Register Owner: CISO
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review
Frameworks: ISO/IEC 27001:2022 cl. 4–7, 9.1; supports ISO/IEC 42001:2023 and SOC 2
This register holds the ISO/IEC 27001:2022 management-system records that do not live in a single policy: the ISMS scope (cl. 4.3), the information-security objectives (cl. 6.2), the master list of ISMS documents (cl. 7.5), and the documented-information control rules (cl. 7.5.3).

1. ISMS scope (cl. 4.3)

The ISMS applies to the people, processes, and technology used to design, build, operate, and support the Neuroscale (Arbi) production services and the corporate systems that support them, as described in the SOC 2 System Description.
  • Organizational scope: NEUROSCALE LLC; remote-first workforce; registered office at 46175 Westlake Dr Ste 300, Sterling, VA 20165.
  • Information systems in scope: production cloud infrastructure (AWS US, Vultr US), the Neuroscale-managed Vault cluster, the Arbi application and its data stores, and the corporate SaaS supporting the service (Microsoft 365, Rippling, Better Stack, Vanta, Linear, GitHub, Cloudflare, Tailscale, Dashlane).
  • Interfaces and dependencies: subservice organizations carved out under the System Description (AWS, Vultr, and the model/infra sub-processors on the Subprocessor List).
  • Exclusions: data-center physical/environmental controls (operated by AWS/Vultr) are carved out; justifications for any Annex A exclusions are in the Statement of Applicability.
The boundaries of the AIMS are stated in the AIMS Statement of Applicability.

2. Information-security objectives (cl. 6.2)

Measurable objectives, reviewed at each ISMS Management Review. Targets are set for the current cycle and tracked to completion.
#ObjectiveMeasureTargetOwner
O-1Achieve and maintain SOC 2 Type IIReport issued, no qualified opinionInitial Type II report by Q4 2026CISO
O-2Stand up the ISO 27001:2022 + ISO 42001 ISMS/AIMSSoA complete; internal audit run; cert audit scheduledStage 1 readiness by H1 2027CISO
O-3Remediate audit/test findings within SLA% corrective actions closed on time≥ 95%CISO
O-4Workforce security-awareness + policy acknowledgement% current staff complete in Vanta100% within 30 days of hire / annuallyCHRO
O-5Vulnerability remediation within SLA% Critical/High remediated within SLA≥ 95%CISO
O-6Access reviews completed on cadenceQuarterly reviews completed and signed4/4 per yearCISO
O-7No Sev-1 security incidents with customer-data impactCount0CISO
Progress against objectives is recorded in the ISMS Management Review minutes and drives corrective action where off-track.

3. Master list of ISMS documents (cl. 7.5)

The controlled ISMS document set. Each is controlled, version-tracked, and approved before use.
RefDocumentLocation
ScopeISMS scopethis register §1
PolicyInformation Security Policy (ISMS policy)/policies/information-security
RolesRoles & Responsibilities/policies/roles-responsibilities
RiskRisk Management Policy + Annual Risk Assessment/policies/risk-management, /procedures/annual-risk-assessment
SoA (27001)Statement of Applicability/registers/iso27001-statement-of-applicability
SoA (42001)AIMS Statement of Applicability/registers/iso42001-aims-statement-of-applicability
ObjectivesInformation-security objectivesthis register §2
Doc controlControl of documented informationthis register §4
CommsCommunication (internal/external)/policies/information-security, /procedures/customer-communications
Internal auditInternal Audit Procedure/procedures/internal-audit
Mgmt reviewISMS Management Review Procedure/procedures/isms-management-review
ImprovementCorrective Action & Continual Improvement/procedures/corrective-action
LegalLegal, Regulatory & Contractual Requirements Register/registers/legal-regulatory-register
ControlsControls Inventory/registers/controls-inventory
The full operational policy and procedure set is the /policies/ and /procedures/ library; the Controls Inventory maps controls to their implementing documents.

4. Control of documented information (cl. 7.5.3)

  • Authoring & format: ISMS documents are authored as controlled documents, each with a title, owner, effective date, and version history.
  • Review & approval: changes are made through a controlled revision process and reviewed by the document owner before release; material changes require the named policy owner’s approval. Approval is recorded in the version-history table.
  • Versioning & availability: every document carries a version history; approved documents are published to the workforce through the controlled documentation library. Acknowledgement is tracked in Vanta.
  • Evidence vs. documentation split: governance documentation is maintained as the controlled document set (Policies, Procedures, Registers, and Program documents); operational evidence artifacts (signed PDFs, vendor reports, certificates) live in the SharePoint evidence library, per the Information Security Policy. Register rows that span both name each location.
  • Retention & disposal: controlled per the Records Retention Schedule; superseded versions are retained in the document version history.
  • External documents: externally-originated documents needed by the ISMS (vendor SOC 2 reports, the pen-test report, standards) are stored in the evidence library and referenced from the Vendor Inventory / Controls Inventory.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial ISMS management-system register (scope, objectives, master list, doc control).Cameron WolfeIshan Jadhwani