Register Owner: CISO
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review and on any material control change
Next Review: June 13, 2027
Status — initial draft for the ISO/IEC 27001:2022 certification track. This Statement of Applicability (SoA) is the document required by ISO/IEC 27001:2022 clause 6.1.3(d). It records, for every control in Annex A:2022 (93 controls across four themes), whether the control is applicable to Neuroscale’s ISMS, the justification for inclusion or exclusion, and the Neuroscale policy / procedure / register that implements it. It is maintained alongside the SOC 2-mapped Controls Inventory; the Controls Inventory remains the operational, Vanta-reconciled control list, and this SoA is the Annex A crosswalk used for ISO certification.

ISMS scope statement

The ISMS covers the people, processes, and technology used to design, build, operate, and support the Neuroscale (Arbi) production services and the corporate systems that support them, as described in the SOC 2 System Description. The scope boundary, in-scope locations (remote-first workforce; Sterling, VA registered office), cloud infrastructure (AWS US, Vultr US, Neuroscale-managed Vault), and subservice organizations are as stated there. Exclusions from scope are documented in the System Description and reflected in the per-control justifications below.

How to read this SoA

  • Applicable — the control is included in the ISMS. Justification states why and points to the implementing document.
  • Not applicable — the control is excluded. Justification states the basis (no such asset/activity within scope). Exclusions are minimized and reviewed each cycle.
  • (new in 2022) marks the 11 controls introduced in the 2022 revision relative to 2013.
Annex A:2022 themes: A.5 Organizational (37), A.6 People (8), A.7 Physical (14), A.8 Technological (34).

A.5 — Organizational controls

ControlTitleApplicableJustification & implementation
A.5.1Policies for information securityYesVersioned, management-approved (CEO / sole member) policy set published and acknowledged. Information Security Policy; How to use these docs.
A.5.2Information security roles and responsibilitiesYesRoles, ownership, and role-concentration compensating controls defined. Roles & Responsibilities; Roles & Personnel.
A.5.3Segregation of dutiesYesSoD for release, crypto-root, adjudication, ISMS-MR; CEO independent attestation where roles are concentrated. Roles & Responsibilities → Role concentration.
A.5.4Management responsibilitiesYesManagement commitment and ISMS oversight. Information Security Policy; ISMS Management Review.
A.5.5Contact with authoritiesYesGC maintains supervisory-authority, AG, and law-enforcement contact routes. Incident Response Policy; Customer Communications.
A.5.6Contact with special interest groupsYesCISO maintains threat-intel/ISAC and vendor-advisory contacts (CISA advisories, vendor PSIRTs). Operations Security.
A.5.7Threat intelligence (new in 2022)YesDocumented threat-intelligence intake feeding vulnerability and risk management. Operations Security → Threat intelligence.
A.5.8Information security in project managementYesSecurity and DPIA gates in the SDLC and project planning. Secure Development Policy; DPIA Procedure.
A.5.9Inventory of information and other associated assetsYesAsset and information inventories maintained. Asset Management Policy; Vendor Inventory; RoPA.
A.5.10Acceptable use of information and other associated assetsYesAcceptable Use; Information Security Policy; AI Acceptable Use Policy.
A.5.11Return of assetsYesOffboarding asset-return workflow. Asset Management → Return of assets; Offboarding.
A.5.12Classification of informationYesPublic/Internal/Confidential classification scheme. Data Management Policy.
A.5.13Labelling of informationYesHandling and labelling rules per classification. Data Management Policy.
A.5.14Information transferYesEncrypted transfer, transfer agreements, and DPA-governed flows. Cryptography Policy; Cross-Border Transfers.
A.5.15Access controlYesLeast-privilege, role-based access. Access Control Policy; Access Matrix.
A.5.16Identity managementYesRippling IdP, lifecycle provisioning/deprovisioning. Access Management.
A.5.17Authentication informationYesMFA, WebAuthn for privileged access, secret handling. Access Control Policy; Secrets Management.
A.5.18Access rightsYesProvisioning, quarterly review, removal SLAs. Access Reviews; Offboarding.
A.5.19Information security in supplier relationshipsYesTiered vendor risk assessment. Third-Party Management Policy; Vendor Risk Assessment.
A.5.20Addressing information security within supplier agreementsYesSecurity/DPA terms in supplier contracts. Third-Party Management Policy; DPA Template.
A.5.21Managing information security in the ICT supply chainYesSBOM, dependency vetting, supply-chain flow-downs. Open Source & SBOM Policy; Third-Party Management Policy.
A.5.22Monitoring, review and change management of supplier servicesYesAnnual High-tier vendor re-review. Vendor Review Schedule.
A.5.23Information security for use of cloud services (new in 2022)YesCloud shared-responsibility, hardening, and cloud-vendor due diligence. Configuration Hardening; Operations Security.
A.5.24Information security incident management planning and preparationYesIR plan, roles, severities. Incident Response Policy.
A.5.25Assessment and decision on information security eventsYesTriage and severity classification. Incident Response Policy; Log Review.
A.5.26Response to information security incidentsYesDocumented response process and RCA. Incident Response Policy.
A.5.27Learning from information security incidentsYesRCA and post-incident review feed control improvement. Incident Response Policy → Documentation.
A.5.28Collection of evidenceYesForensic preservation and privileged-handling in IR. Incident Response Policy.
A.5.29Information security during disruptionYesBC/DR continuity of security controls. Business Continuity Policy.
A.5.30ICT readiness for business continuity (new in 2022)YesRTO/RPO, backup-restore and DR testing. RTO/RPO Matrix; DR & Backup-Restore Test.
A.5.31Legal, statutory, regulatory and contractual requirementsYesLegal-register and compliance obligations tracked. Compliance Frameworks; Trade Compliance Policy.
A.5.32Intellectual property rightsYesOSS license compliance and IP handling. Open Source & SBOM Policy; Code of Conduct.
A.5.33Protection of recordsYesRecords retention and tamper-evidence. Records Retention Schedule; Records Disposal.
A.5.34Privacy and protection of PIIYesPrivacy program, RoPA, DSR, DPIA. Data Management Policy; Privacy Notice; RoPA.
A.5.35Independent review of information securityYesIndependent pen-test and external SOC 2 / ISO audit; VGC governance review. A clause 9.2 internal-audit function is being stood up for the ISO track (see Compliance Frameworks → ISO 27001). Operations Security.
A.5.36Compliance with policies, rules and standards for information securityYesAcknowledgement, Vanta tests, documented exceptions. How to use these docs; Vault Transit exception.
A.5.37Documented operating proceduresYesOperational procedures published in /procedures/ and /engineering/. Procedures index.

A.6 — People controls

ControlTitleApplicableJustification & implementation
A.6.1ScreeningYesTiered Checkr background checks at hire. HR Security Policy → Screening; Background Checks.
A.6.2Terms and conditions of employmentYesSecurity obligations in employment terms. HR Security Policy.
A.6.3Information security awareness, education and trainingYesAt-hire and annual training; phishing simulations. Security Awareness Training; Training Catalog.
A.6.4Disciplinary processYesDocumented disciplinary process for violations. HR Security Policy; Code of Conduct.
A.6.5Responsibilities after termination or change of employmentYesPost-termination obligations and access removal. Offboarding; HR Security Policy → Termination.
A.6.6Confidentiality or non-disclosure agreementsYesNDAs at hire and with vendors. HR Security Policy; Third-Party Management Policy.
A.6.7Remote workingYesRemote-first device, network, and home-working controls. Information Security Policy → Device policy; Acceptable Use.
A.6.8Information security event reportingYessecurity@ reporting channel and anonymous channel. Information Security Policy → Security incident reporting; Whistleblower Policy.

A.7 — Physical controls

ControlTitleApplicableJustification & implementation
A.7.1Physical security perimetersYesOffice perimeter; data-center perimeter carved out to AWS/Vultr. Physical Security Policy.
A.7.2Physical entryYesEntry controls at the Sterling office; data-center entry is a subservice control. Physical Security Policy.
A.7.3Securing offices, rooms and facilitiesYesPhysical Security Policy.
A.7.4Physical security monitoring (new in 2022)YesCCTV/monitoring at the office with privacy-compliant retention. Physical Security Policy; Employee Privacy Policy.
A.7.5Protecting against physical and environmental threatsYesOffice environmental controls; data-center environmental controls carved out to cloud providers. Physical Security Policy.
A.7.6Working in secure areasYesClean-desk and secure-area handling for the office. Physical Security Policy.
A.7.7Clear desk and clear screenYesPhysical Security Policy; Acceptable Use.
A.7.8Equipment siting and protectionYesEndpoint siting; production equipment is cloud-hosted (carve-out). Physical Security Policy.
A.7.9Security of assets off-premisesYesRemote-work device controls (MDM, FDE). Asset Management Policy; Information Security Policy.
A.7.10Storage mediaYesMedia handling and removable-media restrictions. Asset Management Policy; Data Management Policy.
A.7.11Supporting utilitiesYesOffice utilities; data-center power/cooling carved out to cloud providers. Physical Security Policy.
A.7.12Cabling securityPartialOffice cabling only; production network cabling is a cloud-provider control (carve-out). Physical Security Policy.
A.7.13Equipment maintenanceYesEndpoint maintenance via MDM; production hardware maintenance carved out. Asset Management Policy.
A.7.14Secure disposal or re-use of equipmentYesNIST 800-88 wipe / Certificate of Destruction. Records Disposal; Asset Management → Disposal.

A.8 — Technological controls

ControlTitleApplicableJustification & implementation
A.8.1User endpoint devicesYesRippling MDM, FDE, endpoint hardening. Asset Management Policy; Information Security Policy → Device policy.
A.8.2Privileged access rightsYesNamed approval, WebAuthn, just-in-time elevation. Access Control Policy; Access Management.
A.8.3Information access restrictionYesLeast-privilege data access. Access Control Policy; Data Management Policy.
A.8.4Access to source codeYesGitHub branch protection, repo access control. Secure Development Policy; Code Review.
A.8.5Secure authenticationYesMFA / WebAuthn / SSO. Access Control Policy.
A.8.6Capacity managementYesCapacity planning and monitoring (availability criterion deferred but control operates). Operations Security; RTO/RPO Matrix.
A.8.7Protection against malwareYesRippling EDR on endpoints; email threat protection. Operations Security; Asset Management Policy.
A.8.8Management of technical vulnerabilitiesYesScanning, SLAs, pen-test. Vulnerability Management; Operations Security → Technical vulnerability management.
A.8.9Configuration managementYesHardened baselines, IaC, drift control. Configuration Hardening.
A.8.10Information deletion (new in 2022)YesRetention-driven deletion and disposal. Records Disposal; Data Retention Matrix.
A.8.11Data masking (new in 2022)YesDeidentification standard and masking in non-prod. AI Acceptable Use → Deidentification Standard; Operations Security → Data masking.
A.8.12Data leakage prevention (new in 2022)YesDLP, egress controls, secret scanning. Operations Security; Secrets Management.
A.8.13Information backupYesBackup schedule and restore testing. Business Continuity Policy; DR & Backup-Restore Test.
A.8.14Redundancy of information processing facilitiesYesMulti-AZ/region redundancy (availability criterion deferred; control operates). RTO/RPO Matrix; Business Continuity Policy.
A.8.15LoggingYesSecurity event logging with tiered retention. Logging & Monitoring; Operations Security → Log retention tiers.
A.8.16Monitoring activities (new in 2022)YesAdmin-activity and log review; alerting. Log Review; Logging & Monitoring.
A.8.17Clock synchronizationYesNTP-synchronized time across systems for log integrity. Logging & Monitoring.
A.8.18Use of privileged utility programsYesRestricted and logged privileged-utility use. Access Control Policy; Operations Security.
A.8.19Installation of software on operational systemsYesControlled deployment; no ad-hoc installs on production. Change Management; Configuration Hardening.
A.8.20Networks securityYesCloudflare One, Tailscale, segmentation. Configuration Hardening; Operations Security.
A.8.21Security of network servicesYesSecured network services and SLAs. Operations Security.
A.8.22Segregation of networksYesNetwork segmentation and isolation. Configuration Hardening.
A.8.23Web filtering (new in 2022)YesCloudflare Gateway web filtering / threat-intel blocking. Operations Security → Web filtering.
A.8.24Use of cryptographyYesCrypto standards, key management. Cryptography Policy.
A.8.25Secure development life cycleYesSecure Development Policy.
A.8.26Application security requirementsYesSecurity requirements in design and review. Secure Development Policy; Code Review.
A.8.27Secure system architecture and engineering principlesYesSecure Development Policy; Configuration Hardening.
A.8.28Secure coding (new in 2022)YesSecure-coding standards and checks. Secure Coding; Secure Development Policy.
A.8.29Security testing in development and acceptanceYesSAST/DAST/dependency scanning in CI; pre-release testing. Vulnerability Management; Secure Development Policy.
A.8.30Outsourced developmentPartialCore development is in-house; where development is outsourced, supplier-security terms apply. Third-Party Management Policy; Secure Development Policy.
A.8.31Separation of development, test and production environmentsYesEnvironment separation enforced. Secure Development Policy; Change Management.
A.8.32Change managementYesPeer review, CI gates, change approval, emergency-change process. Change Management; Operations Security → Change management.
A.8.33Test informationYesProduction data not used in test without masking; deidentification standard. Data Management Policy; Customer-data-in-non-prod exception.
A.8.34Protection of information systems during audit testingYesRead-only/scoped audit and pen-test access. Operations Security.

Excluded controls summary

No Annex A:2022 control is fully excluded. Three are marked Partial because the relevant asset is largely a carve-out to a subservice organization (A.7.12 cabling — production network cabling) or an activity that is in-house today but governed-if-used (A.8.30 outsourced development). Physical and environmental data-center controls (parts of A.7.1, A.7.5, A.7.8, A.7.11) are operated by AWS and Vultr under the carve-out method described in the SOC 2 System Description and evidenced by their own ISO 27001 / SOC 2 reports.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial Statement of Applicability — all 93 Annex A:2022 controls mapped to Neuroscale policies/procedures/registers.Cameron WolfeIshan Jadhwani