HQ Cortex

ISO/IEC 27001:2022 — Information Security

Information Security Management System covering 93 Annex A controls across organizational, people, physical, and technological themes.

  • Supported: 2 (14%)
  • In progress: 9 (64%)
  • Not yet planned: 3 (21%)
  • Tracked: 14

Why this matters: ISO 27001 is the international standard for an Information Security Management System (ISMS). HQ Cortex is not currently certified to ISO 27001, but we operate many of the technical controls that an ISMS would require, and we work with infrastructure partners (Vercel, PlanetScale, Clerk) who are themselves certified. This page is honest about which controls are operating today and which are not.

We are not currently certified to this standard. The mapping below shows where our day-to-day controls already align.

Status legend

  • Supported: We can do this today.
  • In progress: Partially in place or actively in development.
  • Not yet planned: Not yet started or not in scope.

Organizational & People Controls

  • Asset and data inventory

    In progress

    Maintain an inventory of information assets with owners and classification.

    In HQ Cortex: Core records (formulations, batches, suppliers) are inherently inventoried within the system; a dedicated information-asset register with classification labels is not yet exposed.

    ISO 27001 A.5.9

  • Information classification and labeling

    Not yet planned

    Classify records (Public, Internal, Confidential, Restricted) and apply consistent handling.

    In HQ Cortex: Not yet implemented.

    ISO 27001 A.5.12, A.5.13

  • Supplier and sub-processor management

    In progress

    Track sub-processors, security questionnaires, and contractual security clauses.

    In HQ Cortex: Sub-processors (Vercel, PlanetScale, Clerk, Vercel Blob, Upstash) are documented in the security page. A customer-facing change-notification feed is being added.

    ISO 27001 A.5.19–A.5.22

  • Incident management process

    In progress

    Defined detection, triage, severity, customer notification, and post-incident review process.

    In HQ Cortex: Internal escalation paths exist for production incidents; a formal in-app incident workflow with notification SLAs is being built.

    ISO 27001 A.5.24–A.5.27

  • Personnel security training

    Not yet planned

    Security awareness training for personnel handling production data.

    In HQ Cortex: Not yet formalized.

    ISO 27001 A.6.3

Identity & Access

  • Centralized RBAC and least privilege

    Supported

    Role-based access control with least privilege and periodic access review.

    In HQ Cortex: Role-based permission profiles enforce per-resource scopes server-side, so users only see and act on what their role allows.

    ISO 27001 A.5.15, A.5.18

  • Strong authentication

    In progress

    MFA, password policy, SSO/SAML, and protected credential storage.

    In HQ Cortex: Clerk provides hashed credential storage and MFA capability; SSO/SAML and enforced MFA are paid Clerk features being rolled out.

    ISO 27001 A.8.5

  • Privileged access management

    In progress

    Production database and infrastructure access requires elevated, time-bound, and logged credentials.

    In HQ Cortex: Production access is restricted to platform owners; a documented just-in-time elevation runbook is being formalized.

    ISO 27001 A.8.2

Application & Data Security

  • Secure software development lifecycle

    In progress

    Documented SDLC: code review, SAST/DAST, dependency scanning, security gates pre-release.

    In HQ Cortex: Mandatory peer code review and automated code-quality checks are in place before any change ships. Automated SAST, DAST, and dependency scanning in CI are not yet wired up.

    ISO 27001 A.8.25

  • Application security requirements

    Supported

    Authenticated transactions, replay protection, server-side input validation, non-repudiation.

    In HQ Cortex: Server-side input validation, authenticated API calls, file-upload ownership checks, and rate limits are in production.

    ISO 27001 A.8.26

  • Cryptography in transit and at rest

    In progress

    TLS 1.2+ in transit, AES-256 at rest, documented key management.

    In HQ Cortex: TLS in transit and AES-256 at rest are provided by Vercel and PlanetScale. Customer-managed keys (BYOK) and rotation policies are not yet documented.

    ISO 27001 A.8.24

  • Logging of regulated events

    In progress

    Authentication, authorization changes, data exports, and CRUD on sensitive records logged and retained ≥ 1 year.

    In HQ Cortex: Domain-specific audit logs are in place; a unified, append-only application security log with documented retention is being built.

    ISO 27001 A.8.15

  • Backup and tested restore

    In progress

    Daily encrypted backups with periodic restore tests and recorded evidence.

    In HQ Cortex: PlanetScale provides automated backups; documented restore-test cadence and customer-visible evidence are not yet published.

    ISO 27001 A.8.13

  • Vulnerability management with severity SLAs

    Not yet planned

    Continuous dependency scanning with documented patch SLAs by CVSS severity.

    In HQ Cortex: Not yet implemented as a continuous, automated process. Dependencies are upgraded manually when an issue is identified.

    ISO 27001 A.8.8

Last reviewed: May 2026.