Status — readiness pack mapped to ISO/IEC 27001:2022. Berserk ApS is not currently ISO/IEC 27001:2022 certified, but we do maintain a mapped readiness posture against both the management-system clauses (4–10) and all 93 Annex A controls. This page is the buyer-facing ISO 27001 readiness extract: it shows what is already in place, where the deliberate gaps are, and how the current control set maps to the standard. We will pursue formal certification when customer requirements and company stage make it proportionate.
This page tells a buyer:
For the procurement-friendly summary see the Trust Overview. For the framework-mapped controls in detail see the Security Whitepaper and the filled CAIQ v4.
These are the management-system clauses an auditor opens first. They cover the governance scaffolding around the technical controls.
| Clause | Topic | Status | Where it lives |
|---|---|---|---|
| 4 | Organizational context, interested parties | Partial | Scope and interested parties documented in our internal Information Security Policy. Formal "interested parties" register on the roadmap. |
| 5 | Leadership, policy, roles | Yes | CEO ownership stated across every internal policy header; this trust pack is the public expression of the policy. |
| 6 | Risk assessment, risk treatment, Statement of Applicability | Partial | Quarterly risk register and a control matrix mapping every NIS2 / NIST CSF / Annex A control to a policy and an evidence file. SoA available under NDA. |
| 7 | Resources, competence, awareness, document control | Partial | Onboarding briefing covers core policies; competence matrix and document-control procedure are roadmap items. |
| 8 | Operational planning and control | Yes | Runbooks under the internal procedures pack: incident response, breach notification, backup/restore, access provisioning, vulnerability disclosure. |
| 9 | Monitoring, internal audit, management review | Planned | Internal-audit procedure and management-review cadence are roadmap items before any Stage 1 audit. |
| 10 | Nonconformity, corrective action, continual improvement | Partial | Lessons-learned process documented in the incident response runbook; generalised continual-improvement procedure is a roadmap item. |
Annex A of ISO 27001:2022 organises 93 controls into four themes.
A.5 Organisational controls (37 controls): policy, supplier and customer relationships, classification, threat intelligence, identity, contracts, evidence, monitoring, intelligence-driven response.
| Control area | Status | Where it lives |
|---|---|---|
| A.5.1 Information-security policy and topic-specific policies | Yes | Twelve internal policies covering the full NIS2 Article 21(2) measure set; this trust pack is the publicly stated extract. |
| A.5.7 Threat intelligence | Partial | Manual review of CFCS / CERT-SE / ENISA bulletins; no automated TI feed yet. |
| A.5.9 Inventory of information and other associated assets | Yes | Software-asset inventory (codebase, dependencies, services) shipped as a CycloneDX SBOM at /sbom.cdx.json in every image. |
| A.5.10 Acceptable use | Yes | HR Security Policy §"Acceptable use" (internal). |
| A.5.12 Classification of information | Yes | Public / Internal / Confidential / Customer-data classes named in the data-handling policy. |
| A.5.14 Information transfer | Yes | Customer-data transfer rules in the DPA template; transit encryption documented in the Security Whitepaper. |
| A.5.15–A.5.18 Access control, identity, authentication, access rights | Partial | Per-user accounts on SaaS; SSH-key authentication. Open: 2FA on SSH and every cloud console (R-ACCESS-01); per-user accounts on dev/prod hosts (R-PROD-02); aggregated audit logging (R-ACCESS-02). |
| A.5.19–A.5.23 Supplier and cloud-services relationships | Yes | Sub-processors list, DPA, supply-chain security policy (internal). |
| A.5.24–A.5.28 Incident management | Yes | Coordinated Vulnerability Disclosure + internal incident response policy + breach notification procedure following NIS2 Article 23 timing. |
| A.5.30 ICT readiness for business continuity | Partial | Business-continuity policy in place; first end-to-end recovery rehearsal scheduled (R-RECOVERY-01). |
| A.5.31–A.5.34 Legal, IP, privacy, identification of records | Yes | Pre-release License Terms, DPA, licence-policy (permissive-only) and data-handling policy (internal). |
| A.5.36–A.5.37 Compliance and documented operating procedures | Yes | Control matrix maps every applicable Annex A control to a policy + evidence reference; full matrix available under NDA. |
A.6 People controls (8 controls): screening, terms, awareness, disciplinary, remote working, reporting.
| Control | Status | Where |
|---|---|---|
| A.6.1 Screening (background checks) | Planned | Open gap. Not done at current size; required before personnel hold standing administrator access to customer environments under the managed offering. |
| A.6.2 Terms and conditions of employment | Yes | Confidentiality + IP-assignment in every employment / contractor agreement (HR Security Policy). |
| A.6.3 Awareness, education, training | Partial | Onboarding briefing exists; annual refresher session is roadmap (R-PEOPLE-01). |
| A.6.4 Disciplinary process | Yes | Per Danish labour law and the employment agreement. |
| A.6.5 Responsibilities after termination | Yes | Leaver checklist in the access-provisioning procedure: revoke SSH key, rotate shared credentials, close SaaS accounts. |
| A.6.6 Confidentiality / NDA | Yes | Confidentiality clause in every employment / contractor agreement; mutual NDA available to enterprise customers on request. |
| A.6.7 Remote working | Yes | Personnel laptops are full-disk encrypted and password-locked; access via Netbird overlay. |
| A.6.8 Information-security event reporting | Yes | On-call channel + security@bzrk.dev for personnel and external reporters. |
A.7 Physical controls (14 controls): mostly inherited from suppliers with their own ISO 27001 / 27017 / 27018 certifications.
| Control area | Status | Where |
|---|---|---|
| A.7.1–A.7.4 Secure areas, perimeter, entry, monitoring | Inherited | Inherited from Hetzner (ISO 27001, ISO 9001, ISO 14001, ISO 50001) for our datacentre servers, and from Proton and GitHub for SaaS. |
| A.7.5–A.7.6 Protection from environmental threats / working in secure areas | Inherited | Inherited from Hetzner. |
| A.7.7 Clear desk / clear screen | Yes | Personnel laptops auto-lock; HR Security Policy's acceptable-use clause. |
| A.7.8–A.7.14 Equipment siting, supporting utilities, cabling, maintenance, off-site, secure disposal, unattended user equipment, off-premises | Inherited + Yes | Datacentre items inherited from Hetzner; personnel-equipment items in HR Security Policy and asset-management policy. |
A.8 Technological controls (34 controls): endpoints, network, crypto, development, monitoring, vulnerability management, backup, logging.
| Control area | Status | Where |
|---|---|---|
| A.8.1 User endpoint devices | Partial | Full-disk encrypted, password-locked. Centralised MDM-class enforcement is deployed via self-hosted endpoint-management tooling; rollout to every existing laptop and host is tracked under R-PROD-06. |
| A.8.2 Privileged access rights | Partial | On-call announce-before-action; two-person rule for irreversible production-data ops. Per-user prod accounts open (R-PROD-02). |
| A.8.3–A.8.4 Information access restriction / source code | Yes | GitHub team-based RBAC; K8s ServiceAccount-per-service. |
| A.8.5 Secure authentication | Partial | SSH-key + 2FA on Proton + GitHub. SSH 2FA enforcement is roadmap (R-ACCESS-01). |
| A.8.6 Capacity management | Yes | Service-level metrics, alerting, admission control documented in the architecture docs. |
| A.8.7 Protection against malware | Yes | Vendored toolchain removes the dependency-registry-poisoning class; CI runs without public-network access; TruffleHog runs in the daily master security scan. |
| A.8.8 Management of technical vulnerabilities | Yes | Daily dependency-advisory scanning across every ecosystem plus per-image SBOM scanning; a single advisory-exception register feeds all scanners, so an exception is granted once, with an expiry, and applied consistently. |
| A.8.9 Configuration management | Partial | Terraform + Helm baselines for VMs and K8s. Drift detection is roadmap. |
| A.8.10 Information deletion | Yes | Customer-data deletion at engagement end is documented in the data-handling policy and the DPA. |
| A.8.11 Data masking | N/A | Customer telemetry stays in the customer environment; we do not mask it, the customer chooses what to share. |
| A.8.12 Data leakage prevention | Partial | TruffleHog secrets detection on the daily master scan; standard egress monitoring on production. |
| A.8.13 Information backup | Partial | S3-as-trust-root model documented; first end-to-end recovery rehearsal scheduled (R-RECOVERY-01). |
| A.8.14 Redundancy | Inherited + Planned | Inherited at the storage layer; cross-region replication on roadmap. |
| A.8.15–A.8.16 Logging / monitoring activities | Partial | Per-service logs; aggregated audit logging is roadmap (R-ACCESS-02). |
| A.8.17 Clock synchronization | Yes | NTP across the cluster. |
| A.8.18–A.8.19 Privileged utility programs / installation of software on operational systems | Yes | Production access is gated; software installation on production hosts is via Bazel-built images, not interactive. |
| A.8.20–A.8.22 Network controls / network services / segregation | Yes | Netbird overlay; per-service ServiceAccount; IP plan documented in deployment-architecture. |
| A.8.23 Web filtering | N/A | Not applicable at current size; the justification is recorded in the SoA. |
| A.8.24 Use of cryptography | Yes | Cryptography policy with approved primitives (rustls + aws-lc-rs for TLS; AES-256-GCM / ChaCha20-Poly1305 for symmetric; Ed25519 / ECDSA P-256 for signatures). |
| A.8.25–A.8.31 Secure development, separation, change, test, outsourced | Partial | Secure-development policy: compiler-enforced lints (no unwrap/panic/silent fallback in production), AI-agent secure-baseline guardrails, threat modelling on new external surfaces. |
| A.8.32 Change management | Partial | PR-based with required automated CI checks; production change tracking via Helm + Terraform. |
| A.8.33 Test information | Yes | Test fixtures use synthetic data only; the engineering rule against mock-database tests in production-divergent paths keeps the test/production boundary explicit and reduces the test-information risk. |
| A.8.34 Protection of information systems during audit | Yes | Audits are remote-attestation-based at present; no production instrumentation by external auditors. |
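The A.8.8 row above describes one advisory-exception register shared by every scanner. The following is an added example written for this page, not Berserk's own tooling: it reads a CycloneDX SBOM (the `/sbom.cdx.json` shape), matches components against an advisory list, and honours exceptions only while they are unexpired. The SBOM, advisory identifiers (`ADV-000x`) and register entries are all constructed for the example; a real pipeline would pull advisories from OSV/RustSec data and use a semver-aware comparison rather than the numeric-tuple simplification here.

```python
"""Gate a container image on its CycloneDX SBOM against an advisory list,
honouring a single, expiring exception register (added example; all
identifiers below are constructed, not real advisories or packages)."""
import json
from datetime import date

# Constructed minimal CycloneDX 1.5 document, same shape as /sbom.cdx.json.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "foo", "version": "1.2.3", "purl": "pkg:cargo/foo@1.2.3"},
        {"type": "library", "name": "bar", "version": "2.0.0", "purl": "pkg:cargo/bar@2.0.0"},
        {"type": "library", "name": "baz", "version": "3.1.0", "purl": "pkg:npm/baz@3.1.0"},
    ],
})

# Constructed advisories keyed by version-less purl (placeholders, not CVE/RUSTSEC/GHSA ids).
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:cargo/foo", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADV-0002", "purl": "pkg:cargo/bar", "introduced": "2.0.0", "fixed": "2.0.1"},
    {"id": "ADV-0003", "purl": "pkg:npm/baz", "introduced": "3.2.0", "fixed": "3.2.5"},
]

# Constructed exception register: one file for every scanner, every entry expires.
EXCEPTIONS = [
    {"advisory": "ADV-0001", "purl": "pkg:cargo/foo", "expires": "2026-12-31",
     "reason": "vulnerable code path not compiled into our build"},
    {"advisory": "ADV-0002", "purl": "pkg:cargo/bar", "expires": "2026-03-31",
     "reason": "awaiting upstream release"},
]


def parse_version(text):
    """Dotted numeric versions only; a non-numeric segment counts as 0 (simplification)."""
    parts = []
    for seg in text.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def base_purl(purl):
    """Strip the @version and any ?qualifiers so advisories match by package identity."""
    return purl.split("?", 1)[0].split("@", 1)[0]


def components(sbom_text):
    """Yield (purl, version) for every component in the SBOM that carries a purl."""
    bom = json.loads(sbom_text)
    for comp in bom.get("components", []):
        if comp.get("purl"):
            yield comp["purl"], comp.get("version", "")


def affected(version, advisory):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def live_exception(advisory_id, purl_base, exceptions, today):
    """Return the register entry covering this advisory+package if it has not expired."""
    for ex in exceptions:
        if (ex["advisory"] == advisory_id and ex["purl"] == purl_base
                and date.fromisoformat(ex["expires"]) >= today):
            return ex
    return None


def evaluate(sbom_text, advisories, exceptions, today_iso):
    """List every advisory that matches a component, marked 'excepted' or 'fail'."""
    today = date.fromisoformat(today_iso)
    findings = []
    for purl, version in components(sbom_text):
        base = base_purl(purl)
        for adv in advisories:
            if adv["purl"] != base or not affected(version, adv):
                continue
            ex = live_exception(adv["id"], base, exceptions, today)
            findings.append({
                "advisory": adv["id"], "purl": purl,
                "status": "excepted" if ex else "fail",
                "reason": ex["reason"] if ex else "no live exception",
            })
    return findings


def gate(sbom_text, advisories, exceptions, today_iso):
    """True only when every matched advisory is covered by an unexpired exception."""
    return all(f["status"] == "excepted"
               for f in evaluate(sbom_text, advisories, exceptions, today_iso))


if __name__ == "__main__":
    for finding in evaluate(SBOM_JSON, ADVISORIES, EXCEPTIONS, "2026-05-05"):
        print(finding)
    print("gate:", "pass" if gate(SBOM_JSON, ADVISORIES, EXCEPTIONS, "2026-05-05") else "fail")
```

The expiry check is the point: an exception that has lapsed fails the build exactly as if it had never been granted, which is what keeps a shared register from silently becoming a permanent allow-list.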
We maintain an internal SoA: a row per Annex A control, marked applicable Y/N, with a justification and a reference to the implementing policy or evidence. The SoA is available to enterprise customers under NDA on request to security@bzrk.dev.
The summary table on this page is not the SoA — it is a public extract for procurement reviewers. The SoA is the document an auditor opens first; it carries every control with its applicability decision and rationale.
Several Annex A controls are satisfied through ISO-certified suppliers. Material inheritances:
| Supplier | Their certifications | Controls we inherit |
|---|---|---|
| Hetzner Online GmbH | ISO 27001, ISO 9001, ISO 14001, ISO 50001 | A.7 (physical) for our internal cluster |
| Proton AG | ISO 27001, SOC 2 Type II, GDPR-aligned | A.5.14 / A.5.23 for email + credentials |
| GitHub, Inc. (Microsoft) | ISO 27001, SOC 2 Type II | A.5.23 for source-code hosting |
Their certificates are linked from each provider's trust page; we keep verified copies for buyer review on request. An inherited control is only as strong as the certificate scope, so reviewers should confirm that the scope statement covers the specific service we consume.
Approximate sequencing if we elect to pursue certification, aligned with the planned managed-offering launch:
| Phase | Duration | Output |
|---|---|---|
| Internal audit programme stand-up | 1 month | R-ISMS-01 (audit + review cadence), R-ISMS-02 (document control + competence matrix), R-ISMS-03 (continual improvement), R-ISMS-04 (interested-parties register), information-security objectives |
| Close roadmap items | 2–3 months | Items still showing Partial or Planned in the clause and Annex A tables above, plus the "Planned for Managed Offering" grouping on the Security Roadmap. |
| First internal audit | 1 month | Findings register; close findings |
| Pre-audit readiness pack | 1 month | Final SoA, management-review minutes |
| Stage 1 + Stage 2 with accredited body | 2–3 months | Certificate |
For the full per-item view across every framework, not only the ISO 27001 audit path, see the consolidated Security Roadmap. We have not booked an auditor. When we do, commonly used accredited certification bodies for Nordic SaaS include BSI, DNV, A-LIGN, and Schellman.
Email security@bzrk.dev with what your procurement team needs and we will share what is appropriate under NDA.
2026-05-05.