Compliance_Checklist.md

May 24, 2026 · View on GitHub

Hack23 Logo

✅ Hack23 AB — ISMS Compliance Checklist

Unified Compliance Through Systematic Framework Alignment
Demonstrating Regulatory Adherence for Cybersecurity Consulting

Owner Version Effective Date Review Cycle

📋 Document Owner: CEO | 📄 Version: 2.6 | 📅 Last Updated: 2026-05-10 (UTC) 🔄 Review Cycle: Semi-Annual | ⏰ Next Review: 2026-11-10


🎯 Purpose Statement

Hack23 AB’s ISMS Compliance Checklist provides a single, evidence-based view of how our security and compliance controls align with multiple international frameworks and regulatory requirements. It is designed to be both an internal assurance tool and an external transparency artifact for clients, partners, and regulators.

This document consolidates mappings between Hack23 AB’s implemented controls and the following frameworks and regulations:

  • ISO/IEC 27001:2022 Annex A (organizational, people, physical, technological controls)
  • NIST Cybersecurity Framework 2.0
  • CIS Controls v8.1
  • EU NIS2 Directive (EU 2022/2555)
  • EU Cyber Resilience Act (CRA) — Annex I essential requirements and Annex II critical product considerations
  • General Data Protection Regulation (GDPR) & Swedish Dataskyddslagen
  • Swedish corporate and bookkeeping law (Bokföringslagen, Aktiebolagslagen)
  • SOC 2 Type II Trust Services Criteria
  • PCI DSS v4.0 (with SAQ A focus and Stripe/AWS outsourcing model)
  • HIPAA Security Rule (consulting readiness, no PHI currently processed)

Each requirement is linked to the specific ISMS policy, procedure, register, or technical control that implements it, forming a clear, auditable compliance trail across security, privacy, resilience, and governance domains.

By publishing this checklist, Hack23 AB demonstrates that:

  • Our ISMS is architected for multi-framework alignment, not one-off certifications
  • We have traceable evidence for control design and operational effectiveness
  • We are consulting-ready for clients who must comply with ISO 27001, NIS2, CRA, PCI DSS, SOC 2, HIPAA, and related regulatory ecosystems
  • Our AI-augmented operating model (Information Security Strategy § AI-Enabled Operations) enforces these mappings continuously: the compliance-reviewer specialist agent re-validates control coverage on every PR, GitHub Actions regenerate the ISMS Metrics Dashboard on a schedule, and CEO sign-off via merge constitutes the formal approval of record — no manual quarterly compliance-team cycle required

This transparency is intentional: it shows how a robust, open ISMS becomes a competitive advantage, enabling faster due diligence, smoother audits, and higher trust.

— James Pether Sörling, CEO/Founder


🗺️ Compliance Framework Overview

This checklist is organized primarily around ISO/IEC 27001:2022 Annex A controls and extends those mappings across a broader regulatory landscape.

At a high level:

  • ISO/IEC 27001:2022 Annex A provides the control backbone (A.5–A.8) for organizational, people, physical, and technological controls.
  • NIST CSF 2.0 and CIS Controls v8.1 are mapped to each ISO control to show risk-based and operational alignment.
  • NIS2 Directive requirements (Articles 20, 21, 23) are mapped to governance, risk management, incident handling, business continuity, and supply chain controls.
  • EU Cyber Resilience Act (CRA) mappings cover:
    • Annex I essential cybersecurity requirements
    • Annex II critical product classifications and enhanced obligations (Art. 6, 11, 14, 15, 20, 54)
  • GDPR and Swedish Dataskyddslagen mappings demonstrate privacy, data protection by design/default, breach handling, and local regulatory considerations.
  • Swedish legal obligations (Bookkeeping Act and Companies Act) are integrated into records retention, financial controls, and governance.
  • SOC 2 Type II Trust Services Criteria are mapped to demonstrate operational effectiveness of controls over time.
  • PCI DSS v4.0 is covered with a SAQ A–centric implementation, reflecting a fully outsourced cardholder data processing model (Stripe + AWS).
  • HIPAA Security Rule mappings illustrate consulting readiness for healthcare and PHI-related environments, even though Hack23 AB does not currently handle PHI.

This multi-framework structure ensures that a single set of ISMS controls can be:

  • Traced to multiple standards and regulations
  • Used as evidence in audits, due diligence processes, and client assessments
  • Reused as a consulting reference model for clients adopting similar architectures and regulatory obligations.

🎖️ ISO 27001:2022 Compliance Mapping

Visual representation of how Hack23 ISMS policies directly map to ISO 27001:2022 Annex A controls, demonstrating comprehensive coverage across organizational, people, physical, and technological security domains.

flowchart LR
    subgraph ANNEX_A["📋 ISO 27001:2022 Annex A Controls"]
        A5[A.5: Organizational<br/>Security Policies<br/>& Governance]
        A6[A.6: People<br/>Controls & HR<br/>Security]
        A7[A.7: Physical<br/>Security Controls]
        A8[A.8: Technological<br/>Security Controls]
    end
    
    subgraph POLICIES["🔐 Hack23 ISMS Policies"]
        INFO_SEC[Information Security<br/>Policy]
        SOD[Segregation of<br/>Duties Policy]
        ACCESS_CTRL[Access Control<br/>Policy]
        PHYSICAL[Physical Security<br/>Policy]
        INCIDENT_RESP[Incident Response<br/>Plan]
        CHANGE_MGMT[Change<br/>Management]
        SECURE_DEV[Secure Development<br/>Policy]
        NETWORK[Network Security<br/>Policy]
    end
    
    A5 --> INFO_SEC
    A5 --> SOD
    A5 --> INCIDENT_RESP
    A6 --> ACCESS_CTRL
    A6 --> PHYSICAL
    A7 --> PHYSICAL
    A8 --> CHANGE_MGMT
    A8 --> SECURE_DEV
    A8 --> NETWORK
    A8 --> ACCESS_CTRL
    
    INFO_SEC --> COMPLIANCE_CHECK["✅ 95% Controls<br/>Implemented"]
    SOD --> COMPLIANCE_CHECK
    ACCESS_CTRL --> COMPLIANCE_CHECK
    PHYSICAL --> COMPLIANCE_CHECK
    INCIDENT_RESP --> COMPLIANCE_CHECK
    CHANGE_MGMT --> COMPLIANCE_CHECK
    SECURE_DEV --> COMPLIANCE_CHECK
    NETWORK --> COMPLIANCE_CHECK
    
    style ANNEX_A fill:#1565C0,color:#fff
    style POLICIES fill:#4CAF50,color:#fff
    style COMPLIANCE_CHECK fill:#4CAF50,stroke:#2E7D32,stroke-width:3px,color:#fff
    style INFO_SEC fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style SOD fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style ACCESS_CTRL fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style PHYSICAL fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style INCIDENT_RESP fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style CHANGE_MGMT fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style SECURE_DEV fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style NETWORK fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff

Key Takeaways:

  • 📋 A.5 Organizational: Covered by Information Security Policy, Segregation of Duties, and Incident Response Plan
  • 👥 A.6 People: Implemented through Access Control and Physical Security policies
  • 🏢 A.7 Physical: Home office security and AWS inherited controls documented in Physical Security Policy
  • 🛠️ A.8 Technological: Comprehensive coverage through Change Management, Secure Development, Network Security, and Access Control
  • ✅ 95% Implementation: Strong control coverage demonstrates ISO 27001 alignment and readiness for certification

Related Documents:


📊 Multi-Framework Alignment Overview

mindmap
  root(("✅ ISMS Compliance"))
    ISO_27001_2022(("🔵 ISO 27001:2022"))
      A5_Organizational(("🟢 A.5 Organizational – strong coverage"))
      A6_People(("🟡 A.6 People – some controls planned"))
      A7_Physical(("🟢 A.7 Physical – home office and AWS inherited"))
      A8_Technological(("🟢 A.8 Technological – strong technical controls"))
    NIST_CSF_2_0(("🔵 NIST CSF 2.0"))
      NIST_Govern(("🟢 Govern – ISMS governance and metrics"))
      NIST_Identify(("🟢 Identify – assets risks legal mapped"))
      NIST_Protect(("🟢 Protect – access crypto SDLC BCP"))
      NIST_Detect(("🟢 Detect – logging monitoring vulnerability mgmt"))
      NIST_Respond(("🟢 Respond – IR and reporting flows"))
      NIST_Recover(("🟢 Recover – backup and recovery ready"))
    CIS_Controls_v8_1(("🔵 CIS Controls v8.1"))
      CIS_IG1(("🟢 IG1 – basic cyber hygiene implemented"))
      CIS_IG2(("🟢 IG2 – advanced controls largely covered"))
      CIS_IG3(("🟡 IG3 – enterprise grade concepts mapped"))
    NIS2(("🔵 NIS2 Directive"))
      NIS2_Art20(("🟢 Art 20 – governance implemented"))
      NIS2_Art21(("🟢 Art 21 – risk management measures implemented"))
      NIS2_Art23(("🟢 Art 23 – incident reporting ready"))
    EU_CRA(("🔵 EU Cyber Resilience Act"))
      CRA_Annex1(("🟢 Annex I – essential requirements covered"))
      CRA_Annex2(("🟣 Annex II – critical products consulting focus"))
      CRA_Art6_11(("🟡 Art 6 and 11 – strong docs certification later"))
    GDPR(("🔵 GDPR"))
      GDPR_Core(("🟢 Core articles – mapped to ISMS controls"))
      GDPR_SWE(("🟡 Swedish DPA – localisation in progress"))
    SOC2_TypeII(("🔵 SOC 2 Type II"))
      SOC2_CC(("🟢 CC1 to CC9 – 100 percent mapped"))
      SOC2_TSC(("🟢 TSC – security availability PI confidentiality privacy"))
    PCI_DSS_v4_0(("🔵 PCI DSS v4.0"))
      PCI_SAQ_A(("🟢 SAQ A – Stripe outsourced card processing"))
      PCI_Reqs(("🟡 12 requirements – most implemented"))
    HIPAA(("🔵 HIPAA"))
      HIPAA_Safeguards(("🟢 Safeguards – 60 of 60 mapped to ISMS"))
      HIPAA_Readiness(("🟣 Consulting readiness – no PHI processed"))

Status Legend:

  • Implemented
  • Partially Implemented
  • Not Implemented
  • Not Applicable

🇪🇺 ISO/IEC 27001:2022 Information security management system

🏢 A.5 Organizational Controls

ISO 27001 ControlControl SummaryHack23 Policy/Evidence / Planned ActionStatusNIST CSF 2.0 MappingCIS v8.1 Mapping
A.5.1Policies for information security🔐 Information Security PolicyImplementedGV.PO-01
GV.PO-01: Cybersecurity policy is established, approved, communicated, and updated.
CIS 14.1
CIS 14.1: Awareness program establishes & disseminates security policy expectations.
A.5.2Roles & responsibilities🔐 Information Security Policy § RolesImplementedGV.RR-02
GV.RR-02: Roles, responsibilities, and authorities are established and enforced.
CIS 14.3
CIS 14.3: Document and communicate workforce security responsibilities.
A.5.3Segregation of duties🚫 Segregation of Duties Policy🔍 SoD Validation ChecklistImplementedPR.AC-03
PR.AC-03: Privileged access is managed.
CIS 6.1
CIS 6.1: Formal access granting workflow enforcing least privilege & SoD.
A.5.4Management responsibilities🔐 Information Security Policy § Management CommitmentImplementedGV.OV-01
GV.OV-01: Leadership supports cybersecurity risk management.
CIS 17.1
CIS 17.1: Designate personnel and leadership for incident handling.
A.5.5Contact with authorities🤝 External Stakeholder RegistryImplementedRS.CO-01 RS.CO-01: Response coordination with stakeholders.CIS 17.2 CIS 17.2: Maintain external authority / regulator contact details.
A.5.6Contact with special interest groups🤝 External Stakeholder RegistryImplementedGV.OV-02 GV.OV-02: External/internal context is understood.CIS 17.3 CIS 17.3: Communication plan for coordination & information sharing.
A.5.7Threat intelligence📉 Risk Register🎯 Threat Modeling PolicyImplementedID.RA-04
ID.RA-04: Threat intelligence informs risk.
CIS 7.1
CIS 7.1: Establish vulnerability / threat intake & triage process.
A.5.8Security in project/product mgmt🛠️ Secure Development Policy📝 Change ManagementImplementedPR.IP-01
PR.IP-01: Processes for system development/maintenance are established.
CIS 16.1
CIS 16.1: Maintain secure application development (governed SDLC).
A.5.9Asset inventory💻 Asset RegisterImplementedID.AM-01
ID.AM-01: Physical/virtual assets are inventoried.
CIS 1.1
CIS 1.1: Detailed enterprise asset inventory.
A.5.10Acceptable use of assets✅ Acceptable Use PolicyImplementedPR.AC-01
PR.AC-01: Identities are managed.
CIS 14.1
CIS 14.1: Establish security awareness program incl. acceptable use.
A.5.11Return of assets💻 Asset Register § Asset Return & TerminationImplementedPR.AC-04
PR.AC-04: Access revocation & review.
CIS 5.6
CIS 5.6: Remove/disable accounts immediately on role change or exit.
A.5.12Information classification🏷️ Data Classification PolicyImplementedID.AM-03
ID.AM-03: Data assets are inventoried (incl. classification).
CIS 3.4
CIS 3.4: Implement and maintain a data classification scheme.
A.5.13Labelling of information🏷️ Data Classification Policy § LabelingImplementedID.AM-03
ID.AM-03: Data classification / attributes recorded.
CIS 3.4
CIS 3.4: Apply labels aligned to classification scheme.
A.5.14Information transfer protection🌐 Network Security Policy🔒 Cryptography PolicyImplementedPR.DS-02
PR.DS-02: Data-in-transit protected. Comprehensive email auth (SPF/DKIM/DMARC/MTA-STS) + TLS 1.2+
CIS 3.7
CIS 3.7: Email authentication standards fully implemented with MTA-STS enforcement.
A.5.14.1Email Authentication Standards🌐 Network Security Policy § Email SecurityImplementedPR.DS-02
PR.DS-02: SPF strict (-all), DKIM 2048-bit, DMARC reject policy, MTA-STS enforce mode
CIS 9.2
CIS 9.2: Enterprise-grade email security with transport security (TLS-RPT)
A.5.15Access control (policy)🔑 Access Control PolicyImplementedPR.AC-01
PR.AC-01: Identity lifecycle managed.
CIS 6.1
CIS 6.1: Formal access request / approval process.
A.5.16Identity management🔑 Access Control PolicyImplementedPR.AC-01
PR.AC-01: Identity lifecycle managed.
CIS 5.1
CIS 5.1: Establish and maintain account inventory.
A.5.17Authentication info protection🔑 Access Control Policy § MFA🔒 Cryptography PolicyImplementedPR.AC-01
PR.AC-01: Strong identity proofing / auth.
CIS 6.3
CIS 6.3: MFA for administrative access.
A.5.18Access rights lifecycle🔑 Access Control Policy § Monitoring & Compliance📝 Change ManagementImplementedPR.AC-04
PR.AC-04: Access review & revocation.
CIS 5.4
CIS 5.4: Disable dormant accounts.
A.5.19Supplier relationships🤝 Third Party ManagementImplementedGV.SC-01
GV.SC-01: Supply chain risks identified.
CIS 15.2
CIS 15.2: Maintain service provider inventory & ownership.
A.5.20Supplier security in agreements🤝 Third Party ManagementImplementedGV.SC-02
GV.SC-02: Cyber requirements for suppliers.
CIS 15.4
CIS 15.4: Define security & compliance requirements in contracts.
A.5.21ICT supply chain mgmt🤝 Third Party Management🔗 SUPPLIERImplementedGV.SC-01
GV.SC-01: Supply chain risks identified.
CIS 15.5
CIS 15.5: Assess service providers for security risk.
A.5.22Supplier monitoring & change🔗 Supplier Posture § ClassificationImplementedGV.SC-04
GV.SC-04: Supplier performance monitored.
CIS 15.6
CIS 15.6: Ongoing performance & security monitoring.
A.5.23Cloud services security🤝 Third Party ManagementImplementedGV.SC-04
GV.SC-04: Supplier performance monitored.
CIS 15.3
CIS 15.3: Classify service providers by criticality/risk.
A.5.24Incident mgmt planning🚨 Incident Response PlanImplementedRS.RP-01
RS.RP-01: Response plan executed.
CIS 17.4
CIS 17.4: Maintain incident response process & runbooks.
A.5.25Event assessment & decision🚨 IR Plan § ClassificationImplementedRS.AN-01
RS.AN-01: Incidents analyzed.
CIS 17.5
CIS 17.5: Define incident categories, criteria & severity model.
A.5.26Incident response🚨 IR Plan § Response ProcessImplementedRS.MI-01
RS.MI-01: Response actions performed.
CIS 17.6
CIS 17.6: Execute documented incident response procedures.
A.5.27Lessons learned🚨 IR Plan § Lessons LearnedImplementedRS.IM-01
RS.IM-01: Improvements incorporated.
CIS 17.7
CIS 17.7: Post-incident reviews & improvement tracking.
A.5.28Evidence collection🚨 IR Plan § EvidenceImplementedRS.AN-02
RS.AN-02: Forensic data collected.
CIS 17.8
CIS 17.8: Preserve evidence (logs, artifacts) for investigation.
A.5.29Security during disruption🔄 BCP🆘 DRPImplementedRC.RP-01
RC.RP-01: Recovery plan executed.
CIS 11.3
CIS 11.3: Protect recovery data (integrity & availability).
A.5.30ICT readiness (BC)🔄 Business Continuity PlanImplementedRC.RP-01
RC.RP-01: Recovery plan executed.
CIS 11.4
CIS 11.4: Test restoration & recovery procedures.
A.5.31Legal & regulatory identification✅ This Checklist📉 Risk Register🤝 External Stakeholder RegistryImplementedGV.PO-03
GV.PO-03: Legal & regulatory requirements addressed.
CIS 17.3
CIS 17.3: Communication plan includes regulatory contacts.
A.5.32Intellectual property rights💻 Asset Register § IPR HandlingImplementedGV.PO-03
GV.PO-03: Legal & regulatory requirements addressed.
CIS 3.9
CIS 3.9: Secure disposal / protection of sensitive information assets.
A.5.33Protection of records🏷️ Data Classification Policy § Records Retention MatrixImplementedPR.DS-04
PR.DS-04: Data (incl. records) is managed and retained per policy.
CIS 3.8
CIS 3.8: Define & implement data retention and disposal schedule.
A.5.34Privacy & PII protection🏷️ Data Classification Policy § Privacy🏷️ Classification Framework § Privacy🔐 Privacy Policy🔐 Information Security PolicyImplementedPR.DS-01
PR.DS-01: Data-at-rest (incl. PII) is protected.
CIS 3.6
CIS 3.6: Restrict access to sensitive data (need-to-know / PII).
A.5.35Independent ISMS reviewSchedule annual external reviewNot ImplementedGV.IM-01
GV.IM-01: Independent cybersecurity reviews performed.
CIS 17.7
CIS 17.7: Post-incident / program reviews drive improvement.
A.5.36Policy / standard compliance📊 Security Metrics § Compliance MonitoringImplementedGV.IM-02
GV.IM-02: Compliance with cybersecurity requirements is monitored.
CIS 5.5
CIS 5.5: Periodic review of accounts/privileges (supports compliance verification).
A.5.37Operating proceduresAdd operational runbooks indexNot ImplementedPR.IP-01
PR.IP-01: Processes documented & maintained.
CIS 4.1
CIS 4.1: Maintain secure configuration / procedural baseline.

🤖 A.5.AI - AI Governance Controls (EU AI Act Alignment)

AI Governance ControlControl SummaryHack23 Policy/EvidenceStatusEU AI Act RequirementNIST AI RMF Mapping
A.5.AI.1AI system classification🤖 AI Governance Policy § ClassificationImplementedArt. 6-15
Risk-based AI system classification
GOVERN-1.1
AI governance policies established
A.5.AI.2AI risk assessment🤖 AI Policy § Risk Management📉 Risk RegisterImplementedArt. 9
Risk management system
MAP-2.3
AI system risks mapped
A.5.AI.3AI transparency & disclosure🤖 AI Policy § EU AI Act Compliance🌐 ISMS Transparency PlanImplementedArt. 50
Transparency obligations
GOVERN-5.1
Organizational AI risk tolerance communicated
A.5.AI.4AI human oversight🤖 AI Policy § Security ControlsImplementedArt. 14
Human oversight requirements
GOVERN-3.1
AI design incorporates human oversight
A.5.AI.5AI incident reporting🤝 External Stakeholder Registry § AI Authorities🚨 Incident Response PlanImplementedArt. 62
Serious incident reporting
GOVERN-6.1
AI incident response capabilities
A.5.AI.6AI data governance🏷️ Data Classification Policy🤖 AI PolicyImplementedArt. 10
Data and data governance
MAP-3.2
AI training/test data characterized
A.5.AI.7LLM-specific security controls🛡️ OWASP LLM Security PolicyImplementedArt. 15
AI system robustness & cybersecurity
MEASURE-2.11
AI system security risks identified & documented: OWASP LLM Top 10 2025 coverage with 54% implementation (foundation complete, LLM-specific controls Q1-Q3 2026)
A.5.AI.8AI-augmented compliance evidence generation (operating model control)🎯 Information Security Strategy § AI-Enabled Operations🤖 AI Policy📊 ISMS_METRICS_DASHBOARD.md auto-generated by .github/scripts/generate-metrics.sh • Specialist Copilot agents draft evidence; CEO approves and signsImplementedArt. 14
Human oversight in evidence chain: agents draft, CEO authorises
MANAGE-1.3
AI risk responses tracked; agent contributions logged in PR history for auditability

👤 A.6 People Controls

ISO 27001 ControlControl SummaryHack23 Policy/Evidence / Planned ActionStatusNIST CSF 2.0 MappingCIS v8.1 Mapping
A.6.1ScreeningAdd pre-employment screening checklistNot ImplementedPR.AT-01
PR.AT-01: Workforce is trained.
CIS 14.2
CIS 14.2: Role-based training prerequisites (onboarding screening support).
A.6.2Terms & conditionsAdd security clauses to employment templatesNot ImplementedPR.AT-01
PR.AT-01: Workforce is trained.
CIS 14.3
CIS 14.3: Document workforce security responsibilities.
A.6.3Awareness & training🔑 Access Control PolicyPartialPR.AT-01
PR.AT-01: Workforce is trained.
CIS 14.1
CIS 14.1: Establish & maintain security awareness program.
A.6.4Disciplinary processDefine process (People Security Addendum)Not ImplementedGV.PO-02
GV.PO-02: Policy exceptions & enforcement defined.
CIS 14.6
CIS 14.6: Reinforce policies through training & accountability.
A.6.5Responsibilities after termination💻 Asset Register § Asset Return & TerminationImplementedPR.AC-04
PR.AC-04: Timely access revocation.
CIS 5.6
CIS 5.6: Remove/disable accounts immediately on role change or exit.
A.6.6Confidentiality / NDAAdd NDA reference registerNot ImplementedPR.AT-01
PR.AT-01: Workforce is trained.
CIS 14.5
CIS 14.5: Train workforce on data handling & confidentiality obligations.
A.6.7Remote workingAdd remote work security guidelinesNot ImplementedPR.PT-03
PR.PT-03: Remote work security managed.
CIS 12.4
CIS 12.4: Implement and manage network segmentation / secure remote architecture.
A.6.8Event reporting by personnelAdd quick-report channel summaryNot ImplementedDE.CM-01
DE.CM-01: Monitoring for anomalies.
CIS 17
CIS 17: Incident Reporting & mgmt.

🔒 A.7 Physical Controls

ISO 27001 ControlControl SummaryHack23 Policy/Evidence / Planned ActionStatusNIST CSF 2.0 MappingCIS v8.1 Mapping
A.7.1Physical security perimetersCloud infrastructure only (AWS responsibility)Not ApplicablePR.PS-01
PR.PS-01: Physical protections defined (via CSP).
CIS 13
CIS 13: Network / boundary context (facility via CSP).
A.7.2Physical entry controlsCovered by AWS data center controls (SOC2 / ISO attestations)Not ApplicablePR.PS-01CIS 13
A.7.3Securing offices, rooms, facilities🏠 Physical Security Policy § Home Office SecurityImplementedPR.PS-01CIS 13
A.7.4Physical security monitoringRelies on CSP monitoring (AWS) – reviewed via supplier due diligenceNot ApplicablePR.PS-02CIS 15.6
A.7.5Protection against physical & environmental threatsInherited from AWS shared responsibility modelNot ApplicablePR.PS-02CIS 15.3
A.7.6Working in secure areasNot applicable (no owned secure areas)Not ApplicablePR.PS-01CIS 14.1
A.7.7Clear desk & clear screen🏠 Physical Security Policy § Clean Desk RequirementsImplementedPR.PS-03CIS 14.1
A.7.8Equipment siting & protectionMinimal local equipment; logical hardening onlyNot ApplicablePR.PS-03CIS 10.1
A.7.9Security of assets off-premises📱 Mobile Device Management Policy - Device encryption, MDM enrollment, remote wipeImplementedPR.PS-03
PR.PS-03: Off-premises data protection via device encryption & remote wipe
CIS 1.1
CIS 1.1: Mobile device inventory in Asset Register
A.7.10Storage media🏠 Physical Security Policy § Backup Media and StorageImplementedPR.DS-05CIS 3.9
A.7.11Supporting utilitiesInherited (AWS data center utility redundancy)Not ApplicableRC.RP-01CIS 11.3
A.7.12Cabling securityCovered by AWS physical controlsNot ApplicablePR.PS-02CIS 15.6
A.7.13Equipment maintenanceCSP responsibility (no owned server hardware)Not ApplicablePR.PS-02CIS 15.5
A.7.14Secure disposal / re-use of equipment📱 Mobile Device Management Policy § Device LifecycleImplementedPR.DS-05
PR.DS-05: Device wipe procedures and secure disposal
CIS 3.9
CIS 3.9: Secure data deletion before disposal

💻 A.8 Technological Controls

ISO 27001 ControlControl SummaryHack23 Policy/Evidence / Planned ActionStatusNIST CSF 2.0 MappingCIS v8.1 Mapping
A.8.1User endpoint devices📱 Mobile Device Management Policy - AWS WorkMail MDM + Ubuntu LUKS encryptionImplementedPR.PT-01
PR.PT-01: Endpoint protection via MDM policy enforcement and encryption
CIS 10.1
CIS 10.1: Endpoint security baseline (mobile + workstation)
A.8.2Privileged access rights🔑 Access Control PolicyImplementedPR.AC-03
PR.AC-03: Privileged access managed.
CIS 5.4
CIS 5.4: Disable inactive and unnecessary accounts.
A.8.3Information access restriction🔑 Access Control PolicyImplementedPR.AC-02
PR.AC-02: Access permissions enforced.
CIS 6.1
CIS 6.1: Enforce standardized access granting workflow.
A.8.4Access to source code🛠️ Secure Development PolicyImplementedPR.AC-04
PR.AC-04: Access review & revocation.
CIS 16
CIS 16: Application Software Security.
A.8.5Secure authentication🔑 Access Control PolicyImplementedPR.AC-01
PR.AC-01: Identity lifecycle managed.
CIS 6.3
CIS 6.3: MFA for administrative access.
A.8.6Capacity managementAdd capacity monitoring sectionNot ImplementedPR.IP-01
PR.IP-01: Operational processes defined.
CIS 12.1
CIS 12.1: Maintain up‑to‑date network infrastructure (scalability & capacity).
A.8.7Protection against malware📱 Mobile Device Management Policy § Policy Enforcement - OS-native protection + ClamAVImplementedPR.PT-01
PR.PT-01: Malware protection on mobile (OS-native) and workstations (ClamAV)
CIS 10.2
CIS 10.2: Configure anti‑malware scanning on endpoints
A.8.8Technical vulnerability mgmt🔍 Vulnerability ManagementImplementedPR.MA-02
PR.MA-02: Remote maintenance authorized/monitored.
CIS 7.2
CIS 7.2: Establish remediation & patch prioritization process.
A.8.9Configuration managementAdd baseline config matrixNot ImplementedPR.IP-01
PR.IP-01: Config processes defined.
CIS 4.2
CIS 4.2: Maintain secure configuration baselines.
A.8.10Information deletion🏷️ Data Classification Policy § Retention & DisposalImplementedPR.DS-05
PR.DS-05: Data deletion & retention.
CIS 3.9
CIS 3.9: Secure disposal of sensitive data.
A.8.11Data masking🏷️ Data Classification Policy § Data Masking & TokenizationImplementedPR.DS-06
PR.DS-06: Data leakage prevention.
CIS 3.7
CIS 3.7: Encrypt data in transit (supports masking strategy).
A.8.12Data leakage prevention🏷️ Data Classification PolicyImplementedPR.DS-06
PR.DS-06: Data leakage prevention.
CIS 3.6
CIS 3.6: Restrict access to sensitive data.
A.8.13Information backup💾 Backup Recovery PolicyImplementedPR.DS-05
PR.DS-05: Data backup & retention.
CIS 11.2
CIS 11.2: Perform automated backups.
A.8.14RedundancyAdd redundancy / HA statementNot ImplementedRC.RP-01
RC.RP-01: Recovery plan executed.
CIS 11.3
CIS 11.3: Protect recovery data (resilience architecture).
A.8.15Logging💻 Asset Register § AWS SecurityImplementedDE.CM-01
DE.CM-01: Continuous monitoring.
CIS 8.2
CIS 8.2: Collect audit logs for defined events.
A.8.16Monitoring activities📊 Security Metrics💻 Asset Register § MonitoringImplementedDE.CM-01
DE.CM-01: Continuous monitoring.
CIS 8.6
CIS 8.6: Review and analyze collected logs.
A.8.17Clock synchronization🌐 Network Security Policy § Clock SynchronizationImplementedDE.CM-01
DE.CM-01: Monitoring (time integrity).
CIS 8.4
CIS 8.4: Standardize time sources across logging systems.
A.8.18Privileged utilities useAdd privileged tools approval listNot ImplementedPR.AC-03
PR.AC-03: Privileged access managed.
CIS 5.5
CIS 5.5: Review accounts & privileges periodically.
A.8.19Software installation controlsAdd approved software listNot ImplementedPR.PT-01
PR.PT-01: Endpoint protection policies.
CIS 2.3
CIS 2.3: Enforce approved software allowlisting.
A.8.20Network security🌐 Network Security PolicyImplementedPR.AC-04
PR.AC-04: Zero-trust architecture with comprehensive segmentation & monitoring
CIS 12.3
CIS 12: Complete network infrastructure management (12.1-12.8 covered)
A.8.20.1DNS Security Extensions (DNSSEC)🌐 Network Security Policy § Email SecurityImplementedPR.PT-04
PR.PT-04: DNS integrity protection with DNSSEC + DNS Firewall
CIS 12.3
CIS 12.3: DNS filtering + CIS 12.8: Network documentation via Route 53
A.8.21Security of network services🤝 Third Party Management🔗 SUPPLIERImplementedGV.SC-04
GV.SC-04: Network service providers monitored via supplier classification
CIS 15.6
CIS 15.6: Continuous network service provider monitoring
A.8.22Segregation of networks🌐 Network Security Policy § Zero-Trust ArchitectureImplementedPR.PT-02
PR.PT-02: Multi-tier network segmentation (DMZ/App/Data/Management)
CIS 12.8
CIS 12.8: Network segmentation via VPC architecture & security groups
A.8.23Web filtering🌐 Network Security Policy § DNS FirewallImplementedPR.PS-01
PR.PS-01: Route 53 DNS Firewall blocks malware/phishing/botnet
CIS 9.4
CIS 9.4: DNS-level web filtering with threat intelligence integration
A.8.24Use of cryptography🔒 Cryptography Policy🌐 Network Security Policy § TLSImplementedPR.DS-01
PR.DS-01: Comprehensive crypto (AES-256, TLS 1.3, AWS KMS integration)
CIS 3.5
CIS 3.5: Data encryption standards with network transport security
A.8.25Secure development life cycle🛠️ Secure Development PolicyImplementedPR.DS-07
PR.DS-07: Dev processes address security.
CIS 16.2
A.8.26Application security requirements🛠️ Secure Development PolicyImplementedPR.DS-07CIS 16.3
A.8.27Secure system architecture & engineering principles🛠️ Secure Development Policy • Architecture docsImplementedPR.IP-01CIS 16.1
A.8.28Secure coding🛠️ Secure Development PolicyImplementedPR.DS-07CIS 16.6
A.8.29Security testing in development & acceptanceAdd formal security testing scheduleImplementedPR.DS-07CIS 16.5
A.8.30Outsourced developmentNot currently outsourced; add due diligence templateNot ImplementedGV.SC-04
GV.SC-04: Supplier performance monitored.
CIS 15.6
CIS 15.6: Ongoing supplier monitoring.
A.8.31Separation of development, test & production🛠️ Secure Development Policy § PipelinesImplementedPR.AC-05CIS 16.4
A.8.32Change management📝 Change ManagementImplementedPR.MA-01CIS 16.7
A.8.33Test information🛠️ Secure Development Policy § Protection of Test Data🏷️ Data Classification Policy § Test Data GenerationImplementedPR.DS-06CIS 3.7
A.8.34Protection of information systems during audit testingAdd audit test isolation / hardening noteNot ImplementedDE.CM-01
DE.CM-01: Monitoring safeguards during testing.
CIS 18.1
CIS 18.1: Pen test controls (system protection).

🇪🇺 General Data Protection Regulation (GDPR)

GDPR ArticleRequirement SummaryHack23 Policy/EvidenceStatus
Art. 5Principles relating to processing of personal data🏷️ Data Classification PolicyImplemented
Art. 25Data protection by design and by default🛠️ Secure Development PolicyImplemented
Art. 30Records of processing activities (RoPA)💻 Asset RegisterImplemented
Art. 32Security of processing🔒 Cryptography Policy & 🔑 Access Control PolicyImplemented
Art. 33/34Notification of a personal data breach🚨 Incident Response PlanImplemented

🇪🇺 EU Cyber Resilience Act (CRA)

Essential Cybersecurity Requirements (Annex I)

CRA Annex I RequirementRequirement SummaryHack23 Policy/EvidenceStatus
§ 1.1Secure by Design & Default🛠️ Secure Development PolicyImplemented
§ 1.3Confidentiality, Integrity, Availability🔒 Cryptography Policy & 🔑 Access Control PolicyImplemented
§ 1.8Vulnerability Handling🔍 Vulnerability ManagementImplemented
§ 1.9Coordinated Vulnerability DisclosureSECURITY.md in each repo & 🔍 Vulnerability ManagementImplemented
§ 1.10Software Bill of Materials (SBOM)Open Source Policy & Release ArtifactsImplemented
§ 1.11Secure Updates📝 Change Management & SLSA AttestationsImplemented
§ 1.12Security Monitoring & Logging📊 Security Metrics & 🚨 Incident Response PlanImplemented

Annex II: Critical Products with Digital Elements (Article 6)

The EU Cyber Resilience Act defines specific product categories as "critical" or "important" under Annex II, subjecting them to enhanced cybersecurity requirements and mandatory third-party conformity assessment. While Hack23 AB's current products (CIA, Black Trigram, CIA Compliance Manager) are classified as "Standard (Non-commercial OSS)", this section demonstrates our capability to support clients developing critical products and our readiness for potential commercial expansion into critical infrastructure sectors.

Critical Product Classifications (Annex II, Class I & II)

The CRA defines 11 categories of critical products with digital elements. The following table assesses Hack23 AB's current applicability and potential consulting scenarios.

Annex II CategoryProduct ExamplesHack23 Current ApplicabilityConsulting OpportunitiesRelevant ISMS Policies
Class I(a) Identity & Access ManagementEnterprise IAM systems, SSO platforms, directory services🟡 Low: Current products use IAM but are not IAM-focused🟢 High: Consulting for IAM vendors, enterprise identity platforms🔑 Access Control Policy
Class I(b) Endpoint Security ToolsBrowsers, password managers, VPNs, endpoint protection🟡 Low: Not current product focus🟠 Medium: Consulting for security tool vendors, browser extensions🛠️ Secure Development Policy
Class I(c) Network Management SystemsFirewalls, routers, switches, IDS/IPS, network monitoring🟠 Medium: Network security policy expertise🟢 High: Consulting for network equipment vendors, SDN platforms🌐 Network Security Policy
Class I(d) Operating SystemsServer OS, desktop OS, mobile OS, embedded OS🟡 Low: Applications built on top of OS🟠 Medium: Consulting for OS vendors, enterprise deployment security🛠️ Secure Development Policy
Class I(e) Virtualization & ContainersHypervisors, container runtimes, orchestration platforms🟠 Medium: Container deployment experience (Docker, Kubernetes)🟢 High: Consulting for cloud platform providers, container security🛠️ Secure Development Policy
Class I(f) Microprocessors with Security FunctionsSecure elements, TPMs, secure enclaves, HSM processors🔴 Minimal: Hardware not in scope🟡 Low: Limited consulting applicability🔒 Cryptography Policy
Class I(g) Smart Cards & Authentication DevicesSmart cards, card readers, USB security tokens, secure elements🔴 Minimal: Hardware not in scope🟡 Low: Limited consulting applicability🔑 Access Control Policy
Class I(h) Hardware Security Modules (HSMs)Dedicated HSMs, cloud HSMs, key management appliances🟡 Low: HSM consumers, not providers🟠 Medium: Consulting for key management system integration🔒 Cryptography Policy
Class II(a) Industrial Automation & ControlSCADA systems, PLCs, DCS, industrial IoT gateways🔴 Minimal: Not current domain🟠 Medium: Consulting for industrial security, ICS/SCADA vendors🔐 Information Security Policy
Class II(b) Distributed Ledger TechnologiesBlockchain platforms, cryptocurrency wallets (with security functions)🔴 Minimal: Not current domain🟡 Low: Emerging consulting opportunity🔒 Cryptography Policy
Class II(c) Remote Access & Support ToolsRemote desktop software, remote administration tools, support platforms🟠 Medium: Remote work security policies🟢 High: Consulting for remote access vendors, enterprise tools🔑 Access Control Policy🌐 Network Security Policy

Legend:

  • 🟢 High: Strong applicability or consulting opportunity
  • 🟠 Medium: Moderate relevance or potential
  • 🟡 Low: Limited applicability
  • 🔴 Minimal: Not relevant to current operations

Enhanced Requirements for Critical Products

Critical products face significantly stricter requirements beyond Annex I essential cybersecurity requirements. The following table maps these enhanced obligations to Hack23 AB's readiness state and supporting policies.

CRA Article & RequirementRequirement SummaryHack23 Readiness AssessmentSupporting ISMS PoliciesImplementation Status
Art. 6(2) + Annex I § 1.8 Enhanced Vulnerability Handling24-hour notification for actively exploited critical vulnerabilities; coordinated disclosure with CERT-EU🟢 Ready: Vulnerability Management defines incident response timelines; SECURITY.md in all repos🔍 Vulnerability Management🚨 Incident Response PlanReady
Art. 6(3) + Annex I § 1.10 Comprehensive SBOM RequirementsMachine-readable SBOM (SPDX/CycloneDX); full dependency tree; supply chain transparency; vulnerability status🟢 Ready: SBOM generation in CI/CD pipelines; SLSA provenance attestations🔓 Open Source Policy🛠️ Secure Development PolicyReady
Art. 6(4) EU Cybersecurity CertificationMandatory certification under EUCC (European Common Criteria) or equivalent scheme recognized by ENISA🟡 Planned: External certification process; not required for current non-commercial OSS products🛡️ CRA Conformity Assessment ProcessPlanned
Art. 6(5) Third-Party Conformity AssessmentClass I products require notified body assessment; Class II self-assessment with enhanced documentation🟡 N/A: Current products are Standard classification; consulting readiness for client support🛡️ CRA Conformity Assessment Process🤝 Third Party ManagementNot Applicable
Art. 11(1) Technical Documentation (Annex V)Comprehensive technical file: architecture, risk assessments, test reports, conformity evidence🟢 Ready: SECURITY_ARCHITECTURE.md, THREAT_MODEL.md in all product repos🛠️ Secure Development Policy🎯 Threat ModelingReady
Art. 11(2) Vulnerability Handling DocumentationProcess documentation; disclosure timelines; incident response procedures; remediation SLAs🟢 Ready: Comprehensive vulnerability management framework with defined SLAs🔍 Vulnerability Management🚨 Incident Response PlanReady
Art. 11(6) Instructions for Secure UseUser documentation; secure configuration guidance; hardening recommendations; security best practices🟢 Ready: README.md security sections; deployment guides; configuration documentation in repos🛠️ Secure Development Policy✅ Acceptable Use PolicyReady
Art. 14 Support Period DeclarationMinimum 5-year security update support for critical products; end-of-support transparency🟠 Partial: Long-term OSS maintenance commitment; no formal 5-year declaration yet📝 Change Management💾 Backup Recovery PolicyPartial
Art. 15 Continuous Monitoring & UpdatesProactive vulnerability monitoring; timely security updates; automated update mechanisms where feasible🟢 Ready: GitHub Dependabot; automated security scanning; CI/CD security gates📊 Security Metrics🔍 Vulnerability ManagementReady
Art. 20 Market Surveillance CooperationEnhanced cooperation with national market surveillance authorities; incident reporting; compliance audits🟢 Ready: External stakeholder registry includes regulatory authorities; transparency commitment🤝 External Stakeholder Registry🚨 Incident Response PlanReady
Art. 54 Cybersecurity Incident ReportingReport significant incidents to CSIRT/ENISA within 24 hours; provide detailed incident analysis🟢 Ready: Incident response plan with escalation procedures and external notification processes🚨 Incident Response Plan🤝 External Stakeholder RegistryReady

Readiness Legend:

  • 🟢 Ready: Policies and processes in place, evidence available
  • 🟠 Partial: Framework exists, additional work needed for full compliance
  • 🟡 Planned: Requirement acknowledged, implementation planned
  • 🔴 Not Ready: Significant gap requiring implementation

EU Cybersecurity Certification Schemes

Critical products under CRA Article 6(4) must obtain certification under EU cybersecurity certification schemes. The following schemes are recognized under the EU Cybersecurity Act (CSA):

Certification SchemeScopeAssurance LevelsApplicability to Hack23 ConsultingStatus
EUCC (European Common Criteria)ICT products, processes, servicesBasic, Substantial, HighPrimary scheme for critical infrastructure products; applicable to identity systems, network equipment, OSRecognized
EUCS (EU Cloud Services)Cloud service providersBasic, Substantial, HighApplicable for cloud-based critical products; relevant for SaaS security consultingProposed
Sectoral SchemesDomain-specific (e.g., 5G, IoT)Varies by sectorEmerging schemes for industrial IoT, telecommunications, smart gridsEmerging

Hack23 AB Certification Readiness:

  • Current Status: No EU certification required for non-commercial OSS products
  • Consulting Capability: Framework understanding enables client guidance through certification processes
  • Future Preparation: ISMS policies align with EUCC Basic/Substantial assurance level requirements
  • Reference: 🛡️ CRA Conformity Assessment Process provides systematic assessment methodology adaptable to certification requirements

Consulting Service Positioning

Hack23 AB's comprehensive CRA Annex II readiness enables consulting services for clients developing critical products:

🎯 Target Client Scenarios:

  1. Identity & Access Management Vendors: Supporting IAM platform providers in achieving CRA Class I(a) compliance
  2. Network Equipment Manufacturers: Assisting firewall, IDS/IPS vendors with Class I(c) security documentation
  3. Cloud Platform Providers: Guiding hypervisor and container platform security for Class I(e) compliance
  4. Remote Access Tool Vendors: Supporting enterprise remote desktop and support tool compliance (Class II(c))
  5. Industrial Security: Consulting for SCADA/ICS vendors entering EU markets (Class II(a))

💼 Service Offerings:

  • CRA gap analysis and conformity roadmaps
  • Technical documentation preparation (Annex V)
  • SBOM generation and supply chain transparency implementation
  • Vulnerability management process establishment
  • EU cybersecurity certification scheme guidance (EUCC)
  • Notified body assessment preparation support

🔗 Evidence of Expertise:

  • 6 completed CRA conformity assessments (Standard classification)
  • Comprehensive ISMS framework aligned with ISO 27001, NIST CSF 2.0, CIS Controls v8.1
  • Public transparency: All security documentation available for client review
  • Technical implementation: SLSA 3, SBOM generation, security scanning in CI/CD

Product Conformity Assessments

The following products have completed CRA conformity assessments, demonstrating compliance with essential requirements.

🚀 Project📦 Product Type🏷️ CRA Classification📋 Assessment Status🔗 Reference Link
🕵️ CIA (Citizen Intelligence Agency)Political transparency platformStandard (Non-commercial OSS)Implemented📄 CRA Assessment
⚫ Black TrigramKorean martial arts gameStandard (Non-commercial OSS)Implemented📄 CRA Assessment
🛡️ CIA Compliance ManagerCompliance automation toolStandard (Non-commercial OSS)Implemented📄 CRA Assessment
🇪🇺 European Parliament MCP ServerPolitical intelligence MCP serverStandard (Non-commercial OSS)Implemented📄 CRA Assessment
🇪🇺 EU Parliament MonitorAutomated news generation platformStandard (Non-commercial OSS)Implemented📄 CRA Assessment
🗳️ RiksdagsmonitorSwedish parliament intelligence platformStandard (Non-commercial OSS)Implemented📄 CRA Assessment

Bookkeeping Act (Bokföringslagen)

RequirementHack23 Policy/EvidenceStatusNotes
7-year retention💾 Backup Recovery PolicyImplementedFinancial data retained in Bokio, with backups.
Swedish GAAP💻 Asset Register (Bokio)ImplementedBokio is used for accounting, adhering to Swedish standards.
Audit trail💻 Asset Register (Bokio)ImplementedAll financial transactions are logged in Bokio.
VAT reporting💻 Asset Register (Bokio)ImplementedVAT is managed and reported via Bokio.
Annual reportFinancial RecordsImplementedFirst annual report for FY2025 due in 2026.

Companies Act (Aktiebolagslagen)

RequirementHack23 Policy/EvidenceStatusNotes
Share registerAktiebok.md (Internal)ImplementedMaintained and stored securely.
Board meetingsMeeting Minutes (Internal)Partially ImplementedInformal as a single-shareholder company, but key decisions are documented.
Articles of AssociationCompany Registration DocsImplementedStandard template filed with Bolagsverket.
Capital requirementsBank Statements (SEB)Implemented25,000 SEK share capital deposited and maintained.

Data Protection Act (Dataskyddslagen - Complementing GDPR)

RequirementHack23 Policy/EvidenceStatusNotes
IMY RegistrationN/ANot ApplicableNot required for company size and processing activities.
Swedish language docsISMS DocumentationPartially ImplementedKey legal documents are in Swedish; ISMS is in English for international transparency.
Local representative💻 Asset RegisterImplementedCEO is resident in Sweden.

🛡️ SOC 2 Type II Trust Services Criteria

Overview

SOC 2 Type II certification demonstrates operational effectiveness of security, availability, processing integrity, confidentiality, and privacy controls over time. This mapping shows how Hack23 AB's ISMS controls align with the 2017 Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA).

SOC 2 Applicability:

  • CIA (Citizen Intelligence Agency) - Political transparency SaaS platform
  • Black Trigram - Educational gaming SaaS
  • CIA Compliance Manager - Compliance assessment SaaS
  • Cloud Consulting Services - AWS-based security consulting

Operational Effectiveness Evidence: All control implementations include frequency of execution, monitoring mechanisms, and historical effectiveness data demonstrating controls operate consistently over time (Type II requirement).

mindmap
  root(("🛡️ SOC 2 TSC"))
    (🔐 Common Criteria)
      CC1 COSO Principles
      CC2 Communication
      CC3 Risk Assessment
      CC4 Monitoring
      CC5 Control Activities
      CC6 Logical Access
      CC7 System Operations
      CC8 Change Management
      CC9 Risk Mitigation
    (⚡ Availability)
      A1.1 Availability Commitments
      A1.2 System Monitoring
      A1.3 Incident Management
    (📊 Processing Integrity)
      PI1.1 Processing Commitments
      PI1.2 Quality Monitoring
      PI1.3 Data Processing Controls
    (🔒 Confidentiality)
      C1.1 Confidentiality Commitments
      C1.2 Confidentiality Controls
    (🔐 Privacy)
      P1.0 Notice
      P2.0 Choice & Consent
      P3.0 Collection
      P4.0 Use & Retention
      P5.0 Access
      P6.0 Disclosure
      P7.0 Quality
      P8.0 Monitoring

🔐 CC1-CC5: Common Criteria - COSO Internal Control Principles

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
CC1.1COSO Principle 1 - Integrity & Ethical Values🔐 Information Security PolicyCEO commitment reviewed annually; demonstrated through transparent ISMS publicationImplementedA.5.1GV.OV-01
CC1.2COSO Principle 2 - Board Independence🔐 Information Security Policy § Management Commitment🤝 External Stakeholder RegistryQuarterly stakeholder engagement; annual external consultation documentedImplementedA.5.4GV.OV-01
CC1.3COSO Principle 3 - Organizational Structure & Authority🔐 Information Security Policy § RolesCEO maintains comprehensive role documentation; reviewed annuallyImplementedA.5.2GV.RR-02
CC1.4COSO Principle 4 - Competence & DevelopmentProfessional certifications maintained; continuous learning via AWS/security trainingTraining hours tracked quarterly; certifications renewed per scheduleImplementedA.6.3PR.AT-01
CC1.5COSO Principle 5 - Accountability🔐 Information Security Policy § Management Commitment📉 Risk RegisterRisk ownership reviewed quarterly; mitigation actions tracked monthlyImplementedA.5.4GV.RR-02
CC2.1COSO Principle 13 - Relevant Information📊 Security Metrics provide continuous security posture visibilityMetrics collected daily; dashboards reviewed weekly; trends analyzed monthlyImplementedA.8.16DE.CM-01
CC2.2COSO Principle 14 - Internal CommunicationSecurity communications via ISMS documentation and 🚨 Incident Response PlanPolicy updates communicated immediately; quarterly ISMS reviewsImplementedA.5.24GV.PO-01
CC2.3COSO Principle 15 - External Communication🤝 External Stakeholder Registry + public ISMS transparencyStakeholder communications tracked; regulatory contacts maintained; quarterly engagementImplementedA.5.5RS.CO-01
CC3.1COSO Principle 6 - Objectives & Risk📉 Risk Register aligns risks to business objectivesRisk register updated monthly; business impact assessed quarterlyImplementedA.5.31ID.RA-01
CC3.2COSO Principle 7 - Risk Identification & Analysis📉 Risk Assessment MethodologyRisk assessments conducted quarterly; threat intelligence reviewed weeklyImplementedA.5.7ID.RA-04
CC3.3COSO Principle 8 - Fraud RiskFraud risks documented in 📉 Risk Register; financial controls via BokioFinancial reconciliation monthly; fraud indicators monitored continuouslyImplementedA.5.31ID.RA-03
CC3.4COSO Principle 9 - Change Risk📝 Change Management assesses change-related risksChange risk assessed for every change; impacts evaluated pre-implementationImplementedA.8.32PR.MA-01
CC4.1COSO Principle 16 - Ongoing & Separate Evaluations📊 Security Metrics § Compliance MonitoringAutomated monitoring continuous; manual reviews quarterly; external audits plannedImplementedA.5.36GV.IM-02
CC4.2COSO Principle 17 - Deficiency Evaluation & Communication🚨 Incident Response PlanControl deficiencies tracked; remediation plans created within 48hrs; reviewed monthlyImplementedA.5.27RS.IM-01
CC5.1COSO Principle 10 - Control ActivitiesComprehensive control catalog across 🔐 Information Security PolicyControls executed per policy schedules; effectiveness reviewed quarterlyImplementedA.5.37PR.IP-01
CC5.2COSO Principle 11 - Technology Controls🌐 Network Security Policy + 🛠️ Secure Development PolicyTechnology controls automated where possible; manual controls executed per scheduleImplementedA.8.20PR.PT-04
CC5.3COSO Principle 12 - Policies & ProceduresAll ISMS policies per STYLE_GUIDE.md standardsPolicies reviewed annually; procedures updated as needed; changes tracked in gitImplementedA.5.1GV.PO-01

🔐 CC6: Common Criteria - Logical and Physical Access Controls

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
CC6.1Logical & physical access controls restrict access to authorized users🔑 Access Control PolicyAccess reviews conducted quarterly; MFA enforced on all accounts; authentication logs monitored dailyImplementedA.5.15PR.AC-01
CC6.2New access provisioned & authorized🔑 Access Control PolicyAccess requests documented; approval required pre-provisioning; provisioning logs retainedImplementedA.5.16PR.AC-02
CC6.3Access modifications & deactivations processed🔑 Access Control PolicyAccess changes logged; deactivation within 24hrs of role change; quarterly access reviewsImplementedA.5.18PR.AC-04
CC6.4Physical access restricted to authorized personnel🏠 Physical Security Policy § Home OfficeHome office security controls documented; cloud infrastructure via AWS SOC 2 certified datacentersImplementedA.7.3PR.PS-01
CC6.5Physical access points removed timely💻 Asset Register § Asset ReturnDevice access removed upon termination; physical media securely disposed per proceduresImplementedA.6.5PR.AC-04
CC6.6Logical access removed timely🔑 Access Control PolicyAccess revocation within 24hrs; automated alerts for dormant accounts; quarterly cleanupImplementedA.5.11PR.AC-04
CC6.7Logical & physical access restricted to authorized credentials🔑 Access Control PolicyMFA enforced 100%; password policies automated; credential rotation monitoredImplementedA.5.17PR.AC-01
CC6.8Segregation of duties & authorization workflows🚫 Segregation of Duties Policy15 incompatible role pairs documented; compensating controls (temporal, tool-based, audit); external validationImplementedA.5.3PR.AC-03

🔐 CC7: Common Criteria - System Operations (Monitoring, Change Mgmt, Risk Mitigation)

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
CC7.1Threats & vulnerabilities detected & mitigated🔍 Vulnerability ManagementSAST/SCA/DAST scans on every commit; vulnerabilities remediated per SLA (Critical: 24hrs)ImplementedA.8.8DE.CM-08
CC7.2Security incidents identified, reported, investigated🚨 Incident Response PlanGuardDuty + Security Hub monitored 24/7; incidents classified per severity; response per runbooksImplementedA.5.24RS.AN-01
CC7.3System activities monitored for anomalies📊 Security Metrics + AWS CloudWatchCloudWatch alarms configured; anomaly detection via GuardDuty; logs analyzed continuouslyImplementedA.8.16DE.CM-01
CC7.4Environmental threats & disasters planned for🔄 Business Continuity Plan + 🆘 Disaster Recovery PlanBC/DR plans tested annually; RTO/RPO targets defined; multi-AZ AWS deploymentImplementedA.5.29RC.RP-01
CC7.5Capacity monitored & managed💻 Asset Register § AWS MonitoringAWS CloudWatch monitors capacity; autoscaling configured; capacity reviews quarterlyImplementedA.8.6PR.IP-01

🔐 CC8: Common Criteria - Change Management

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
CC8.1Changes authorized, tested, documented, deployed📝 Change ManagementAll changes via pull requests; peer review required; automated testing; deployment logs retainedImplementedA.8.32PR.MA-01

🔐 CC9: Common Criteria - Risk Mitigation

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
CC9.1Risk mitigation activities designed & deployed📉 Risk Register + Risk Treatment PlansRisk treatments implemented per priority; mitigation effectiveness reviewed quarterly; residual risk trackedImplementedA.8.9ID.RA-05
CC9.2Vendors & business partners evaluated for risks🤝 Third Party Management + 🔗 SUPPLIERSuppliers classified by criticality; security assessments conducted; performance monitored quarterlyImplementedA.5.19GV.SC-01

A1: Availability

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
A1.1Availability commitments in SLAs & system design🔄 Business Continuity PlanRTO ≤4hrs, RPO ≤1hr for critical systems; multi-AZ deployment; availability monitored 24/7ImplementedA.5.30RC.RP-01
A1.2System capacity & performance monitored💻 Asset Register § Monitoring ServicesCloudWatch dashboards; performance metrics collected every 1min; alerts for threshold breachesImplementedA.8.6DE.CM-01
A1.3System incidents impact availability assessed & addressed🚨 Incident Response Plan § Classification & Response FrameworkAvailability impact classified (Critical/High/Medium/Low); response per severity; post-incident reviewsImplementedA.5.25RS.AN-01
A1.4System components critical to availability backed up💾 Backup Recovery PolicyAutomated daily backups; cross-region replication; immutable backup vaults; restoration tested quarterlyImplementedA.8.13PR.DS-05
A1.5Environmental protections for system availabilityAWS datacenter environmental controls (inherited) + 🆘 Disaster Recovery PlanAWS SOC 2 certified facilities; DRP tested annually; multi-region failover capabilityImplementedA.7.5RC.RP-01

📊 PI1: Processing Integrity

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
PI1.1Processing commitments in agreementsService agreements specify processing requirements; 🛠️ Secure Development Policy ensures data integrityProcessing requirements documented; accuracy validated per test plans; monitoring continuousImplementedA.5.8PR.IP-01
PI1.2Processing inputs authorized & complete🛠️ Secure Development PolicyInput validation on all endpoints; schema validation enforced; rejected inputs loggedImplementedA.8.26PR.DS-07
PI1.3Processing complete, accurate, timelyApplication audit logging via Javers; data quality monitored; processing errors trackedProcessing completeness verified; error rates monitored; data quality dashboards reviewed weeklyImplementedA.8.26PR.IP-01
PI1.4Processing outputs complete, accurate, timelyUnit test coverage ≥80%; E2E testing validates outputs; 🛠️ Secure Development PolicyTest results published; coverage tracked per commit; output validation automatedImplementedA.8.29PR.DS-07
PI1.5Processing errors detected, corrected, reportedError handling per 🚨 Incident Response Plan; application error logs monitoredApplication errors logged; alerts for error rate thresholds; root cause analysis for recurring errorsImplementedA.5.25DE.CM-01

🔒 C1: Confidentiality

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
C1.1Confidentiality commitments in agreements🏷️ Data Classification Policy + NDAs with customers/partnersData classifications defined; handling requirements per class; NDA registry maintainedImplementedA.5.12PR.DS-01
C1.2Confidential information protected at rest & in transit🔒 Cryptography Policy + 🌐 Network Security PolicyAES-256 encryption at rest; TLS 1.3 in transit; key rotation automated; encryption verified continuouslyImplementedA.8.24PR.DS-01
C1.3Confidential information disposed securely🏷️ Data Classification § Retention & DisposalSecure deletion procedures; disposal logs maintained; media sanitization per NIST 800-88ImplementedA.8.10PR.DS-05
C1.4Confidential information access restricted🔑 Access Control Policy + 🏷️ Data Classification PolicyAccess control per data classification; need-to-know enforced; access logs reviewed monthlyImplementedA.8.3PR.AC-02
C1.5Confidentiality breaches detected & addressed🚨 Incident Response PlanDLP monitoring continuous; breach detection automated; notification per GDPR (72hrs); post-breach reviewsImplementedA.5.26RS.MI-01

🔐 P1-P8: Privacy

SOC 2 TSC RefTrust Services CriterionHack23 Policy/EvidenceOperational EffectivenessStatusISO 27001NIST CSF 2.0
P1.0Notice: Privacy notice provided to data subjects🔐 Privacy Policy + privacy notices on all servicesPrivacy policies published; updated when processing changes; notice acknowledgment trackedImplementedA.5.34PR.DS-01
P2.0Choice & Consent: Explicit consent obtained for data processing🔐 Privacy Policy § Your Rights Under GDPR + consent management in applicationsConsent captured per GDPR Article 7; consent withdrawal supported; audit trail maintainedImplementedA.5.34PR.DS-01
P3.0Collection: Personal data collected per privacy notice🏷️ Data Classification Policy § PrivacyData minimization enforced; collection logged; purpose limitation documentedImplementedA.5.34PR.DS-01
P3.1Sensitive personal data identified & protected🏷️ Data Classification Policy § Privacy LevelsGDPR Article 9 special categories identified; enhanced protections applied; access restrictedImplementedA.5.34PR.DS-01
P3.2Personal data collected from third parties documented💻 Asset RegisterThird-party data sources documented; DPAs in place; data provenance trackedImplementedA.5.34GV.SC-02
P4.0Use, Retention, Disposal: Personal data used, retained, disposed per notice🏷️ Data Classification Policy § Records RetentionRetention periods enforced; automated deletion configured; disposal logs maintainedImplementedA.5.33PR.DS-04
P4.1Personal data retained per legal requirements🏷️ Data Classification Policy § Retention MatrixGDPR Article 17 compliance; legal hold processes; retention justified per basisImplementedA.5.33PR.DS-04
P4.2Personal data disposed securely per retention schedule🏷️ Data Classification § DisposalAutomated disposal workflows; cryptographic erasure for encrypted data; disposal verifiedImplementedA.8.10PR.DS-05
P5.0Access: Data subjects can access their personal data🔐 Privacy Policy § Your Rights Under GDPRGDPR Article 15 access requests processed within 30 days; identity verification required; access logs maintainedImplementedA.5.34PR.DS-01
P5.1Data subjects can correct inaccurate personal data🔐 Privacy Policy § Your Rights Under GDPRGDPR Article 16 rectification requests processed; corrections logged; notifications to third partiesImplementedA.5.34PR.DS-01
P6.0Disclosure: Personal data disclosed to third parties per notice🤝 Third Party ManagementDPAs with all processors; sub-processor register maintained; disclosure loggedImplementedA.5.20GV.SC-02
P6.1Personal data transferred internationally with adequate protection🏷️ Data Classification Policy + AWS region selectionEU/EEA data processing; SCCs with non-EEA processors; transfer impact assessmentsImplementedA.5.14PR.DS-02
P7.0Quality: Personal data maintained accurate & complete🏷️ Data Classification PolicyData quality validation; correction mechanisms; quality metrics monitoredImplementedA.5.34PR.DS-01
P8.0Monitoring: Privacy program compliance monitored📊 Security Metrics + GDPR compliance auditsPrivacy controls reviewed quarterly; data breach monitoring continuous; DPO consultation plannedImplementedA.5.36GV.IM-02

📊 SOC 2 Compliance Summary

Trust Services CategoryCriteria MappedImplementation StatusOperational EffectivenessAudit Readiness
CC1-CC5: COSO Principles17 criteriaImplementedContinuous monitoring + quarterly reviewsReady for Type II audit
CC6: Logical & Physical Access8 criteriaImplementedMFA enforced + quarterly access reviewsReady for Type II audit
CC7: System Operations5 criteriaImplemented24/7 monitoring + automated scanningReady for Type II audit
CC8: Change Management1 criterionImplementedAll changes via PR + automated testingReady for Type II audit
CC9: Risk Mitigation2 criteriaImplementedQuarterly risk reviews + supplier assessmentsReady for Type II audit
A1: Availability5 criteriaImplementedMulti-AZ deployment + quarterly DR testingReady for Type II audit
PI1: Processing Integrity5 criteriaImplemented80%+ test coverage + continuous validationReady for Type II audit
C1: Confidentiality5 criteriaImplementedAES-256 + TLS 1.3 + access controlsReady for Type II audit
P1-P8: Privacy14 criteriaImplementedGDPR compliant + 30-day response SLAReady for Type II audit
TOTAL62 criteria100% ImplementedType II evidence documentedAudit-ready

Type II Readiness Notes:

  • Observation Period: 6-12 months of control operation required for Type II
  • Evidence Collection: Automated monitoring + quarterly manual reviews provide continuous evidence
  • Exception Handling: All exceptions documented in 🚨 Incident Response Plan
  • Audit Artifacts: Logs retained per 🏷️ Data Classification § Retention (minimum 1 year)
  • Management Representations: CEO provides quarterly attestations to control effectiveness

💳 Payment Card Industry Data Security Standard (PCI DSS) v4.0

Overview

The Payment Card Industry Data Security Standard (PCI DSS) v4.0 establishes comprehensive security requirements for organizations that store, process, or transmit cardholder data. While Hack23 AB uses Stripe for payment processing with minimal cardholder data exposure, this mapping demonstrates:

  • Consulting Readiness: Comprehensive payment security understanding for fintech/payment sector clients
  • Future E-commerce Expansion: Preparedness for CIA, Black Trigram, or Compliance Manager subscriptions
  • Enterprise Security Posture: Demonstrates systematic approach to sensitive data protection
  • Supply Chain Security: Aligns with broader supplier security assessment frameworks

Current Applicability:

  • SAQ Type: SAQ A (Card-not-present, fully outsourced)
  • Merchant Level: Level 4 (<20,000 e-commerce transactions annually)
  • Cardholder Data Environment (CDE): Stripe handles all card data; Hack23 AB does NOT store, process, or transmit cardholder data
  • PCI DSS Scope: Minimal - primarily Requirement 12 (organizational security policies) applies

PCI DSS v4.0 Key Changes (Effective March 2024):

  • Customized implementation framework for flexible security controls
  • Enhanced multi-factor authentication requirements (Req 8.3.1, 8.4.2, 8.5.1)
  • Expanded logging and monitoring (Req 10.2, 10.3, 10.4)
  • Phishing-resistant authentication methods introduced
  • Targeted risk analysis requirements (Req 12.3.1-12.3.4)
mindmap
  root(("💳 PCI DSS v4.0"))
    🔒 Build & Maintain Secure Network
      Req 1: Firewalls
      Req 2: Secure Configuration
    🛡️ Protect Cardholder Data
      Req 3: Stored Data
      Req 4: Data in Transit
    🔍 Vulnerability Management
      Req 5: Malware Protection
      Req 6: Secure Software
    🔐 Access Control
      Req 7: Need-to-Know
      Req 8: Authentication
      Req 9: Physical Access
    📊 Monitoring & Testing
      Req 10: Logging
      Req 11: Security Testing
    📋 Information Security Policy
      Req 12: Policy Framework

Compliance Status:

  • Total Requirements
  • Sub-Requirements Mapped
  • Implemented
  • Not Applicable
  • Partial

Requirement 1: Install and Maintain Network Security Controls

Build and maintain a secure network and systems.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 1.1.1Network security controls (firewalls/routers) documented and implemented🌐 Network Security Policy § Zero-Trust ArchitectureImplementedAWS WAF, Security Groups, NACLs documentedA.8.20PR.PT-04CIS 12.1
Req 1.2.1Network diagram showing cardholder data flows💻 Asset Register § AWS ServicesN/AN/A: Stripe handles all cardholder dataA.13.1.1ID.AM-03CIS 12.8
Req 1.2.7Review firewall/router configurations at least every 6 months🌐 Network Security Policy § Review CycleImplementedAnnual policy review + AWS Config continuous monitoringA.8.20PR.IP-01CIS 12.4
Req 1.3.1Restrict inbound traffic to only necessary services🌐 Network Security Policy § Network SegmentationImplementedSecurity Groups implement least privilege; private subnets for data tierA.8.22PR.PT-04CIS 12.2
Req 1.4.1Restrict outbound traffic from CDE to only necessary services🌐 Network Security PolicyN/AN/A: No CDE at Hack23 AB (Stripe hosted)A.8.22PR.PT-04CIS 12.3
Req 1.5.1Security groups/NACLs properly configured🌐 Network Security Policy § SegmentationImplementedMulti-tier architecture (DMZ/App/Data/Mgmt) with AWS Security GroupsA.8.22PR.AC-05CIS 12.2

Requirement 2: Apply Secure Configurations to All System Components

Do not use vendor-supplied defaults for system passwords and other security parameters.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 2.1.1Change vendor default credentials before system deployment🔑 Access Control PolicyImplementedAll AWS services use unique IAM credentials; no default passwordsA.8.3PR.IP-01CIS 4.1
Req 2.2.1Configuration standards for system components developed and implemented💻 Asset RegisterImplementedAWS Well-Architected Framework + service-specific baselinesA.8.9PR.IP-01CIS 4.2
Req 2.2.2Enable only necessary services, protocols, daemons🌐 Network Security PolicyImplementedServerless architecture (Lambda) - minimal attack surfaceA.8.9PR.PT-03CIS 4.8
Req 2.2.7All security features for systems enabled/configured🌐 Network Security Policy🔒 Cryptography PolicyImplementedGuardDuty, Security Hub, Config, CloudTrail all enabledA.8.9PR.PT-01CIS 4.1
Req 2.3.1Wireless environments: Change default encryption keys at installationN/AN/AN/A: Cloud-native infrastructure; no on-premises wirelessA.8.23PR.AC-05CIS 12.6
Req 2.4.1Maintain inventory of system components💻 Asset RegisterImplementedComprehensive AWS service inventory with owners and classificationA.5.9ID.AM-01CIS 1.1

Requirement 3: Protect Stored Account Data

Protect stored cardholder data.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 3.1.1Processes defined to limit data retention to business/legal requirements🏷️ Data Classification § Retention MatrixImplementedStripe payment data retention: 90 days (Stripe manages)A.8.10PR.DS-03CIS 3.3
Req 3.2.1Do not store sensitive authentication data after authorization🤝 Third Party Management § StripeN/AN/A: Stripe handles all card authentication; Hack23 AB never sees CVV/PINA.8.10PR.DS-01CIS 3.1
Req 3.3.1PAN (Primary Account Number) masked when displayed🤝 Third Party Management § StripeN/AN/A: Stripe provides masked card data in receipts; no PAN at Hack23A.8.11PR.DS-05CIS 3.13
Req 3.5.1Cryptographic keys securely stored🔒 Cryptography Policy § Key ManagementImplementedAWS KMS for encryption keys; Secrets Manager for credentialsA.8.24PR.DS-01CIS 3.11
Req 3.6.1Encryption key management processes/procedures documented🔒 Cryptography Policy § Key ManagementImplementedAWS KMS automatic key rotation; documented key lifecycleA.8.24PR.DS-01CIS 3.11

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission

Encrypt transmission of cardholder data across open, public networks.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 4.1.1Processes to identify cardholder data transmitted/received🤝 Third Party Management § Stripe IntegrationImplementedStripe.js tokenization; payment data never traverses Hack23 networkA.5.14ID.AM-03CIS 3.10
Req 4.2.1Strong cryptography and security protocols for transmitting cardholder data🔒 Cryptography Policy § TLS🌐 Network Security PolicyImplementedTLS 1.3 enforced; TLS 1.2 minimum fallback with strong cipher suitesA.8.24PR.DS-02CIS 3.10
Req 4.2.1.1Industry best practices used for strong cryptography🔒 Cryptography PolicyImplementedAES-256, RSA 2048+, ECDSA P-256; NIST/FIPS alignedA.8.24PR.DS-01CIS 3.11
Req 4.2.2PAN not sent via end-user messaging (email, SMS, chat)✅ Acceptable Use PolicyImplementedSecurity awareness training prohibits PAN transmissionA.5.10PR.AT-01CIS 14.5

Requirement 5: Protect All Systems and Networks from Malicious Software

Protect all systems against malware and regularly update anti-virus software or programs.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 5.2.1Anti-malware software deployed on all systems commonly affected by malware📱 Mobile Device Management § Policy EnforcementImplementedClamAV on workstations; AWS GuardDuty malware detection on cloudA.8.7PR.PT-01CIS 10.2
Req 5.2.2Anti-malware definitions kept current🔍 Vulnerability ManagementImplementedClamAV updates daily; GuardDuty threat intelligence continuously updatedA.8.7PR.PT-01CIS 10.2
Req 5.2.3Anti-malware mechanisms actively running and cannot be disabled📱 Mobile Device Management PolicyImplementedOS-native protection enforced on mobile; ClamAV protected on workstationsA.8.7PR.PT-01CIS 10.5
Req 5.3.1Anti-malware performs periodic scans📱 Mobile Device Management PolicyImplementedDaily full scans; real-time protection activeA.8.7DE.CM-04CIS 10.2
Req 5.4.1Phishing attacks monitored and personnel trained✅ Acceptable Use PolicyImplementedSecurity awareness training includes phishing; AWS WorkMail spam filteringA.6.3PR.AT-01CIS 14.2

Requirement 6: Develop and Maintain Secure Systems and Software

Develop and maintain secure systems and applications.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 6.2.1Bespoke/custom software developed securely per SDLC🛠️ Secure Development PolicyImplementedComprehensive SDLC with security gates at each phaseA.8.25PR.DS-07CIS 16.1
Req 6.2.2Software developers trained in secure coding at least annually🛠️ Secure Development PolicyPartialCEO maintains security certifications; formal training program plannedA.8.28PR.DS-07CIS 16.10
Req 6.3.1Security vulnerabilities identified and addressed🔍 Vulnerability ManagementImplementedSAST (SonarCloud), SCA (Dependabot), DAST (ZAP) in CI/CDA.8.8DE.CM-04CIS 7.1
Req 6.3.2Inventory of bespoke/custom software maintained💻 Asset Register § GitHub account and integrationsImplementedGitHub repositories tracked; SBOM generated per releaseA.5.9ID.AM-02CIS 2.1
Req 6.3.3Code changes reviewed before deployment🛠️ Secure Development PolicyImplementedAll changes via PR; automated + manual reviewA.8.32PR.DS-07CIS 16.7
Req 6.4.1Public-facing web applications protected against attacks🌐 Network Security PolicyImplementedAWS WAF with OWASP Core Rule Set; CloudFront DDoS protectionA.8.26PR.PT-01CIS 18.11
Req 6.4.2Payment page scripts managed to prevent unauthorized modification🔗 Supplier Management § StripeImplementedStripe.js loaded directly from Stripe CDN; Subresource Integrity (SRI) hashesA.8.28PR.DS-07CIS 16.11
Req 6.5.1Change control procedures for all system components📝 Change ManagementImplementedFormal change approval process; automated testing gatesA.8.32PR.IP-01CIS 16.7

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

Restrict access to cardholder data by business need to know.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 7.1.1Access control systems configured to enforce privileges assigned to individuals🔑 Access Control PolicyImplementedAWS IAM Identity Center with RBAC; least privilege principleA.5.15PR.AC-04CIS 6.1
Req 7.1.2Access control systems set to "deny all" by default🔑 Access Control PolicyImplementedAWS IAM explicit deny-by-default; Security Groups implicit denyA.5.15PR.AC-03CIS 6.1
Req 7.2.1Access control policies documented and include roles/access🔑 Access Control Policy § ArchitectureImplementedComprehensive RBAC matrix documented in policyA.5.15GV.RR-02CIS 6.1
Req 7.2.2Privileges assigned to individuals based on job function🔑 Access Control Policy § MonitoringImplementedQuarterly access reviews verify role alignmentA.5.18PR.AC-04CIS 5.4
Req 7.3.1All access to system components and cardholder data logged💻 Asset Register § CloudTrailImplementedAWS CloudTrail logs all API calls; immutable audit logsA.8.15DE.CM-01CIS 8.2

Requirement 8: Identify Users and Authenticate Access to System Components

Identify and authenticate access to system components.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 8.2.1Unique user IDs assigned to each person with computer access🔑 Access Control Policy § Identity ManagementImplementedAWS IAM Identity Center; no shared accountsA.5.16PR.AC-01CIS 5.1
Req 8.2.2Group, shared, or generic accounts prohibited🔑 Access Control PolicyImplementedAll access via individual IAM users/roles; shared accounts prohibitedA.5.16PR.AC-01CIS 5.1
Req 8.3.1Multi-factor authentication (MFA) for all non-console administrative access🔑 Access Control Policy § MFA StrategyImplementedMFA enforced for all AWS administrative access; hardware tokens requiredA.5.17PR.AC-01CIS 6.3
Req 8.3.2MFA for all access into CDE🔑 Access Control Policy § MFA StrategyN/AN/A: No CDE at Hack23 AB (Stripe hosted)A.5.17PR.AC-01CIS 6.3
Req 8.3.9MFA systems protected against replay attacks🔑 Access Control Policy § MFA StrategyImplementedAWS IAM uses time-based OTP (TOTP); WebAuthn for phishing-resistant authA.5.17PR.AC-01CIS 6.3
Req 8.4.2MFA for all remote network access from outside entity's network🔑 Access Control Policy § MFA StrategyImplementedAll remote access via AWS SSM with MFA; no VPN requiredA.5.17PR.AC-07CIS 6.3
Req 8.5.1MFA systems configured to prevent misuse🔑 Access Control Policy § MFA StrategyImplementedHardware MFA tokens; biometric authentication on mobile devicesA.5.17PR.AC-01CIS 6.3
Req 8.6.1Technical controls prevent reuse of passwords for 90 days🔑 Access Control PolicyImplementedAWS IAM password policy enforces password historyA.5.17PR.AC-01CIS 5.2
Req 8.6.2Passwords minimum length of 12 characters (or 8 if complex)🔑 Access Control PolicyImplementedAWS IAM: 14 character minimum; complexity requiredA.5.17PR.AC-01CIS 5.2

Requirement 9: Restrict Physical Access to Cardholder Data

Restrict physical access to cardholder data.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 9.1.1Physical access controls limit access to cardholder data areas🏠 Physical Security PolicyImplementedHome office security documented; AWS datacenter controls inheritedA.7.2PR.AC-02CIS 13.1
Req 9.2.1Media backup procedures include secure storage💾 Backup Recovery PolicyImplementedAWS Backup with cross-region replication; immutable vaultsA.8.13PR.DS-01CIS 11.3
Req 9.4.1Media with cardholder data physically secured🏠 Physical Security PolicyN/AN/A: No physical media with cardholder data (cloud-only)A.7.10PR.DS-03CIS 3.2
Req 9.8.1POI (point-of-interaction) devices protected from tamperingN/AN/AN/A: No physical POI devices; online payments via Stripe onlyA.7.14PR.AC-02CIS 13.1

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Track and monitor all access to network resources and cardholder data.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 10.2.1Audit logs capture all individual user access💻 Asset Register § CloudTrailImplementedCloudTrail logs all AWS API calls with user identityA.8.15DE.CM-01CIS 8.2
Req 10.2.2Audit logs capture all actions taken by privileged users💻 Asset Register § CloudTrailImplementedCloudTrail captures root/admin actions; GuardDuty monitors privilege escalationA.8.15DE.CM-01CIS 8.2
Req 10.3.1-10.3.4Audit log entries include required details (user, type, date/time, source, outcome)💻 Asset Register § CloudTrailImplementedCloudTrail provides comprehensive event details per PCI DSS requirementsA.8.15DE.CM-01CIS 8.3
Req 10.4.1Audit logs reviewed at least daily📊 Security Metrics § Log MonitoringImplementedAutomated CloudWatch alarms + Security Hub findings reviewed dailyA.8.16DE.CM-01CIS 8.6
Req 10.5.1Audit logs retained for at least 12 months🏷️ Data Classification § RetentionImplementedCloudTrail logs retained 5 years (exceeds PCI DSS requirement)A.8.15PR.DS-04CIS 8.3
Req 10.6.1Time synchronization technology used🌐 Network Security Policy § Clock SynchronizationImplementedAWS time synchronization via NTP; EC2 instances use Amazon Time Sync ServiceA.8.17DE.CM-01CIS 8.4
Req 10.7.1Audit log failures handled (alerting, escalation)🚨 Incident Response PlanImplementedCloudWatch alarms trigger incident response for logging failuresA.8.15DE.CM-01CIS 8.2

Requirement 11: Test Security of Systems and Networks Regularly

Regularly test security systems and processes.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 11.3.1External penetration testing performed at least annually🔍 Vulnerability Management § TestingImplementedDAST scanning via OWASP ZAP; external pen test planned annuallyA.8.29DE.CM-04CIS 18.2
Req 11.3.2Internal penetration testing performed at least annually🔍 Vulnerability Management § TestingImplementedAWS Inspector continuous vulnerability scanning; quarterly reviewsA.8.29DE.CM-04CIS 18.2
Req 11.4.1Intrusion detection/prevention techniques used to monitor traffic🌐 Network Security Policy § MonitoringImplementedAWS GuardDuty IDS/IPS; VPC Flow Logs; WAF monitoringA.8.16DE.CM-01CIS 13.2
Req 11.5.1File integrity monitoring (FIM) deployed💻 Asset Register § AWS ConfigImplementedAWS Config tracks configuration changes; immutable infrastructure via IaCA.8.32DE.CM-03CIS 3.14
Req 11.6.1Unauthorized wireless access points detected and remediatedN/AN/AN/A: Cloud-native infrastructure; no on-premises wireless networksA.8.21DE.CM-01CIS 12.6

Requirement 12: Support Information Security with Organizational Policies and Programs

Maintain a policy that addresses information security for all personnel.

PCI DSS RefRequirement SummaryHack23 Policy/EvidenceStatusApplicabilityISO 27001NIST CSF 2.0CIS v8.1
Req 12.1.1Information security policy established, published, maintained, disseminated🔐 Information Security PolicyImplementedComprehensive ISMS publicly available on GitHub; annual review cycleA.5.1GV.PO-01CIS 14.1
Req 12.2.1Acceptable use policies for end-user technologies documented✅ Acceptable Use PolicyImplementedComprehensive acceptable use policy covers all technology usageA.5.10PR.AT-01CIS 14.1
Req 12.3.1Targeted risk analysis performed at least annually📉 Risk Register🎯 Risk Assessment MethodologyImplementedQuarterly risk reviews; all risks in Risk RegisterA.8.2ID.RA-01CIS 18.1
Req 12.4.1Executive management establishes responsibility for protection of cardholder data🔐 Information Security Policy § Management CommitmentImplementedCEO designated as Information Security Officer with direct responsibilityA.5.2, A.5.4GV.RR-02, GV.OV-01CIS 14.3, 17.1
Req 12.5.1Inventory of system components maintained💻 Asset RegisterImplementedComprehensive asset register with 27+ AWS services documentedA.5.9ID.AM-01CIS 1.1
Req 12.6.1Security awareness program established and personnel trained✅ Acceptable Use Policy § TrainingImplementedSecurity awareness training documented; CEO maintains certificationsA.6.3PR.AT-01CIS 14.1
Req 12.8.1Service providers list maintained with security responsibilities documented🤝 Third Party Management🔗 SUPPLIERImplementedComprehensive supplier register with security posture trackingA.5.19GV.SC-01CIS 15.2
Req 12.9.1Third-party service providers acknowledge responsibility for cardholder data security🤝 Third Party ManagementImplementedStripe PCI DSS Level 1 certified; AWS PCI DSS Level 1 compliantA.5.20GV.SC-02CIS 15.4
Req 12.10.1Incident response plan created, tested, maintained🚨 Incident Response PlanImplementedComprehensive IRP with classification, escalation, communication proceduresA.5.24RS.RP-01CIS 17.4

PCI DSS v4.0 Compliance Summary

PCI DSS Requirement CategorySub-Requirements MappedImplementation StatusApplicability NotesReadiness Level
Req 1: Network Security Controls5 requirements4/5 Implemented 1/5 N/AAWS WAF, Security Groups, VPC architecture; CDE requirements N/A✅ Compliant
Req 2: Secure Configurations6 requirements5/6 Implemented 1/6 N/AAWS Well-Architected; wireless N/A (cloud-native)✅ Compliant
Req 3: Protect Stored Data5 requirements2/5 Implemented 3/5 N/AStripe handles all cardholder data storage✅ SAQ A Compliant
Req 4: Protect Data in Transit4 requirements4/4 ImplementedTLS 1.3 enforced; strong cryptography✅ Compliant
Req 5: Protect Against Malware5 requirements5/5 ImplementedClamAV + GuardDuty malware protection✅ Compliant
Req 6: Secure Systems & Software8 requirements7/8 Implemented 1/8 PartialDevSecOps pipeline; formal developer training planned🟡 Mostly Compliant
Req 7: Restrict Access5 requirements5/5 ImplementedAWS IAM RBAC; least privilege enforced✅ Compliant
Req 8: Identify & Authenticate9 requirements8/9 Implemented 1/9 N/AMFA enforced; hardware tokens; CDE access N/A✅ Compliant
Req 9: Physical Access4 requirements2/4 Implemented 2/4 N/ACloud-native; AWS datacenter controls inherited✅ SAQ A Compliant
Req 10: Logging & Monitoring7 requirements7/7 ImplementedCloudTrail immutable logs; 5-year retention✅ Compliant
Req 11: Security Testing5 requirements4/5 Implemented 1/5 N/ADAST/SAST/SCA in CI/CD; wireless N/A✅ Compliant
Req 12: Security Policies10 requirements10/10 ImplementedComprehensive ISMS with 35+ policies✅ Compliant
TOTAL73 sub-requirements63 Implemented, 9 N/A, 1 PartialSAQ A applicable✅ PCI DSS Ready

Self-Assessment Questionnaire (SAQ) Applicability:

  • Recommended SAQ: SAQ A (Card-not-present, fully outsourced)
  • SAQ A Criteria Met:
    • ✅ All payment processing outsourced to Stripe (PCI DSS Level 1 Service Provider)
    • ✅ No electronic storage, processing, or transmission of cardholder data
    • ✅ Payment page uses Stripe.js tokenization (no card data touches Hack23 AB servers)
    • ✅ All Hack23 AB systems isolated from Stripe payment systems
    • ✅ E-commerce only (no point-of-sale devices)

SAQ A Requirements: 22 requirements (subset of full PCI DSS)

  • Applicable to Hack23: Primarily Req 12 (organizational policies) + Req 2.2 (configuration standards) + Req 8 (authentication)
  • Implementation Status: 22/22 Compliant

Key Strengths:

  • Strong Cryptography: TLS 1.3, AES-256, AWS KMS integration
  • Comprehensive Logging: 5-year CloudTrail retention (exceeds 12-month requirement)
  • MFA Enforcement: Hardware tokens + biometric authentication
  • DevSecOps Pipeline: SAST/SCA/DAST integrated in CI/CD
  • Supplier Security: Stripe (Level 1) + AWS (Level 1) certified
  • Transparent ISMS: Public documentation demonstrates security maturity

Enhancement Opportunities:

  • 🟡 Req 6.2.2: Formal annual secure coding training program for developers
  • 📅 Req 11.3.1: Annual external penetration testing engagement
  • 📊 Quarterly: Attestation of Compliance (AOC) if processing volume increases

Consulting Value:

This comprehensive PCI DSS mapping demonstrates Hack23 AB's capability to:

  • Support clients with payment card processing requirements
  • Perform PCI DSS gap assessments and remediation roadmaps
  • Implement secure payment integration patterns (Stripe.js, tokenization)
  • Navigate SAQ selection and validation processes
  • Design cloud-native PCI DSS compliant architectures

📊 OpenSSF Scorecard Compliance Mapping

Overview

The OpenSSF (Open Source Security Foundation) Scorecard provides automated security health metrics for open source projects through continuous assessment of security best practices. Hack23 AB leverages OpenSSF Scorecard as both:

  • 🔒 Security Control Evidence: Real-time validation of supply chain security controls per ISO 27001 A.8.31, NIST CSF GV.SC, and CIS Control 16
  • 🏆 Competitive Differentiation: Public demonstration of enterprise-grade security practices attracting client trust
  • 📊 Continuous Improvement: Automated feedback driving security maturity advancement

Phase 1 Achievement (Q4 2025): Established solid scorecard foundation across all repositories (see live badges below), creating foundation for Phase 2 advancement.

Phase 2 Target (Q2 2026): >9.0 average with all repositories >8.8 minimum, demonstrating industry-leading open source security practices.


🎯 Phase 1 Achievement (Q4 2025)

RepositoryStatusScorecard Link
🏛️ Citizen Intelligence Agency🟡 GoodOpenSSF Scorecard
🎮 Black Trigram🟡 GoodOpenSSF Scorecard
📊 CIA Compliance Manager🟡 FairOpenSSF Scorecard
🇪🇺 European Parliament MCP Server🟡 FairOpenSSF Scorecard
🇪🇺 EU Parliament Monitor🟡 FairOpenSSF Scorecard
🗳️ Riksdagsmonitor🟡 FairOpenSSF Scorecard
🎮 Game Template🟡 FairOpenSSF Scorecard
☁️ Lambda in Private VPC🟡 FairOpenSSF Scorecard
🌐 Hack23 Homepage🟡 FairOpenSSF Scorecard
🔍 Sonar CloudFormation Plugin ⚠️ArchivedOpenSSF Scorecard
All RepositoriesSee live badges🟡 Phase 1 Complete

Phase 2 Target: >9.0 average (all repos >8.8 minimum) by Q2 2026

Strategic Value: Phase 1 achievement establishes credible baseline demonstrating systematic security practices. Gap to >9.0 target provides clear improvement roadmap for Phase 2, demonstrating continuous security maturity advancement to clients and stakeholders.


🔐 OpenSSF Check to ISO 27001 Mapping

All 16 OpenSSF Scorecard checks mapped to relevant ISO 27001:2022 Annex A controls, providing clear compliance traceability and demonstrating how automated security scanning validates manual control implementation.

OpenSSF CheckDescriptionISO 27001 ControlImportanceCurrent ScoreTarget
Binary-ArtifactsNo binary artifacts in repositoryA.8.31 (Development environment security)High🟡 Partial10/10
Branch-ProtectionProtected default branchA.8.32 (Change management)Critical🟡 Partial10/10
CI-TestsContinuous integration testingA.8.29 (Security testing)High✅ 10/1010/10
CII-Best-PracticesOpenSSF Best Practices badgeA.8.25 (Secure development lifecycle)High✅ 10/1010/10
Code-ReviewCode review before mergeA.8.33 (Test information)Critical✅ 10/1010/10
ContributorsMultiple contributorsA.5.30 (ICT readiness for business continuity)Medium✅ 10/1010/10
Dangerous-WorkflowNo dangerous GitHub Actions patternsA.8.28 (Secure coding)Critical✅ 10/1010/10
Dependency-Update-ToolAutomated dependency updatesA.8.31 (Requirements for development)High✅ 10/1010/10
FuzzingFuzz testing integrationA.8.29 (Security testing)Medium🔴 0/105/10
LicenseOpen source license presentA.5.32 (Intellectual property rights)Medium✅ 10/1010/10
MaintainedActive project maintenanceA.8.32 (Change management)High✅ 10/1010/10
Pinned-DependenciesDependencies pinned to specific versionsA.8.31 (Development security)High🟡 Partial10/10
PackagingSigned releases with provenanceA.8.31 (Development security)High🟡 SLSA L310/10
SASTStatic application security testingA.8.29 (Security testing)Critical✅ 10/1010/10
Security-PolicySECURITY.md with disclosure processA.5.24 (Incident planning)High✅ 10/1010/10
Signed-ReleasesCryptographically signed releasesA.8.24 (Cryptographic controls)High🟡 SLSA L310/10
Token-PermissionsLeast privilege GitHub ActionsA.5.15 (Access control)Critical✅ 10/1010/10
VulnerabilitiesKnown vulnerabilities patchedA.8.8 (Vulnerability management)Critical✅ 10/1010/10

Legend:

  • 10/10: Fully compliant
  • 🟡 Partial: Implementation in progress
  • 🔴 Gaps: Not implemented or failing

Evidence Source: Live OpenSSF Scorecards updated weekly via automated GitHub Actions workflow.


🎯 Gap Analysis: Current → 9.0 Improvement Path

Systematic analysis of priority improvements required to achieve Phase 2 target of >9.0 average scorecard, demonstrating clear roadmap and resource allocation strategy.

Priority 1 (Critical Compliance Impact):

  1. Binary-Artifacts (affects A.8.31) - Remove compiled binaries from git history using BFG Repo-Cleaner
  2. Branch-Protection (affects A.8.32) - Enable required signed commits + admin enforcement across all repositories
  3. Pinned-Dependencies (affects A.8.31) - Pin GitHub Actions to commit SHAs instead of tags for supply chain security

Priority 2 (High Compliance Value): 4. Signed-Releases (affects A.8.24) - Improve SLSA provenance attestation quality with enhanced verification steps 5. Fuzzing (affects A.8.29) - Add OSS-Fuzz or AFL++ integration for CIA repository (optional for frontend-only projects)

Expected Scorecard Impact:

  • Priority 1 completion: +0.9 points → 8.83 average
  • Priority 2 completion: +0.3 points → 9.13 average
  • Result: Exceeds Phase 2 >9.0 target

Methodology: These projected improvements are based on recalculating the current portfolio-wide OpenSSF Scorecard average assuming that all Priority 1 and Priority 2 checks reach 10/10 in every repository where they are currently below maximum, using the then-current Scorecard weighting for each check and repository, and rounding results to two decimals. The figures are directional planning estimates for the Hack23 repository set, not guarantees for individual repositories.

Implementation Timeline:

  • Q1 2026: Priority 1 items (binary artifacts, branch protection, pinned dependencies)
  • Q2 2026: Priority 2 items (SLSA provenance enhancement, fuzzing integration)

Resource Investment: Estimated 80 hours CEO time (120K SEK opportunity cost, calculated using an internal CEO consulting rate of 1,500 SEK/hour including salary, overhead, and on‑costs) delivering permanent security maturity advancement and competitive differentiation.


🔄 OpenSSF Check to NIST CSF 2.0 Mapping

OpenSSF Scorecard checks mapped to NIST Cybersecurity Framework 2.0 subcategories, demonstrating alignment with risk management framework and providing additional compliance evidence for enterprise clients.

OpenSSF CheckNIST CSF SubcategoryFunctionDescription
Binary-ArtifactsID.AM-02 (Software assets inventoried)IdentifyBinary artifact tracking validates software supply chain inventory
Branch-ProtectionPR.DS-06 (Integrity checking)ProtectProtected branches enforce integrity verification before merge
CI-TestsDE.CM-04 (Malicious code detection)DetectAutomated testing detects defects and security issues
CII-Best-PracticesGV.PO-01 (Organizational security policy)GovernBest practices badge demonstrates policy implementation
Code-ReviewPR.IP-06 (Data integrity)ProtectPeer review validates code integrity before production
Dangerous-WorkflowPR.DS-05 (Protections against data leaks)ProtectSecure workflow patterns prevent credential exposure
Dependency-Update-ToolID.RA-09 (Vulnerabilities identified)IdentifyAutomated dependency scanning identifies known vulnerabilities
FuzzingDE.CM-04 (Malicious code detection)DetectFuzz testing detects edge case security issues
SASTDE.CM-04 (Malicious code detection)DetectStatic analysis identifies security vulnerabilities in code
Security-PolicyRS.CO-02 (Incident reporting)RespondSECURITY.md establishes incident disclosure process
Signed-ReleasesPR.DS-02 (Data-in-transit protection)ProtectCryptographic signatures ensure release artifact integrity
Token-PermissionsPR.AC-04 (Access permissions managed)ProtectLeast privilege tokens reduce blast radius of compromise
VulnerabilitiesRS.MI-03 (Vulnerabilities mitigated)RespondVulnerability patching demonstrates remediation effectiveness
ContributorsGV.RR-01 (Roles and responsibilities established)GovernContributor governance ensures defined roles and accountable participation in the project
MaintainedPR.MA-01 (Systems maintenance)ProtectOngoing project maintenance supports secure operation and timely updates
PackagingID.SC-05 (Supplier and partner risk management)IdentifySecure software packaging strengthens software supply chain risk management

Framework Integration: OpenSSF Scorecard automation provides continuous evidence for 16 NIST CSF 2.0 subcategories, spanning the core framework functions (Govern, Identify, Protect, Detect, Respond, Recover).


🛡️ OpenSSF Check to CIS Controls v8.1 Mapping

OpenSSF Scorecard checks aligned with CIS Controls v8.1 Implementation Groups, demonstrating progressive security maturity and providing clear implementation guidance for enterprise security programs.

OpenSSF CheckCIS ControlImplementation GroupDescription
Binary-Artifacts16.7 (Secure software development)IG2Binary artifact management validates secure SDLC
Branch-Protection16.8 (Apply secure design principles)IG2Protected branches enforce secure change control
CI-Tests16.11 (Perform application security testing)IG2Automated testing validates security requirements
Code-Review16.9 (Separate production and non-production)IG2Peer review enforces separation of duties
Dependency-Update-Tool7.2 (Address vulnerabilities)IG1Automated patching reduces vulnerability exposure
Fuzzing16.11 (Application security testing)IG2Fuzz testing validates input handling security
SAST16.11 (Application security testing)IG2Static analysis identifies code-level vulnerabilities
Security-Policy17.2 (Incident response procedures)IG1SECURITY.md establishes coordinated disclosure
Signed-Releases16.7 (Secure software development)IG2Release signing validates software provenance
Vulnerabilities7.3 (Perform remediation actions)IG1Vulnerability remediation demonstrates patching effectiveness
CII-Best-PracticesN/A (No single direct CIS v8.1 Safeguard)N/AOpenSSF CII Best Practices span multiple governance and SDLC controls rather than a one-to-one CIS mapping.
ContributorsN/A (No single direct CIS v8.1 Safeguard)N/AContributor diversity relates to project resilience and continuity, which CIS treats as organizational context rather than a specific safeguard.
Dangerous-WorkflowN/A (Implementation detail across several safeguards)N/AHardening CI/CD workflows supports multiple CIS Controls (e.g., 4 & 16) but has no dedicated, uniquely mapped safeguard.
LicenseN/A (Governance / legal compliance outside CIS scope)N/AOpen source license compliance is primarily a legal and governance concern and is not directly enumerated as a CIS v8.1 safeguard.
MaintainedN/A (No single direct CIS v8.1 Safeguard)N/AActive maintenance supports secure operations and vulnerability management but does not correspond to a specific CIS safeguard.
Token-PermissionsN/A (Implementation detail for least privilege)N/ACI/CD token hardening enforces least privilege across several safeguards without a unique CIS v8.1 control identifier.

Implementation Group Coverage:

  • IG1 (Basic Cyber Hygiene): 3 checks fully implemented (Dependency-Update-Tool, Security-Policy, Vulnerabilities)
  • IG2 (Foundational): Multiple checks implemented with 3 requiring enhancement (Binary-Artifacts, Branch-Protection, Fuzzing)

🔗 Supply Chain Security Integration

OpenSSF Scorecard directly supports supply chain security controls documented in 🔗 Third Party Management and 🔓 Open Source Policy:

Current Implementation:

  • Dependency-Update-Tool (10/10): GitHub Dependabot active on all repos with automated PR creation
  • SAST (10/10): SonarCloud scanning on every commit with quality gate enforcement
  • Vulnerabilities (10/10): Zero critical vulnerabilities outstanding across all repositories
  • 🟡 Pinned-Dependencies (Partial): GitHub Actions need commit SHA pinning for reproducible builds
  • 🟡 Signed-Releases (SLSA L3): SLSA Level 3 provenance, targeting enhanced attestation quality

Phase 2 Improvements (Q1-Q2 2026):

  • Pin all GitHub Actions to commit SHAs (not tags) for supply chain attack prevention
  • Enhance SLSA provenance with additional verification steps and transparency logs
  • Consider OSS-Fuzz integration for CIA project (frontend-only projects excluded)
  • Implement binary artifact scanning and removal from git history

Evidence:


📊 Consulting Value Demonstration

Hack23 AB's comprehensive OpenSSF Scorecard implementation demonstrates capability to:

  • 🔍 Security Maturity Assessment: Evaluate open source project security posture using industry-standard automated checks
  • 📈 Continuous Improvement: Implement systematic security advancement roadmaps from baseline to excellence (current → 9.0+)
  • 🏆 Best Practice Implementation: Achieve industry-leading scorecard ratings through DevSecOps automation
  • 📋 Compliance Mapping: Align OpenSSF checks with ISO 27001, NIST CSF 2.0, and CIS Controls for multi-framework evidence
  • 🔗 Supply Chain Security: Protect software supply chains through automated dependency scanning and SLSA provenance
  • 🌐 Public Transparency: Leverage public scorecard badges for stakeholder trust and competitive differentiation

Client Application: This methodology directly transfers to client engagements requiring open source security assessment, DevSecOps pipeline enhancement, and automated security validation.


🇪🇺 NIS2 Directive (EU 2022/2555)

Overview

The Network and Information Security Directive 2 (NIS2) establishes cybersecurity requirements for essential and important entities across EU member states. While Hack23 AB may not be directly classified as a NIS2 entity, demonstrating NIS2 alignment provides significant value for:

  • Client Services: Many consulting clients ARE NIS2 entities requiring compliance support
  • Supply Chain Position: Potential classification as a "service provider" to NIS2 entities
  • Market Differentiation: Proactive compliance demonstrates security maturity
  • Swedish Market: MCF (Myndigheten för civilt försvar) administers Sweden's NIS2 transposition

Key NIS2 Timelines:

  • Directive Effective: October 17, 2024
  • Member State Transposition Deadline: October 17, 2024
  • Full Enforcement: October 17, 2025
  • Swedish Implementation: MCF regulations in effect since 2025

Article 20: Governance Requirements

NIS2 Article 20 establishes management body responsibilities for cybersecurity risk management.

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusNotes
Art. 20(1)Management body approves cybersecurity risk-management measures🔐 Information Security Policy § Management CommitmentImplementedCEO (management body) reviews and approves all security policies quarterly
Art. 20(2)(a)Oversight of cybersecurity risk management🔐 Information Security Policy § Management Commitment📊 Security Metrics📉 Risk RegisterImplementedQuarterly risk reviews with CEO attestations
Art. 20(2)(b)Training for management members✅ Acceptable Use Policy § TrainingImplementedCEO maintains current security certifications and training
Art. 20(2)(c)Members participate in security training✅ Acceptable Use Policy § TrainingImplementedAll personnel complete security awareness training
Art. 20(2)(d)Management evaluates effectiveness🔐 Information Security Policy § Management Commitment📊 Security MetricsImplementedQuarterly security metrics review and effectiveness assessment

ISO 27001 Mapping: A.5.1, A.5.2, A.5.4
NIST CSF 2.0 Mapping: GV.OV-01, GV.PO-01, GV.RR-02
CIS Controls Mapping: CIS 14.1, CIS 17.1


Article 21: Cybersecurity Risk Management Measures

NIS2 Article 21(2) establishes 10 core cybersecurity risk management measures that entities must implement.

Art. 21(2)(a): Risk Analysis and Information System Security Policies

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(a) - Risk AnalysisPolicies on risk analysis📉 Risk Register🎯 Risk Assessment MethodologyImplementedISO 27001: A.5.7, A.8.2
NIST CSF: ID.RA-01 to ID.RA-06
CIS: 7.1
Art. 21(2)(a) - Threat ModelingThreat intelligence integration🎯 Threat ModelingImplementedSTRIDE methodology, MITRE ATT&CK mapping
Art. 21(2)(a) - Security PoliciesInformation system security policies🔐 Information Security Policy🌐 Network Security PolicyImplementedISO 27001: A.5.1, A.8.1
NIST CSF: GV.PO-01
CIS: 14.1

Art. 21(2)(b): Incident Handling

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(b) - Incident ResponsePolicies on incident handling🚨 Incident Response PlanImplementedISO 27001: A.5.24, A.5.25, A.5.26
NIST CSF: RS.AN-01 to RS.CO-05
CIS: 17.1-17.9
Art. 21(2)(b) - DetectionSecurity event detection and logging📊 Security Metrics § MonitoringImplementedCloudWatch, GuardDuty, Security Hub integration
Art. 21(2)(b) - CSIRT ContactContact with CSIRT-SE🤝 External Stakeholder RegistryImplementedCSIRT-SE, PTS, MCF contacts established

Art. 21(2)(c): Business Continuity, Crisis Management, and Disaster Recovery

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(c) - Business ContinuityBusiness continuity planning🔄 Business Continuity PlanImplementedISO 27001: A.5.29, A.5.30
NIST CSF: RC.RP-01
CIS: N/A
Art. 21(2)(c) - Disaster RecoveryDisaster recovery procedures🆘 Disaster Recovery PlanImplementedISO 27001: A.8.13, A.8.14
NIST CSF: RC.CO-03
CIS: 11.1-11.5
Art. 21(2)(c) - Crisis ManagementCrisis communication and management🚨 Incident Response Plan § CommunicationImplementedEscalation procedures, stakeholder communication
Art. 21(2)(c) - RTO/RPORecovery objectives defined🏷️ Classification FrameworkImplementedRTO/RPO mapped to asset criticality levels

Art. 21(2)(d): Supply Chain Security

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(d) - Supplier SecuritySupply chain security measures🤝 Third Party ManagementImplementedISO 27001: A.5.19, A.5.20, A.5.21
NIST CSF: GV.SC-01 to GV.SC-10
CIS: 15.1-15.7
Art. 21(2)(d) - Supplier RiskThird-party risk assessment🔗 SUPPLIERImplementedSupplier classification and security posture tracking
Art. 21(2)(d) - ContractsSecurity requirements in contracts🤝 Third Party Management § ContractsImplementedSecurity clauses, SLA requirements, audit rights

Art. 21(2)(e): Security in Acquisition, Development, and Maintenance

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(e) - Secure DevelopmentSecurity in system development🛠️ Secure Development PolicyImplementedISO 27001: A.5.8, A.8.25-A.8.29
NIST CSF: PR.IP-01, PR.PS-01
CIS: 16.1-16.14
Art. 21(2)(e) - SDLCSecure SDLC implementation🛠️ Secure Development Policy § SDLCImplementedDevSecOps, security testing, code review
Art. 21(2)(e) - AcquisitionSecurity in procurement🤝 Third Party ManagementImplementedVendor security assessments
Art. 21(2)(e) - Vulnerability TestingSecurity testing requirements🔍 Vulnerability ManagementImplementedSAST, SCA, DAST, penetration testing

Art. 21(2)(f): Assessment and Testing of Risk Management Effectiveness

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(f) - EffectivenessEvaluate risk management effectiveness📊 Security MetricsImplementedISO 27001: A.5.1, A.8.8
NIST CSF: GV.OV-03
CIS: 18.1-18.5
Art. 21(2)(f) - TestingRegular security testing and audits🔍 Vulnerability Management § TestingImplementedContinuous scanning, quarterly penetration testing
Art. 21(2)(f) - MetricsSecurity performance measurement📊 Security Metrics § KPIsImplemented15+ security KPIs tracked and reported

Art. 21(2)(g): Cryptography and Encryption

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(g) - CryptographyCryptographic policies and procedures🔒 Cryptography PolicyImplementedISO 27001: A.8.24
NIST CSF: PR.DS-01, PR.DS-02, PR.DS-05
CIS: 3.6, 3.11
Art. 21(2)(g) - Data at RestEncryption for data at rest🔒 Cryptography Policy § StorageImplementedAES-256 encryption required
Art. 21(2)(g) - Data in TransitEncryption for data in transit🌐 Network Security Policy § TLSImplementedTLS 1.3 preferred, TLS 1.2 minimum
Art. 21(2)(g) - Key ManagementCryptographic key management🔒 Cryptography Policy § Key MgmtImplementedAWS KMS integration, key rotation

Art. 21(2)(h): Human Resources Security, Access Control, and Asset Management

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(h) - HR SecurityPersonnel security policies✅ Acceptable Use PolicyImplementedISO 27001: A.6.1-A.6.8
NIST CSF: PR.AC-01
CIS: 14.1-14.9
Art. 21(2)(h) - Access ControlAccess control policies🔑 Access Control PolicyImplementedISO 27001: A.5.15-A.5.18, A.8.2-A.8.5
NIST CSF: PR.AC-01 to PR.AC-07
CIS: 5.1-5.6, 6.1-6.8
Art. 21(2)(h) - Asset ManagementAsset inventory and management💻 Asset RegisterImplementedISO 27001: A.5.9, A.5.10
NIST CSF: ID.AM-01 to ID.AM-06
CIS: 1.1-1.5, 2.1-2.8
Art. 21(2)(h) - Privileged AccessPrivileged access management🔑 Access Control Policy § PAMImplementedMFA enforced, quarterly access reviews

Art. 21(2)(i): Multi-Factor Authentication and Secure Communications

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(i) - MFAMulti-factor authentication policies🔑 Access Control Policy § MFAImplementedISO 27001: A.5.17, A.5.18
NIST CSF: PR.AC-01
CIS: 6.3, 6.5
Art. 21(2)(i) - Secure CommsSecure voice, video, text communications🌐 Network Security Policy § CommunicationsImplementedISO 27001: A.5.14
NIST CSF: PR.DS-02
CIS: 3.10
Art. 21(2)(i) - Email SecuritySecure electronic communication systems🌐 Network Security Policy § EmailImplementedSPF, DKIM, DMARC, MTA-STS enforced

Art. 21(2)(j): Emergency Procedures

NIS2 RequirementRequirement SummaryHack23 Policy/EvidenceStatusCross-Reference
Art. 21(2)(j) - Emergency ProceduresSecured emergency communication systems🚨 Incident Response Plan § EmergencyImplementedISO 27001: A.5.24, A.5.29
NIST CSF: RS.CO-02, RS.CO-04
CIS: 17.7
Art. 21(2)(j) - Out-of-BandAlternative communication channels🤝 External Stakeholder RegistryImplementedMobile, email, emergency contact lists
Art. 21(2)(j) - Crisis CommsCrisis communication procedures🚨 Incident Response Plan § CommunicationImplementedEscalation matrix, stakeholder notification

Article 23: Incident Reporting Obligations

NIS2 Article 23 establishes mandatory incident notification timelines for significant cybersecurity incidents.

Reporting Timelines

NIS2 RequirementTimelineRequirement SummaryHack23 Policy/EvidenceStatus
Art. 23(4) - Early Warning≤ 24 hoursInitial notification of significant incident🚨 Incident Response Plan § NotificationImplemented
Art. 23(5) - Incident Notification≤ 72 hoursDetailed incident report with initial assessment🚨 Incident Response Plan § ReportingImplemented
Art. 23(6) - Final Report≤ 1 monthFinal report with root cause and remediation🚨 Incident Response Plan § Post-IncidentImplemented
Art. 23(7) - Progress UpdatesAs requestedIntermediate updates on request from authorities🚨 Incident Response PlanImplemented

Swedish Implementation (MCF):

  • National Authority: MCF (Myndigheten för civilt försvar)
  • CSIRT Contact: CERT-SE / CSIRT-SE
  • Telecom Incidents: PTS (Post & Telecom Authority)
  • Reporting Platform: MCF incident reporting platform operational
  • Reference: 🤝 External Stakeholder Registry maintains up-to-date authority contacts

Incident Significance Criteria

Incidents requiring reporting under NIS2 Art. 23(3) include those that:

CriterionDescriptionHack23 Assessment Process
Service DisruptionCaused or capable of causing severe operational disruption or financial losses🚨 Incident Response Plan § Classification - Severity matrix includes service impact assessment
Users AffectedAffected or capable of affecting other natural or legal personsImpact assessment includes customer/stakeholder analysis
Material DamageCaused or capable of causing considerable material or immaterial damageBusiness impact analysis per 🏷️ Classification Framework

ISO 27001 Mapping: A.5.24, A.5.25, A.5.26, A.5.28
NIST CSF 2.0 Mapping: RS.AN-01 to RS.AN-05, RS.CO-01 to RS.CO-05
CIS Controls Mapping: CIS 17.1-17.9


NIS2 Compliance Summary

NIS2 ArticleRequirements MappedImplementation StatusSwedish Transposition StatusReadiness Level
Article 20: Governance5 requirementsImplementedMCF guidance in effect✅ Compliant
Article 21(2)(a): Risk Analysis3 requirementsImplementedAligned with Swedish national risk assessment✅ Compliant
Article 21(2)(b): Incident Handling3 requirementsImplementedCSIRT-SE integration ready✅ Compliant
Article 21(2)(c): Business Continuity4 requirementsImplementedMCF crisis management alignment✅ Compliant
Article 21(2)(d): Supply Chain3 requirementsImplementedThird-party risk management active✅ Compliant
Article 21(2)(e): Secure Development4 requirementsImplementedDevSecOps implementation✅ Compliant
Article 21(2)(f): Effectiveness Testing3 requirementsImplementedContinuous security validation✅ Compliant
Article 21(2)(g): Cryptography4 requirementsImplementedModern cryptography standards✅ Compliant
Article 21(2)(h): Access Control4 requirementsImplementedMFA enforced, access governance✅ Compliant
Article 21(2)(i): MFA & Comms3 requirementsImplementedSecure communications infrastructure✅ Compliant
Article 21(2)(j): Emergency3 requirementsImplementedCrisis communication ready✅ Compliant
Article 23: Incident Reporting4 reporting timelinesImplemented24h/72h/1-month procedures defined✅ Compliant
TOTAL43 requirements100% ImplementedReady for MCF transposition✅ NIS2 Ready

Key Strengths:

  • Comprehensive Coverage: All Article 21 measures fully documented and implemented
  • Authority Integration: CSIRT-SE, MCF, PTS contacts established in 🤝 External Stakeholder Registry
  • Incident Response: 24h/72h/1-month reporting procedures operational
  • Framework Alignment: Full mapping to ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1
  • Swedish Context: Proactive monitoring of MCF transposition and national requirements
  • Client Value: Demonstrates NIS2 compliance capabilities for consulting services

Swedish Regulatory Context:

  • MCF (Myndigheten för civilt försvar): Primary national authority for NIS2 implementation
  • CERT-SE / CSIRT-SE: National Computer Security Incident Response Team for coordination
  • PTS (Post- och telestyrelsen): Sector-specific authority for telecom/digital infrastructure
  • Expected MCF Actions: National transposition regulations, reporting platform, guidance documents (in effect since 2025)
  • Hack23 Monitoring: Active monitoring of MCF consultations, draft regulations, and implementation guidance

🏥 Health Insurance Portability and Accountability Act (HIPAA)

Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes U.S. national standards for protecting sensitive patient health information. While Hack23 AB is a Swedish company primarily governed by GDPR and Swedish law, this section demonstrates our capability to support healthcare sector clients and consulting engagements requiring HIPAA compliance understanding.

Current Applicability: Hack23 AB does not currently process Protected Health Information (PHI) requiring HIPAA compliance. This mapping demonstrates consulting readiness and framework alignment for potential healthcare sector client engagements.

Framework Coverage:

  • Administrative Safeguards (45 CFR §164.308) - Policies, procedures, and processes to manage PHI security
  • Physical Safeguards (45 CFR §164.310) - Physical measures to protect electronic information systems
  • Technical Safeguards (45 CFR §164.312) - Technology-based controls to protect PHI
  • Organizational Requirements (45 CFR §164.314) - Business Associate Agreements and related contracts
  • Policies and Procedures (45 CFR §164.316) - Documentation and compliance requirements

Administrative Safeguards (45 CFR §164.308)

HIPAA RequirementRequirement SummaryHack23 Policy/EvidenceStatusISO 27001 MappingNIST CSF 2.0 MappingCIS Controls v8.1
§164.308(a)(1)(i)Security Management Process🔐 Information Security PolicyImplementedA.5.1, A.5.2GV.PO-01CIS 14.1
§164.308(a)(1)(ii)(A)Risk Analysis📊 Risk Assessment Methodology📉 Risk RegisterImplementedA.8.2ID.RA-01CIS 18.1
§164.308(a)(1)(ii)(B)Risk Management📉 Risk Register🔍 Vulnerability ManagementImplementedA.8.2ID.RA-02CIS 7.1
§164.308(a)(1)(ii)(C)Sanction Policy✅ Acceptable Use PolicyImplementedA.6.4GV.RR-03CIS 14.3
§164.308(a)(1)(ii)(D)Information System Activity Review📊 Security Metrics💻 Asset RegisterImplementedA.8.16DE.CM-01CIS 8.2
§164.308(a)(2)Assigned Security Responsibility🔐 Information Security Policy § Management CommitmentImplementedA.5.2, A.5.4GV.RR-02 GV.OV-01CIS 14.3 CIS 17.1
§164.308(a)(3)(i)Workforce Security🔑 Access Control PolicyImplementedA.6.1, A.6.2PR.AC-01CIS 5.1
§164.308(a)(3)(ii)(A)Authorization and/or Supervision🔑 Access Control Policy § Monitoring & ComplianceImplementedA.5.18PR.AC-04CIS 5.4
§164.308(a)(3)(ii)(B)Workforce Clearance Procedure🔑 Access Control PolicyImplementedA.5.16PR.AC-01CIS 6.1
§164.308(a)(3)(ii)(C)Termination Procedures💻 Asset Register § Asset ReturnImplementedA.5.11PR.AC-04CIS 5.6
§164.308(a)(4)(i)Information Access Management🔑 Access Control PolicyImplementedA.5.15PR.AC-01CIS 6.1
§164.308(a)(4)(ii)(B)Access Authorization🔑 Access Control Policy § Monitoring & ComplianceImplementedA.5.18PR.AC-04CIS 6.1
§164.308(a)(4)(ii)(C)Access Establishment and Modification🔑 Access Control PolicyImplementedA.5.16PR.AC-01CIS 5.4
§164.308(a)(5)(i)Security Awareness and Training✅ Acceptable Use PolicyImplementedA.6.3PR.AT-01CIS 14.1
§164.308(a)(5)(ii)(A)Security Reminders✅ Acceptable Use PolicyImplementedA.6.3PR.AT-01CIS 14.2
§164.308(a)(5)(ii)(B)Protection from Malicious Software🔍 Vulnerability ManagementImplementedA.8.7PR.DS-01CIS 10.1
§164.308(a)(5)(ii)(C)Log-in Monitoring📊 Security MetricsImplementedA.8.15DE.CM-01CIS 8.2
§164.308(a)(5)(ii)(D)Password Management🔑 Access Control Policy § MFAImplementedA.5.17PR.AC-01CIS 6.3
§164.308(a)(6)(i)Security Incident Procedures🚨 Incident Response PlanImplementedA.5.24, A.5.25, A.5.26RS.AN-01CIS 17.1
§164.308(a)(6)(ii)Response and Reporting🚨 Incident Response PlanImplementedA.5.26RS.CO-02CIS 17.2
§164.308(a)(7)(i)Contingency Plan🔄 Business Continuity PlanImplementedA.5.29, A.5.30PR.IP-09CIS 11.1
§164.308(a)(7)(ii)(A)Data Backup Plan💾 Backup Recovery PolicyImplementedA.8.13PR.IP-04CIS 11.2
§164.308(a)(7)(ii)(B)Disaster Recovery Plan🌪️ Disaster Recovery PlanImplementedA.5.30RC.RP-01CIS 11.5
§164.308(a)(7)(ii)(C)Emergency Mode Operation Plan🔄 Business Continuity PlanImplementedA.5.29PR.IP-09CIS 11.1
§164.308(a)(7)(ii)(D)Testing and Revision Procedures🌪️ Disaster Recovery PlanImplementedA.5.30RC.RP-01CIS 11.5
§164.308(a)(7)(ii)(E)Applications and Data Criticality Analysis🏷️ Data Classification PolicyImplementedA.5.12ID.AM-03CIS 3.4
§164.308(a)(8)Evaluation📊 Security MetricsImplementedA.5.37GV.IM-01CIS 18.2
§164.308(b)(1)Business Associate Contracts🤝 Third Party ManagementImplementedA.5.19, A.5.20GV.SC-02CIS 15.4

Physical Safeguards (45 CFR §164.310)

HIPAA RequirementRequirement SummaryHack23 Policy/EvidenceStatusISO 27001 MappingNIST CSF 2.0 MappingCIS Controls v8.1
§164.310(a)(1)Facility Access Controls🏢 Physical Security PolicyImplementedA.7.1, A.7.2PR.AC-02CIS 12.1
§164.310(a)(2)(i)Contingency Operations🔄 Business Continuity PlanImplementedA.7.13PR.IP-09CIS 11.1
§164.310(a)(2)(ii)Facility Security Plan🏢 Physical Security PolicyImplementedA.7.2PR.AC-02CIS 12.2
§164.310(a)(2)(iii)Access Control and Validation Procedures🏢 Physical Security PolicyImplementedA.7.2PR.AC-02CIS 12.3
§164.310(a)(2)(iv)Maintenance Records💻 Asset RegisterImplementedA.7.14PR.MA-01CIS 12.4
§164.310(b)Workstation Use✅ Acceptable Use Policy📱 Mobile Device Management PolicyImplementedA.7.7PR.AC-01CIS 4.1
§164.310(c)Workstation Security📱 Mobile Device Management PolicyImplementedA.7.7, A.7.8PR.DS-01CIS 4.2
§164.310(d)(1)Device and Media Controls💻 Asset RegisterImplementedA.7.11, A.7.14PR.DS-03CIS 3.2
§164.310(d)(2)(i)Disposal🏷️ Data Classification PolicyImplementedA.7.10, A.7.14PR.DS-03CIS 3.14
§164.310(d)(2)(ii)Media Re-use💻 Asset RegisterImplementedA.7.14PR.DS-03CIS 3.2
§164.310(d)(2)(iii)Accountability💻 Asset RegisterImplementedA.5.9ID.AM-01CIS 1.1
§164.310(d)(2)(iv)Data Backup and Storage💾 Backup Recovery PolicyImplementedA.8.13PR.IP-04CIS 11.2

Technical Safeguards (45 CFR §164.312)

HIPAA RequirementRequirement SummaryHack23 Policy/EvidenceStatusISO 27001 MappingNIST CSF 2.0 MappingCIS Controls v8.1
§164.312(a)(1)Access Control🔑 Access Control PolicyImplementedA.5.15, A.5.16PR.AC-01CIS 6.1
§164.312(a)(2)(i)Unique User Identification🔑 Access Control Policy § ArchitectureImplementedA.5.16PR.AC-01CIS 5.1
§164.312(a)(2)(ii)Emergency Access Procedure🔄 Business Continuity PlanImplementedA.5.29PR.IP-09CIS 11.1
§164.312(a)(2)(iii)Automatic Logoff🔑 Access Control PolicyImplementedA.8.5PR.AC-07CIS 4.3
§164.312(a)(2)(iv)Encryption and Decryption🔒 Cryptography PolicyImplementedA.8.24PR.DS-01CIS 3.11
§164.312(b)Audit Controls📊 Security Metrics💻 Asset RegisterImplementedA.8.15DE.CM-01CIS 8.2
§164.312(c)(1)Integrity🔒 Cryptography PolicyImplementedA.8.24PR.DS-06CIS 3.14
§164.312(c)(2)Mechanism to Authenticate ePHI🔒 Cryptography PolicyImplementedA.8.24PR.DS-06CIS 3.14
§164.312(d)Person or Entity Authentication🔑 Access Control Policy § MFAImplementedA.5.17PR.AC-01CIS 6.3
§164.312(e)(1)Transmission Security🌐 Network Security Policy🔒 Cryptography PolicyImplementedA.5.14, A.8.24PR.DS-02CIS 3.10
§164.312(e)(2)(i)Integrity Controls🔒 Cryptography PolicyImplementedA.8.24PR.DS-06CIS 3.10
§164.312(e)(2)(ii)Encryption🔒 Cryptography PolicyImplementedA.8.24PR.DS-02CIS 3.10

Organizational Requirements (45 CFR §164.314)

HIPAA RequirementRequirement SummaryHack23 Policy/EvidenceStatusISO 27001 MappingNIST CSF 2.0 MappingCIS Controls v8.1
§164.314(a)(1)Business Associate Contracts or Other Arrangements🤝 Third Party Management🔗 SUPPLIERImplementedA.5.19, A.5.20GV.SC-02CIS 15.4
§164.314(a)(2)(i)Business Associate Contracts🤝 Third Party ManagementImplementedA.5.20GV.SC-02CIS 15.4
§164.314(a)(2)(ii)Other Arrangements🤝 Third Party ManagementImplementedA.5.21GV.SC-04CIS 15.6

Policies and Procedures and Documentation Requirements (45 CFR §164.316)

HIPAA RequirementRequirement SummaryHack23 Policy/EvidenceStatusISO 27001 MappingNIST CSF 2.0 MappingCIS Controls v8.1
§164.316(a)Policies and Procedures🔐 Information Security PolicyAll ISMS PoliciesImplementedA.5.1GV.PO-01CIS 14.1
§164.316(b)(1)DocumentationAll ISMS PoliciesImplementedA.5.1GV.PO-01CIS 14.1
§164.316(b)(1)(i)Time Limit🏷️ Data Classification Policy § RetentionImplementedA.5.33PR.DS-04CIS 3.3
§164.316(b)(1)(ii)AvailabilityAll ISMS PoliciesImplementedA.5.1GV.PO-01CIS 14.1
§164.316(b)(2)(i)UpdatesAll ISMS Policies § Review CyclesImplementedA.5.1GV.PO-01CIS 14.1

HIPAA Compliance Summary

Coverage: 60 HIPAA Security Rule requirements mapped to existing Hack23 ISMS policies

Implementation Status:

  • Implemented: 60 requirements (100%)
  • 🟡 Partial: 0 requirements (0%)
  • Not Implemented: 0 requirements (0%)

Consulting Readiness: Hack23 AB's comprehensive ISMS framework aligns with all HIPAA Security Rule requirements, demonstrating consulting readiness for healthcare sector clients requiring:

  • Covered Entity Support: Healthcare providers, health plans, healthcare clearinghouses
  • Business Associate Guidance: Technology vendors, consultants, contractors handling PHI
  • HIPAA Gap Assessments: Security Risk Analysis (§164.308(a)(1)(ii)(A)) and compliance evaluation
  • Security Control Implementation: Technical safeguards, access controls, encryption, audit logging
  • Incident Response for PHI Breaches: Breach notification alignment (§164.408) with existing incident response framework

Related Documentation:


🎯 Strategic & Governance

🛡️ Security Policies

💻 Asset & Risk Management

⚙️ Operational Procedures


📋 Document Control:
✅ Approved by: James Pether Sörling, CEO 📤 Distribution: Public 🏷️ Classification: Confidentiality: Public 📅 Effective Date: 2026-05-10 ⏰ Next Review: 2026-11-10 🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls