Register Owner: CISO
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review and on any material control change
Next Review: June 13, 2027
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review and on any material control change
Next Review: June 13, 2027
Status — initial draft for the ISO/IEC 27001:2022 certification track. This Statement of Applicability (SoA) is the document required by ISO/IEC 27001:2022 clause 6.1.3(d). It records, for every control in Annex A:2022 (93 controls across four themes), whether the control is applicable to Neuroscale’s ISMS, the justification for inclusion or exclusion, and the Neuroscale policy / procedure / register that implements it. It is maintained alongside the SOC 2-mapped Controls Inventory; the Controls Inventory remains the operational, Vanta-reconciled control list, and this SoA is the Annex A crosswalk used for ISO certification.
ISMS scope statement
The ISMS covers the people, processes, and technology used to design, build, operate, and support the Neuroscale (Arbi) production services and the corporate systems that support them, as described in the SOC 2 System Description. The scope boundary, in-scope locations (remote-first workforce; Sterling, VA registered office), cloud infrastructure (AWS US, Vultr US, Neuroscale-managed Vault), and subservice organizations are as stated there. Exclusions from scope are documented in the System Description and reflected in the per-control justifications below.How to read this SoA
- Applicable — the control is included in the ISMS. Justification states why and points to the implementing document.
- Not applicable — the control is excluded. Justification states the basis (no such asset/activity within scope). Exclusions are minimized and reviewed each cycle.
- (new in 2022) marks the 11 controls introduced in the 2022 revision relative to 2013.
A.5 — Organizational controls
| Control | Title | Applicable | Justification & implementation |
|---|---|---|---|
| A.5.1 | Policies for information security | Yes | Versioned, management-approved (CEO / sole member) policy set published and acknowledged. Information Security Policy; How to use these docs. |
| A.5.2 | Information security roles and responsibilities | Yes | Roles, ownership, and role-concentration compensating controls defined. Roles & Responsibilities; Roles & Personnel. |
| A.5.3 | Segregation of duties | Yes | SoD for release, crypto-root, adjudication, ISMS-MR; CEO independent attestation where roles are concentrated. Roles & Responsibilities → Role concentration. |
| A.5.4 | Management responsibilities | Yes | Management commitment and ISMS oversight. Information Security Policy; ISMS Management Review. |
| A.5.5 | Contact with authorities | Yes | GC maintains supervisory-authority, AG, and law-enforcement contact routes. Incident Response Policy; Customer Communications. |
| A.5.6 | Contact with special interest groups | Yes | CISO maintains threat-intel/ISAC and vendor-advisory contacts (CISA advisories, vendor PSIRTs). Operations Security. |
| A.5.7 | Threat intelligence (new in 2022) | Yes | Documented threat-intelligence intake feeding vulnerability and risk management. Operations Security → Threat intelligence. |
| A.5.8 | Information security in project management | Yes | Security and DPIA gates in the SDLC and project planning. Secure Development Policy; DPIA Procedure. |
| A.5.9 | Inventory of information and other associated assets | Yes | Asset and information inventories maintained. Asset Management Policy; Vendor Inventory; RoPA. |
| A.5.10 | Acceptable use of information and other associated assets | Yes | Acceptable Use; Information Security Policy; AI Acceptable Use Policy. |
| A.5.11 | Return of assets | Yes | Offboarding asset-return workflow. Asset Management → Return of assets; Offboarding. |
| A.5.12 | Classification of information | Yes | Public/Internal/Confidential classification scheme. Data Management Policy. |
| A.5.13 | Labelling of information | Yes | Handling and labelling rules per classification. Data Management Policy. |
| A.5.14 | Information transfer | Yes | Encrypted transfer, transfer agreements, and DPA-governed flows. Cryptography Policy; Cross-Border Transfers. |
| A.5.15 | Access control | Yes | Least-privilege, role-based access. Access Control Policy; Access Matrix. |
| A.5.16 | Identity management | Yes | Rippling IdP, lifecycle provisioning/deprovisioning. Access Management. |
| A.5.17 | Authentication information | Yes | MFA, WebAuthn for privileged access, secret handling. Access Control Policy; Secrets Management. |
| A.5.18 | Access rights | Yes | Provisioning, quarterly review, removal SLAs. Access Reviews; Offboarding. |
| A.5.19 | Information security in supplier relationships | Yes | Tiered vendor risk assessment. Third-Party Management Policy; Vendor Risk Assessment. |
| A.5.20 | Addressing information security within supplier agreements | Yes | Security/DPA terms in supplier contracts. Third-Party Management Policy; DPA Template. |
| A.5.21 | Managing information security in the ICT supply chain | Yes | SBOM, dependency vetting, supply-chain flow-downs. Open Source & SBOM Policy; Third-Party Management Policy. |
| A.5.22 | Monitoring, review and change management of supplier services | Yes | Annual High-tier vendor re-review. Vendor Review Schedule. |
| A.5.23 | Information security for use of cloud services (new in 2022) | Yes | Cloud shared-responsibility, hardening, and cloud-vendor due diligence. Configuration Hardening; Operations Security. |
| A.5.24 | Information security incident management planning and preparation | Yes | IR plan, roles, severities. Incident Response Policy. |
| A.5.25 | Assessment and decision on information security events | Yes | Triage and severity classification. Incident Response Policy; Log Review. |
| A.5.26 | Response to information security incidents | Yes | Documented response process and RCA. Incident Response Policy. |
| A.5.27 | Learning from information security incidents | Yes | RCA and post-incident review feed control improvement. Incident Response Policy → Documentation. |
| A.5.28 | Collection of evidence | Yes | Forensic preservation and privileged-handling in IR. Incident Response Policy. |
| A.5.29 | Information security during disruption | Yes | BC/DR continuity of security controls. Business Continuity Policy. |
| A.5.30 | ICT readiness for business continuity (new in 2022) | Yes | RTO/RPO, backup-restore and DR testing. RTO/RPO Matrix; DR & Backup-Restore Test. |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Legal-register and compliance obligations tracked. Compliance Frameworks; Trade Compliance Policy. |
| A.5.32 | Intellectual property rights | Yes | OSS license compliance and IP handling. Open Source & SBOM Policy; Code of Conduct. |
| A.5.33 | Protection of records | Yes | Records retention and tamper-evidence. Records Retention Schedule; Records Disposal. |
| A.5.34 | Privacy and protection of PII | Yes | Privacy program, RoPA, DSR, DPIA. Data Management Policy; Privacy Notice; RoPA. |
| A.5.35 | Independent review of information security | Yes | Independent pen-test and external SOC 2 / ISO audit; VGC governance review. A clause 9.2 internal-audit function is being stood up for the ISO track (see Compliance Frameworks → ISO 27001). Operations Security. |
| A.5.36 | Compliance with policies, rules and standards for information security | Yes | Acknowledgement, Vanta tests, documented exceptions. How to use these docs; Vault Transit exception. |
| A.5.37 | Documented operating procedures | Yes | Operational procedures published in /procedures/ and /engineering/. Procedures index. |
A.6 — People controls
| Control | Title | Applicable | Justification & implementation |
|---|---|---|---|
| A.6.1 | Screening | Yes | Tiered Checkr background checks at hire. HR Security Policy → Screening; Background Checks. |
| A.6.2 | Terms and conditions of employment | Yes | Security obligations in employment terms. HR Security Policy. |
| A.6.3 | Information security awareness, education and training | Yes | At-hire and annual training; phishing simulations. Security Awareness Training; Training Catalog. |
| A.6.4 | Disciplinary process | Yes | Documented disciplinary process for violations. HR Security Policy; Code of Conduct. |
| A.6.5 | Responsibilities after termination or change of employment | Yes | Post-termination obligations and access removal. Offboarding; HR Security Policy → Termination. |
| A.6.6 | Confidentiality or non-disclosure agreements | Yes | NDAs at hire and with vendors. HR Security Policy; Third-Party Management Policy. |
| A.6.7 | Remote working | Yes | Remote-first device, network, and home-working controls. Information Security Policy → Device policy; Acceptable Use. |
| A.6.8 | Information security event reporting | Yes | security@ reporting channel and anonymous channel. Information Security Policy → Security incident reporting; Whistleblower Policy. |
A.7 — Physical controls
| Control | Title | Applicable | Justification & implementation |
|---|---|---|---|
| A.7.1 | Physical security perimeters | Yes | Office perimeter; data-center perimeter carved out to AWS/Vultr. Physical Security Policy. |
| A.7.2 | Physical entry | Yes | Entry controls at the Sterling office; data-center entry is a subservice control. Physical Security Policy. |
| A.7.3 | Securing offices, rooms and facilities | Yes | Physical Security Policy. |
| A.7.4 | Physical security monitoring (new in 2022) | Yes | CCTV/monitoring at the office with privacy-compliant retention. Physical Security Policy; Employee Privacy Policy. |
| A.7.5 | Protecting against physical and environmental threats | Yes | Office environmental controls; data-center environmental controls carved out to cloud providers. Physical Security Policy. |
| A.7.6 | Working in secure areas | Yes | Clean-desk and secure-area handling for the office. Physical Security Policy. |
| A.7.7 | Clear desk and clear screen | Yes | Physical Security Policy; Acceptable Use. |
| A.7.8 | Equipment siting and protection | Yes | Endpoint siting; production equipment is cloud-hosted (carve-out). Physical Security Policy. |
| A.7.9 | Security of assets off-premises | Yes | Remote-work device controls (MDM, FDE). Asset Management Policy; Information Security Policy. |
| A.7.10 | Storage media | Yes | Media handling and removable-media restrictions. Asset Management Policy; Data Management Policy. |
| A.7.11 | Supporting utilities | Yes | Office utilities; data-center power/cooling carved out to cloud providers. Physical Security Policy. |
| A.7.12 | Cabling security | Partial | Office cabling only; production network cabling is a cloud-provider control (carve-out). Physical Security Policy. |
| A.7.13 | Equipment maintenance | Yes | Endpoint maintenance via MDM; production hardware maintenance carved out. Asset Management Policy. |
| A.7.14 | Secure disposal or re-use of equipment | Yes | NIST 800-88 wipe / Certificate of Destruction. Records Disposal; Asset Management → Disposal. |
A.8 — Technological controls
| Control | Title | Applicable | Justification & implementation |
|---|---|---|---|
| A.8.1 | User endpoint devices | Yes | Rippling MDM, FDE, endpoint hardening. Asset Management Policy; Information Security Policy → Device policy. |
| A.8.2 | Privileged access rights | Yes | Named approval, WebAuthn, just-in-time elevation. Access Control Policy; Access Management. |
| A.8.3 | Information access restriction | Yes | Least-privilege data access. Access Control Policy; Data Management Policy. |
| A.8.4 | Access to source code | Yes | GitHub branch protection, repo access control. Secure Development Policy; Code Review. |
| A.8.5 | Secure authentication | Yes | MFA / WebAuthn / SSO. Access Control Policy. |
| A.8.6 | Capacity management | Yes | Capacity planning and monitoring (availability criterion deferred but control operates). Operations Security; RTO/RPO Matrix. |
| A.8.7 | Protection against malware | Yes | Rippling EDR on endpoints; email threat protection. Operations Security; Asset Management Policy. |
| A.8.8 | Management of technical vulnerabilities | Yes | Scanning, SLAs, pen-test. Vulnerability Management; Operations Security → Technical vulnerability management. |
| A.8.9 | Configuration management | Yes | Hardened baselines, IaC, drift control. Configuration Hardening. |
| A.8.10 | Information deletion (new in 2022) | Yes | Retention-driven deletion and disposal. Records Disposal; Data Retention Matrix. |
| A.8.11 | Data masking (new in 2022) | Yes | Deidentification standard and masking in non-prod. AI Acceptable Use → Deidentification Standard; Operations Security → Data masking. |
| A.8.12 | Data leakage prevention (new in 2022) | Yes | DLP, egress controls, secret scanning. Operations Security; Secrets Management. |
| A.8.13 | Information backup | Yes | Backup schedule and restore testing. Business Continuity Policy; DR & Backup-Restore Test. |
| A.8.14 | Redundancy of information processing facilities | Yes | Multi-AZ/region redundancy (availability criterion deferred; control operates). RTO/RPO Matrix; Business Continuity Policy. |
| A.8.15 | Logging | Yes | Security event logging with tiered retention. Logging & Monitoring; Operations Security → Log retention tiers. |
| A.8.16 | Monitoring activities (new in 2022) | Yes | Admin-activity and log review; alerting. Log Review; Logging & Monitoring. |
| A.8.17 | Clock synchronization | Yes | NTP-synchronized time across systems for log integrity. Logging & Monitoring. |
| A.8.18 | Use of privileged utility programs | Yes | Restricted and logged privileged-utility use. Access Control Policy; Operations Security. |
| A.8.19 | Installation of software on operational systems | Yes | Controlled deployment; no ad-hoc installs on production. Change Management; Configuration Hardening. |
| A.8.20 | Networks security | Yes | Cloudflare One, Tailscale, segmentation. Configuration Hardening; Operations Security. |
| A.8.21 | Security of network services | Yes | Secured network services and SLAs. Operations Security. |
| A.8.22 | Segregation of networks | Yes | Network segmentation and isolation. Configuration Hardening. |
| A.8.23 | Web filtering (new in 2022) | Yes | Cloudflare Gateway web filtering / threat-intel blocking. Operations Security → Web filtering. |
| A.8.24 | Use of cryptography | Yes | Crypto standards, key management. Cryptography Policy. |
| A.8.25 | Secure development life cycle | Yes | Secure Development Policy. |
| A.8.26 | Application security requirements | Yes | Security requirements in design and review. Secure Development Policy; Code Review. |
| A.8.27 | Secure system architecture and engineering principles | Yes | Secure Development Policy; Configuration Hardening. |
| A.8.28 | Secure coding (new in 2022) | Yes | Secure-coding standards and checks. Secure Coding; Secure Development Policy. |
| A.8.29 | Security testing in development and acceptance | Yes | SAST/DAST/dependency scanning in CI; pre-release testing. Vulnerability Management; Secure Development Policy. |
| A.8.30 | Outsourced development | Partial | Core development is in-house; where development is outsourced, supplier-security terms apply. Third-Party Management Policy; Secure Development Policy. |
| A.8.31 | Separation of development, test and production environments | Yes | Environment separation enforced. Secure Development Policy; Change Management. |
| A.8.32 | Change management | Yes | Peer review, CI gates, change approval, emergency-change process. Change Management; Operations Security → Change management. |
| A.8.33 | Test information | Yes | Production data not used in test without masking; deidentification standard. Data Management Policy; Customer-data-in-non-prod exception. |
| A.8.34 | Protection of information systems during audit testing | Yes | Read-only/scoped audit and pen-test access. Operations Security. |
Excluded controls summary
No Annex A:2022 control is fully excluded. Three are marked Partial because the relevant asset is largely a carve-out to a subservice organization (A.7.12 cabling — production network cabling) or an activity that is in-house today but governed-if-used (A.8.30 outsourced development). Physical and environmental data-center controls (parts of A.7.1, A.7.5, A.7.8, A.7.11) are operated by AWS and Vultr under the carve-out method described in the SOC 2 System Description and evidenced by their own ISO 27001 / SOC 2 reports.Cross-references
- Controls Inventory — SOC 2 TSC-mapped operational control list.
- Compliance Frameworks — ISO 27001:2022 program context.
- Risk Management Policy — risk treatment that drives control selection.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial Statement of Applicability — all 93 Annex A:2022 controls mapped to Neuroscale policies/procedures/registers. | Cameron Wolfe | Ishan Jadhwani |