ISMS_Transparency_Plan.md

January 25, 2026 Β· View on GitHub

Hack23 Logo

🌐 Hack23 AB β€” ISMS Transparency Plan

Security Through Transparency and Open Documentation
Demonstrating Security Excellence Through Public ISMS Disclosure

Owner Version Effective Date Review Cycle

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 2.2 | πŸ“… Last Updated: 2026-01-25 (UTC)
πŸ”„ Review Cycle: Annual | ⏰ Next Review: 2027-01-25


🎯 Purpose Statement

Hack23 AB's core philosophy is that transparency enhances security rather than diminishing it. This document outlines our strategy for making our Information Security Management System (ISMS) public, demonstrating our expertise and building trust, while carefully protecting sensitive information that could introduce risk.

This plan defines what is considered public, what is confidential, and the processes for maintaining our commitment to security through transparency.

β€” James Pether SΓΆrling, CEO/Founder


πŸ“œ Guiding Principles

  1. Default to Public: Policies, frameworks, and high-level procedures will be public unless a specific, documented risk is identified.
  2. Demonstrate, Don't Expose: The goal is to showcase our security maturity and processes, not to reveal secrets that could be exploited.
  3. Redact, Don't Hide: When a document contains a mix of public and sensitive information, we will redact the sensitive parts and publish the rest.
  4. Clarity and Rationale: The reason for keeping any information confidential will be clearly documented internally.

πŸ“Š Information Classification for Publication

This table defines the publication status of ISMS documents and the rationale.

Document / Information TypePublication StatusRationale & Redaction Rules
πŸ” Core Policies & Frameworks
πŸ” Information Security Policyβœ… PublicDemonstrates overall security posture. No sensitive details.
🏷️ Classification Frameworkβœ… PublicCore to our methodology; showcases our approach to risk.
πŸ”“ Open Source Policyβœ… PublicAligns with our open-source philosophy.
πŸ“ Style Guideβœ… PublicShows our commitment to quality and consistency.
πŸ—οΈ Security Architectureβœ… PublicZero-trust security architecture and infrastructure design public.
πŸ› οΈ Operational Policies
πŸ”‘ Access Control Policyβœ… PublicHigh-level policy is public. Specific roles and access lists are confidential.
βœ… Acceptable Use Policyβœ… PublicBehavioral expectations and usage standards public. Demonstrates security culture and professional conduct.
🏠 Physical Security Policyβœ… PublicHome office security framework and device protection standards public. Specific home addresses confidential.
πŸ”’ Cryptography Policyβœ… PublicApproved algorithms and standards are public. Key management procedures are confidential.
πŸ› οΈ Secure Development Policyβœ… PublicThe framework is public. Specific tool configurations are confidential.
🌐 Network Security Policyβœ… PublicNetwork architecture principles public. Specific configurations confidential.
πŸ“ Change Managementβœ… PublicProcess framework public. Specific change details confidential.
πŸ” Vulnerability Managementβœ… PublicProcess public. Active vulnerabilities confidential.
πŸ’Ύ Backup & Recovery Policyβœ… PublicPolicy framework public. Specific procedures confidential.
🚫 Segregation of Duties Policyβœ… PublicSingle-person company compensating controls public.
πŸ€– AI Governance Policyβœ… PublicAI governance framework and EU AI Act compliance public. AI vendor assessments confidential.
πŸ›‘οΈ OWASP LLM Security Policyβœ… PublicComprehensive LLM security framework demonstrating OWASP Top 10 alignment and implementation transparency. Shows foundation strength while clearly identifying future development areas.
🎯 Threat Modeling Policyβœ… PublicSTRIDE methodology and threat assessment framework public. Specific threat intelligence confidential.
πŸ”„ ISMS Workflowsβœ… PublicOperational workflow procedures and automation standards public.
πŸš€ Future Workflowsβœ… PublicPlanned automation and tooling roadmap public.
πŸ“± Mobile Device Management Policyβœ… PublicMobile device security framework and BYOD controls public. Specific device inventories confidential.
πŸ“‹ Management & Governance
πŸ’» Asset Register⚠️ RedactedComplete asset inventory public including all systems, services, and configurations. Only specific credentials, API keys, and account numbers replaced with [REDACTED].
πŸ“‰ Risk Register⚠️ RedactedComplete risk framework and all risks public. Only specific financial impact values replaced with [REDACTED].
οΏ½ Risk Assessment Methodologyβœ… PublicRisk assessment framework and scoring methodology public.
οΏ½πŸ”— Third-Party Managementβœ… PublicComplete policy framework and all procedures public.
🏒 Supplier Security Posture⚠️ RedactedComplete supplier assessments public including all details. Only specific contract pricing and sensitive commercial terms replaced with [REDACTED].
🀝 External Stakeholder Registryβœ… PublicProfessional network and regulatory contacts demonstrate stakeholder engagement and compliance readiness.
🚨 Response & Recovery Plans
🚨 Incident Response Planβœ… PublicComplete process framework and all procedures public.
πŸ”„ Business Continuity Planβœ… PublicComplete strategies and all recovery procedures public.
πŸ†˜ Disaster Recovery Planβœ… PublicComplete architecture and all technical procedures public.
πŸ“Š Metrics & Quality Assurance
πŸ“Š Security Metricsβœ… PublicLive KPI dashboard and performance measurement public.
πŸ“Š ISMS Metrics Dashboardβœ… PublicPolicy health monitoring and review tracking public.
πŸ“‹ ISMS QA Checklistβœ… PublicQuality assurance standards and checklist public.
πŸ“Š SWOT Analysisβœ… PublicStrategic positioning and assessment public.
πŸ“‹ Service Offerings & Partnerships
πŸ›οΈ NIS2 Compliance Serviceβœ… PublicNIS2 consulting service offerings and methodology public.
πŸ›‘οΈ CRA Conformity Assessmentβœ… PublicEU Cyber Resilience Act compliance process public.
🀝 Partnership Frameworkβœ… PublicPartnership models and collaboration framework public.
πŸ“Š Compliance & Legal
βœ… Compliance Checklistβœ… PublicDemonstrates our commitment to transparency and provides a clear, auditable trail of our compliance posture against key frameworks.
🏷️ Data Classification Policyβœ… PublicThe classification levels and handling rules are public. The classification of specific datasets is confidential.
πŸ”’ Privacy Policyβœ… PublicPrivacy framework and GDPR compliance public. Specific data processing agreements confidential.
🏒 Company Documentation
πŸ“Š Aktiebok❌ ConfidentialShare register details confidential.
πŸ“Š Annual Accountsβœ… PublicFiled annual reports are public record.
πŸ“‘ Articles of Associationβœ… PublicCorporate governance structure public.
πŸ“‹ Business Plan❌ ConfidentialFinancial projections, strategic roadmap, and revenue models confidential.
πŸ“Š Business Strategy❌ ConfidentialStrategic plans and business tactics confidential.
🏒 Company Information❌ ConfidentialCorporate structure and internal operations.
πŸ“„ Copyright Assignment Agreement❌ ConfidentialLegal agreements and IP management confidential.
πŸ” Information Security Strategyβœ… PublicStrategic security initiatives and competitive security positioning differentiation through radical transparency.
πŸ“… Marketing Plan❌ ConfidentialTactical marketing implementation, campaigns, and operational details confidential.
πŸ“ˆ Marketing Strategy❌ ConfidentialMarketing strategies and competitive analysis confidential.
🀝 Stakeholders Overview❌ ConfidentialInternal stakeholder alignment and strategic mapping confidential.
❌ Sensitive Information
Personal Data (CEO, future employees)❌ ConfidentialPer GDPR and privacy best practices.
Financial Records & Bank Details❌ ConfidentialPer Swedish Bookkeeping Act and security best practices.
Customer Data❌ ConfidentialAbsolute confidentiality is paramount for client trust and GDPR.
Active Security Vulnerabilities❌ ConfidentialPublic disclosure would be irresponsible.
Credentials, API Keys, Tokens❌ ConfidentialExtreme-level confidential data.
Risk Exposure Values❌ ConfidentialSpecific financial impacts could enable targeted attacks.
Supplier Contract Details❌ ConfidentialCommercial terms, costs, and performance details.

πŸ”§ Redaction and Publication Process

Radical Transparency Approach

Hack23 AB practices radical transparency - we publish complete ISMS documents with only specific sensitive values redacted. This demonstrates our security maturity and operational excellence while protecting only the most sensitive information.

What We Publish (Everything):

  • βœ… Complete processes, procedures, and technical details
  • βœ… All system configurations, architectures, and operational procedures
  • βœ… All contact information (roles, escalation paths, response procedures)
  • βœ… All supplier names, assessments, and security postures
  • βœ… All risk assessments, risk details, and mitigation strategies
  • βœ… Complete asset inventories with all systems and services

What We Redact (Minimal):

  • πŸ”’ Specific credentials, API keys, passwords, tokens
  • πŸ”’ Specific account numbers, account IDs (replaced with [REDACTED])
  • πŸ”’ Specific financial impact amounts in risks (e.g., "$1.8M" β†’ [REDACTED])
  • πŸ”’ Specific contract pricing and commercial terms
  • πŸ”’ Personal phone numbers and personal email addresses

Publication Process

  1. Create Internal Version: The complete document is created as the "source of truth."
  2. Create Public Version: An identical copy is made for public release.
  3. Apply Minimal Redactions: Only specific sensitive VALUES are replaced with [REDACTED] - structure and content remain intact.
  4. Add Redaction Header: Public versions include standardized header badges and notice (see below).
  5. Review: The CEO reviews to ensure only appropriate values are redacted.
  6. Publish: The document is published to the public GitHub repository.

ISMS-PUBLIC Header Requirements

All documents in the ISMS-PUBLIC repository must include the following elements after the standard document badges:

Required Header Badges:

<p align="center">
  <a href="https://github.com/Hack23/ISMS/blob/main/ISMS_Transparency_Plan.md"><img src="https://img.shields.io/badge/πŸ”“_PUBLIC_REDACTED_VERSION-Per_Transparency_Plan-blue?style=for-the-badge" alt="Public Redacted Version"/></a>
  <a href="https://github.com/Hack23/ISMS/blob/main/ISMS_Transparency_Plan.md"><img src="https://img.shields.io/badge/πŸ“‹_Redaction_Policy-ISMS__Transparency__Plan-informational?style=for-the-badge" alt="Transparency Plan"/></a>
</p>

Required Redaction Notice:

> ⚠️ **PUBLIC REDACTED VERSION:** This document has been redacted per our [ISMS Transparency Plan](https://github.com/Hack23/ISMS/blob/main/ISMS_Transparency_Plan.md). Sensitive values are replaced with `[REDACTED]`. Complete unredacted version maintained in private ISMS repository.

Document-Specific Redaction Notices:

  • Asset Register: "Sensitive values (personal emails, account IDs, financial amounts)"
  • Risk Register: "Sensitive values (financial impact amounts, ALE/SLE/VaR figures)"
  • Supplier Security Posture: "Sensitive values (contract pricing, monthly costs, financial impact amounts)"

Redaction Examples

  • Credentials: password: "abc123" becomes password: [REDACTED]
  • Account Numbers: Account: 172017021075 becomes Account: [REDACTED]
  • Financial Risk Values: ALE: €65,700 becomes ALE: [REDACTED]
  • Personal Contact: CEO: +46-XXX-XXX becomes CEO: [REDACTED]
  • Contract Pricing: $50/month becomes [REDACTED]/month

Everything else remains public and unredacted.


🌐 Publication Channels

Primary Documentation Repository

  • GitHub Public: hack23/ISMS-PUBLIC - Complete public ISMS documentation
  • Corporate Website: Links to documentation for client access

Documentation Mirrors


πŸ“Š Metrics & Review

Publication Metrics

  • Documents Published: Framework complete with ongoing updates
  • Public/Confidential Ratio: Approximately 70% public framework, 30% redacted operational details
  • Client Engagement: Documentation views, security inquiries generated

Key Dependencies

From our comprehensive supplier management approach:

  • Cloud Infrastructure: Critical dependency with robust continuity planning
  • Development Platforms: High-impact services with documented alternatives
  • Financial Services: Regulatory-compliant banking and payment processing
  • Supporting Services: Managed risk profile across operational tools

Risk Management Overview

Our systematic approach includes:

  • Comprehensive Risk Assessment: Full spectrum risk identification and classification
  • Regular Risk Reviews: Ongoing monitoring and reassessment cycles
  • Risk Treatment Planning: Appropriate mitigation strategies based on impact analysis
  • Continuous Improvement: Regular updates to risk management processes

Review Schedule

  • Monthly: Review redaction effectiveness and update metrics
  • Quarterly: Update publication classifications and risk assessments
  • Annually: Complete transparency strategy review
  • Ad-hoc: Following security incidents or significant business changes

🎯 Strategic & Governance

πŸ” Security Policies & Controls

βš™οΈ Operational Integration


πŸ“‹ Document Control:
βœ… Approved by: James Pether SΓΆrling, CEO
πŸ“€ Distribution: Public
🏷️ Classification: Confidentiality: Public
πŸ“… Effective Date: 2026-01-25
⏰ Next Review: 2027-01-25
🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls