The Statement of Applicability (SoA) is a required ISO 27001 document that lists every Annex A control, states whether it applies to our ISMS, records the implementation status, and points to the evidence. This page is the public summary; the full SoA (with sensitive evidence paths) is available under NDA.
Scope of the ISMS
The Denialbase Information Security Management System (ISMS) covers:
- The Denialbase SaaS platform — production, staging, and development environments.
- All customer PHI and operational data processed by Denialbase.
- All Denialbase workforce members (employees, contractors, consultants).
- All subprocessors that may touch Denialbase customer data (see Subprocessors).
- Denialbase corporate systems that support the above (GitHub, GCP, Google Workspace, 1Password).
Applicability summary
| Annex A clause | Title | Applicable | Implemented | Evidence |
|---|---|---|---|---|
| 5 — Organizational controls (37 controls) | | | | |
| A.5.1 | Policies for information security | ✅ | Partial | ISP — draft Q2 2026 |
| A.5.2 | Information security roles & responsibilities | ✅ | Partial | ISP — roles |
| A.5.3 | Segregation of duties | ✅ | Yes | Change management |
| A.5.4 | Management responsibilities | ✅ | Partial | Management review — program starting Q2 2026 |
| A.5.5 | Contact with authorities | ✅ | Partial | Incident response |
| A.5.6 | Contact with special interest groups | ✅ | Partial | Not formalized |
| A.5.7 | Threat intelligence | ✅ | Partial | Sentry, GCP Security Command Center, CVE monitoring |
| A.5.8 | Information security in project management | ✅ | Yes | Change management, secure SDLC in CI |
| A.5.9 | Inventory of information and other associated assets | ✅ | Partial | Asset inventory — target Q2 2026 |
| A.5.10 | Acceptable use of information and other associated assets | ✅ | Partial | AUP — draft Q2 2026 |
| A.5.11 | Return of assets | ✅ | Partial | HR security — offboarding |
| A.5.12 | Classification of information | ✅ | Partial | Data classification policy |
| A.5.13 | Labelling of information | ✅ | Partial | Data classification policy — labeling |
| A.5.14 | Information transfer | ✅ | Yes | TLS in transit, PHI-scrubbed egress — see Network security |
| A.5.15 | Access control | ✅ | Yes | Access control policy |
| A.5.16 | Identity management | ✅ | Yes | Authentication |
| A.5.17 | Authentication information | ✅ | Yes | GCP Secret Manager, no plaintext secrets — Cryptography |
| A.5.18 | Access rights | ✅ | Yes | Pundit RBAC + IAM + Access control |
| A.5.19 | Information security in supplier relationships | ✅ | Partial | Vendor management; BAAs in progress |
| A.5.20 | Addressing information security within supplier agreements | ✅ | Partial | Standard DPA/BAA templates — see BAA |
| A.5.21 | Managing information security in the ICT supply chain | ✅ | Partial | Dependency scanning (Dependabot, bundler-audit, npm audit) |
| A.5.22 | Monitoring, review and change management of supplier services | ✅ | Partial | Vendor management — annual review |
| A.5.23 | Information security for use of cloud services | ✅ | Yes | GCP hardened per CIS benchmarks; private VPC; CMEK |
| A.5.24 | Information security incident management planning | ✅ | Partial | Incident response — formal IRP Q2 2026 |
| A.5.25 | Assessment and decision on information security events | ✅ | Yes | Alert triage + severity matrix |
| A.5.26 | Response to information security incidents | ✅ | Partial | IR — response phases |
| A.5.27 | Learning from information security incidents | ✅ | Partial | Blameless post-mortem process |
| A.5.28 | Collection of evidence | ✅ | Yes | Audit logs with 7-year retention, immutable Cloud Logging sink |
| A.5.29 | Information security during disruption | ✅ | Partial | DR, BC |
| A.5.30 | ICT readiness for business continuity | ✅ | Partial | Multi-region backups; first drill Q2 2026 |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | ✅ | Yes | HIPAA, state breach laws, ERISA, ACA — tracked |
| A.5.32 | Intellectual property rights | ✅ | Yes | license_finder in CI; OSS license policy |
| A.5.33 | Protection of records | ✅ | Yes | Audit log integrity + retention |
| A.5.34 | Privacy and protection of PII | ✅ | Yes | HIPAA, PHI minimization, encryption |
| A.5.35 | Independent review of information security | ✅ | Partial | Internal audit program launching Q2 2026 |
| A.5.36 | Compliance with policies, rules and standards | ✅ | Partial | Being formalized as part of internal audit program |
| A.5.37 | Documented operating procedures | ✅ | Partial | Runbooks in /docs; being migrated to Trust Center |
| 6 — People controls (8 controls) | | | | |
| A.6.1 | Screening | ✅ | Yes | Background checks for all production-access personnel |
| A.6.2 | Terms and conditions of employment | ✅ | Yes | Employment agreements with confidentiality clauses |
| A.6.3 | Information security awareness, education and training | ✅ | Partial | Security awareness — annual training |
| A.6.4 | Disciplinary process | ✅ | Yes | AUP — enforcement |
| A.6.5 | Responsibilities after termination or change of employment | ✅ | Yes | HR security — offboarding |
| A.6.6 | Confidentiality or non-disclosure agreements | ✅ | Yes | NDAs required; mutual NDAs for customer conversations |
| A.6.7 | Remote working | ✅ | Yes | AUP — remote work |
| A.6.8 | Information security event reporting | ✅ | Yes | security@denialbase.com; anonymized reporting channel |
| 7 — Physical controls (14 controls) | | | | |
| A.7.1 | Physical security perimeters | ✅ | Inherited | GCP data centers — GCP physical security |
| A.7.2 | Physical entry | ✅ | Inherited | GCP data centers |
| A.7.3 | Securing offices, rooms and facilities | ❌ | N/A | Fully remote — no Denialbase offices |
| A.7.4 | Physical security monitoring | ✅ | Inherited | GCP data centers |
| A.7.5 | Protecting against physical and environmental threats | ✅ | Inherited | GCP multi-region; disaster resilience |
| A.7.6 | Working in secure areas | ❌ | N/A | No physical secure areas |
| A.7.7 | Clear desk and clear screen | ✅ | Yes | AUP — devices |
| A.7.8 | Equipment siting and protection | ✅ | Inherited | GCP |
| A.7.9 | Security of assets off-premises | ✅ | Yes | MDM + full-disk encryption + auto-lock |
| A.7.10 | Storage media | ✅ | Yes | AUP — devices — no removable media for customer data |
| A.7.11 | Supporting utilities | ✅ | Inherited | GCP |
| A.7.12 | Cabling security | ✅ | Inherited | GCP |
| A.7.13 | Equipment maintenance | ✅ | Yes | Managed workstation patching |
| A.7.14 | Secure disposal or re-use of equipment | ✅ | Yes | Cloud asset destruction per GCP; workstation wipe on offboarding |
| 8 — Technological controls (34 controls) | | | | |
| A.8.1 | User endpoint devices | ✅ | Yes | MDM, FDE, EDR, patching |
| A.8.2 | Privileged access rights | ✅ | Yes | Access control, just-in-time production access |
| A.8.3 | Information access restriction | ✅ | Yes | Pundit + IAM |
| A.8.4 | Access to source code | ✅ | Yes | GitHub with enforced MFA + SSO |
| A.8.5 | Secure authentication | ✅ | Yes | Authentication |
| A.8.6 | Capacity management | ✅ | Yes | Cloud Run autoscaling + alerting |
| A.8.7 | Protection against malware | ✅ | Yes | ClamAV on uploads; EDR on workstations |
| A.8.8 | Management of technical vulnerabilities | ✅ | Yes | Vulnerability management |
| A.8.9 | Configuration management | ✅ | Yes | Terraform IaC, signed commits |
| A.8.10 | Information deletion | ✅ | Yes | User#permanently_delete!, account/practice deletion flows |
| A.8.11 | Data masking | ✅ | Yes | PHI masking in list views; logs PHI-scrubbed |
| A.8.12 | Data leakage prevention | ✅ | Partial | No endpoint DLP; egress limited, scrubbing in place |
| A.8.13 | Information backup | ✅ | Yes | DR — backups |
| A.8.14 | Redundancy of information processing facilities | ✅ | Yes | Cloud Run multi-zone; Cloud SQL HA |
| A.8.15 | Logging | ✅ | Yes | Audit logging |
| A.8.16 | Monitoring activities | ✅ | Yes | Cloud Monitoring + Sentry + alerting |
| A.8.17 | Clock synchronization | ✅ | Yes | GCP NTP, workstation NTP |
| A.8.18 | Use of privileged utility programs | ✅ | Partial | Break-glass logged; no broad sudo in prod |
| A.8.19 | Installation of software on operational systems | ✅ | Yes | Container images only; no ad-hoc installs |
| A.8.20 | Networks security | ✅ | Yes | Network security |
| A.8.21 | Security of network services | ✅ | Yes | Cloud Armor WAF; private VPC |
| A.8.22 | Segregation of networks | ✅ | Yes | VPC isolation between staging and prod |
| A.8.23 | Web filtering | ❌ | N/A | No employee web proxy (remote-first) |
| A.8.24 | Use of cryptography | ✅ | Yes | Cryptography policy |
| A.8.25 | Secure development life cycle | ✅ | Yes | Change management; SAST + tests + review |
| A.8.26 | Application security requirements | ✅ | Yes | Secure SDLC, threat modeling for new features |
| A.8.27 | Secure system architecture and engineering principles | ✅ | Yes | Security architecture |
| A.8.28 | Secure coding | ✅ | Yes | Brakeman, ESLint security, Trivy, gitleaks on every commit |
| A.8.29 | Security testing in development and acceptance | ✅ | Yes | 90% backend / 80% frontend test coverage; E2E |
| A.8.30 | Outsourced development | ❌ | N/A | No outsourced development |
| A.8.31 | Separation of development, test and production environments | ✅ | Yes | Separate GCP projects; isolated data |
| A.8.32 | Change management | ✅ | Yes | Change management policy |
| A.8.33 | Test information | ✅ | Yes | Seed data only; no prod PHI in non-prod |
| A.8.34 | Protection of information systems during audit testing | ✅ | Yes | Audit access controls; read-only audit role |
Implementation status summary
| Status | Count | Meaning |
|---|---|---|
| Yes | 53 | Control is fully implemented with evidence |
| Partial | 32 | Control is partially implemented; gaps tracked in Risk register |
| Inherited | 8 | Control is inherited from GCP; evidence via GCP SOC 2/ISO 27001 reports |
| N/A | 4 | Control doesn’t apply (remote-only, no physical sites, no outsourced dev) |
Exclusions and rationale
A.7.3 — Securing offices, rooms, and facilities
Denialbase is a fully remote organization with no physical offices. Workforce security relies on managed workstations, secure home networks, and AUP — devices.
A.7.6 — Working in secure areas
No physical secure areas to protect — see A.7.3 above.
A.8.23 — Web filtering
No corporate network carries employee web traffic, so there is nothing to filter. DNS-level filtering will be considered if the workforce expands.
A.8.30 — Outsourced development
All product development is performed by Denialbase employees; there is no outsourced or offshore development. If this changes, the control will become applicable and will be tracked.
Review cadence
- Monthly — control implementation status updated by Security Officer.
- Quarterly — applicability reviewed with CTO for any scope changes.
- Annually — full SoA refresh ahead of external audit; mapped to current version of ISO 27001.
- Ad-hoc — any material architecture or vendor change triggers re-evaluation of affected controls.