# ISO 27001 Annex A

ISO/IEC 27001:2022 Annex A lists the **information security controls** (the control set of ISO/IEC 27002:2022). The matrix below records which controls Edge implements, what the implementation consists of, and the page on this site where the evidence lives. It is a coverage mapping, not a Statement of Applicability: controls not listed are either out of scope for the current data-classification level or tracked under **Known gaps**.

## Coverage matrix

| Annex A control | Topic                        | Edge contribution                                         | Where                                                                                             |
| --------------- | ---------------------------- | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| **A.5.2**       | Information security roles and responsibilities | Owner per CODEOWNERS path                    | [Gate 06](/banking-readiness/gate-06-access-control.md)                                           |
| **A.5.7**       | Threat intelligence          | Dependabot + GitHub Security Advisories as primary signal | [Gate 02](/banking-readiness/gate-02-supply-chain.md)                                             |
| **A.5.15**      | Access control               | Trunk-based branching; CODEOWNERS; PR-only changes        | [Gate 06](/banking-readiness/gate-06-access-control.md)                                           |
| **A.5.18**      | Access rights (provisioning and review) | Quarterly access review of `admin_actions`     | [Gate 06](/banking-readiness/gate-06-access-control.md)                                           |
| **A.5.24**      | Incident planning            | Severity ladder + runbook                                 | [Incident response](/operations/incident-response.md)                                             |
| **A.5.25**      | Decision on events           | Severity assignment within 15 min of declaration          | [Incident response](/operations/incident-response.md)                                             |
| **A.5.26**      | Response                     | Mitigation-before-fix protocol                            | [Incident response](/operations/incident-response.md)                                             |
| **A.5.27**      | Learning                     | Blameless 4-question post-mortem within 5 BD              | [Incident response](/operations/incident-response.md)                                             |
| **A.5.31**      | Legal, statutory, regulatory | Compliance section of this site; bilateral schedule       | [Compliance index](/compliance/dora.md)                                                           |
| **A.5.32**      | Intellectual property        | Image SPDX licence label; MIT on app source               | [Gate 04](/banking-readiness/gate-04-container-security.md)                                       |
| **A.5.34**      | Privacy / PII                | Workspace isolation; audit log; right-of-erasure tooling  | [GDPR mapping](/compliance/gdpr.md)                                                               |
| **A.8.7**       | Malware protection           | Trivy HIGH+CRITICAL blocking                              | [Gate 04](/banking-readiness/gate-04-container-security.md)                                       |
| **A.8.8**       | Technical vulnerability mgmt | Vuln response SLA table; pip-audit; npm audit             | [Gate 02](/banking-readiness/gate-02-supply-chain.md)                                             |
| **A.8.9**       | Configuration mgmt           | CI as code; pinned versions                               | [Stack](/architecture/stack.md), [Gate 03](/banking-readiness/gate-03-cicd-security.md)           |
| **A.8.13**      | Information backup           | Restic + off-site bucket; quarterly restore drill         | [Backup & recovery](/operations/backup-recovery.md)                                               |
| **A.8.15**      | Logging                      | Structured JSON logs; required fields enforced            | [Monitoring](/operations/monitoring.md)                                                           |
| **A.8.16**      | Monitoring activities        | Probes, thresholds, alert rules                           | [Monitoring](/operations/monitoring.md)                                                           |
| **A.8.25**      | Secure SDLC                  | PR + review + CI required-checks contract                 | [Gate 03](/banking-readiness/gate-03-cicd-security.md)                                            |
| **A.8.27**      | Secure architecture          | Trust zones, egress allowlist                             | [Security boundaries](/architecture/security.md)                                                  |
| **A.8.28**      | Secure coding                | Ruff + Mypy + pre-commit gitleaks                         | [Stack](/architecture/stack.md)                                                                   |
| **A.8.29**      | Security testing             | Pytest + Vitest + CI gates                                | [Gate 03](/banking-readiness/gate-03-cicd-security.md)                                            |
| **A.8.30**      | Outsourced development       | Image provenance + signed releases                        | [Gate 04](/banking-readiness/gate-04-container-security.md)                                       |
| **A.8.32**      | Change management            | Trunk-based, PR-only, audit log                           | [Gate 03](/banking-readiness/gate-03-cicd-security.md), [Architecture](/architecture/overview.md) |

## Known gaps

| Control                                    | Status                                                          | Plan                                                       |
| ------------------------------------------ | --------------------------------------------------------------- | ---------------------------------------------------------- |
| **A.5.7** Threat intelligence (formalised) | Informal (Dependabot + GH Security Advisories)                  | Acceptable for current data-classification level           |
| **A.8.10** Information deletion            | Manual (no automated secure-erase beyond GitHub 90-day default) | Acceptable for current data-classification level           |
| **A.8.31** Separation of dev / test / prod | Partial (envs defined; some shared infra)                       | Closes when `edge-infra` per-env directories diverge fully |

## Review cadence

This mapping is reviewed:

* After any P0 / P1 incident (mandatory within 5 business days).
* After any structural change to the repo set.
* Otherwise, every 6 months.
