Kyance Trust Center

Kyance shares its compliance posture and security control coverage.

All controls

Access management

Control / Status

Credential Rotation and Brute-Force Protection

Implement brute-force protection on all authentication endpoints and enforce credential rotation upon suspected compromise.

Achieved

Deny-by-Default Access Control

Implement deny-by-default access control where all resource access is denied unless an explicit grant exists for the requesting identity.

Achieved

API security

Control / Status

API Resource Consumption Limits

Implement resource consumption quotas and throttling on all API endpoints to prevent service exhaustion and excessive resource usage.

Achieved

Asset and information lifecycle

Control / Status

Return of assets

Require all personnel and relevant interested parties to return all organizational assets in their possession upon change or termination of employment, contract, or agreement.

Achieved

Change management

Control / Status

CI/CD Pipeline Integrity Verification

Implement integrity verification mechanisms for CI/CD pipelines including build artifact signing, separation of duties, and tamper-evident logging.

In Progress

Software Supply Chain Change Tracking

Track and audit changes across all software supply chain components including dependencies, CI/CD configurations, registries, and third-party integrations.

In Progress

Competence and awareness

Control / Status

Awareness

Ensure personnel are aware of the information security policy, their contribution to ISMS effectiveness, and the implications of non-conformance with ISMS requirements.

In Progress

Communication

Determine the need for internal and external communications relevant to the ISMS, including what, when, with whom, and how to communicate.

In Progress

Competence

Determine required competencies for personnel affecting information security performance, ensure competence through education, training, or experience, take actions to close identified competence gaps and evaluate the effectiveness of those actions, and retain documented evidence of competence.

In Progress

Resources

Determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS.

In Progress

Data protection principles

Control / Status

Pseudonymisation and Encryption

Implement pseudonymisation and encryption as technical measures for data protection by design and for the security of processing.

Achieved

Document control

Control / Status

Control of documented information

Control documented information to ensure availability, suitability, and adequate protection, addressing distribution, access, retrieval, storage, preservation, version control, retention, disposition, and external-origin documents.

In Progress

Creating and updating

Ensure documented information is appropriately identified, described, formatted, and reviewed and approved for suitability and adequacy when created or updated.

In Progress

Documented information — General

Maintain documented information required by ISO 27001 and any additional documented information the organization determines necessary for ISMS effectiveness.

In Progress

Environment isolation

Control / Status

Server-Side Request Forgery Prevention

Implement server-side request validation and destination restriction to prevent unauthorized outbound requests from reaching internal or sensitive resources.

In Progress

ISMS scope and context

Control / Status

Determining the scope of the information security management system

Define and document the boundaries and applicability of the ISMS, considering internal/external issues, interested party requirements, and organizational interfaces and dependencies.

In Progress

Information security management system

Establish, implement, maintain, and continually improve an information security management system, including the processes needed and their interactions.

In Progress

Understanding the needs and expectations of interested parties

Identify interested parties relevant to the ISMS, determine their requirements, and decide which requirements will be addressed through the management system.

In Progress

Understanding the organization and its context

Determine external and internal issues relevant to the organization's purpose that affect the ISMS's ability to achieve its intended outcomes, including whether climate change is a relevant issue.

In Progress

Leadership and governance

Control / Status

Leadership and commitment

Demonstrate top management leadership and commitment by establishing an information security policy and objectives, ensuring resource availability, integrating ISMS requirements into organizational processes, and promoting continual improvement.

In Progress

Organizational roles, responsibilities and authorities

Assign and communicate responsibilities and authorities for information security roles, including responsibility for ISMS conformance and performance reporting to top management.

In Progress

Policy

Establish and document an information security policy appropriate to the organization's purpose, including security objectives, commitment to applicable requirements, and commitment to continual improvement. Communicate the policy within the organization and make it available to interested parties.

In Progress

Operational execution

Control / Status

Information security risk assessment (operational)

Perform information security risk assessments at planned intervals or when significant changes are proposed or occur, applying the criteria established in the risk assessment process, and retain documented results.

In Progress

Information security risk treatment (operational)

Implement the information security risk treatment plan and retain documented results of risk treatment activities.

In Progress

Operational planning and control

Plan, implement, and control ISMS processes by establishing criteria, controlling planned changes, reviewing consequences of unintended changes, and ensuring externally provided processes and services are controlled. Retain documented evidence of process execution.

In Progress

Operational security

Control / Status

Threat Intelligence Integration

Operate a threat intelligence capability that identifies relevant threats, adversary techniques, and emerging attack patterns against organizational infrastructure.

In Progress

Performance evaluation and improvement

Control / Status

Continual improvement

Continually improve the suitability, adequacy, and effectiveness of the information security management system.

In Progress

Internal audit — General

Conduct internal audits at planned intervals to determine whether the ISMS conforms to organizational requirements and ISO 27001 requirements and is effectively implemented and maintained.

In Progress

Internal audit programme

Plan, establish, implement, and maintain an internal audit programme defining frequency, methods, responsibilities, and reporting. Define audit criteria and scope, ensure auditor objectivity, report results to relevant management, and retain documented evidence of the programme and audit results.

In Progress

Management review — General

Conduct management reviews of the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.

In Progress

Management review inputs

Include in the management review: status of previous actions, changes in external/internal issues and interested party needs, information security performance trends (nonconformities, monitoring results, audit results, objective fulfilment), feedback from interested parties, results of risk assessment and status of risk treatment plan, and improvement opportunities.

In Progress

Management review results

Document management review outputs including continual improvement decisions and any needs for changes to the ISMS, and retain documented evidence of management review results.

In Progress

Monitoring, measurement, analysis and evaluation

Determine what to monitor and measure, establish valid and reproducible methods, define schedules and responsibilities for monitoring, measurement, analysis, and evaluation, and retain documented evidence of results.

In Progress

Nonconformity and corrective action

React to nonconformities by controlling, correcting, and managing consequences. Evaluate root causes, determine whether similar nonconformities exist or could occur, implement corrective actions, review their effectiveness, and update the ISMS. Retain documented evidence of nonconformities, actions taken, and corrective action results.

In Progress

Risk management

Control / Status

Actions to address risks and opportunities — General

Determine risks and opportunities that could affect ISMS outcomes, and plan actions to address them, integrating those actions into ISMS processes with effectiveness evaluation.

In Progress

Information security objectives and planning to achieve them

Establish information security objectives at relevant functions and levels that are consistent with policy, measurable where practicable, informed by applicable requirements and risk assessment results, monitored, communicated, and updated when requirements or risks change. Document and retain as documented information. Plan what will be done, resources required, responsibilities, timelines, and evaluation methods.

In Progress

Information security risk assessment (process)

Define and apply a repeatable information security risk assessment process that establishes risk acceptance criteria, identifies risks to confidentiality, integrity, and availability, assigns risk owners, analyzes consequences and likelihood, and prioritizes risks for treatment.

In Progress

Information security risk treatment (process)

Define and apply an information security risk treatment process that selects treatment options, determines necessary controls, verifies completeness against Annex A, produces a Statement of Applicability documenting necessary controls with justification for inclusion, implementation status, and justification for any Annex A exclusions, formulates a risk treatment plan, and obtains risk owner approval of the plan and acceptance of residual information security risks.

In Progress

Planning of changes

Carry out changes to the ISMS in a planned manner.

In Progress

Secure development

Control / Status

Application Input Validation and Output Encoding

Implement server-side input validation and context-appropriate output encoding at all application trust boundaries where untrusted data enters processing.

In Progress

Deserialization Attack Prevention

Implement integrity verification and type constraints on all serialized data received from untrusted sources before processing.

In Progress

Threat Modeling During Design

Perform threat modeling during the design phase for all application components handling authentication, access control, business logic, and sensitive data flows.

In Progress

Security configuration

Control / Status

Cryptographic Key Lifecycle Management

Implement cryptographic key lifecycle management covering generation, storage, rotation, and retirement of all encryption keys.

Achieved

Secrets Vault Management

Implement centralized secrets management to store and retrieve application credentials, API keys, and certificates outside of source code and configuration files.

Achieved