# Statement of Applicability (SoA)
Document ID: ISMS-POL-005
Version: 1.0
Effective Date: December 29, 2025
Review Date: December 29, 2026
Classification: Internal
## 1. Purpose
This Statement of Applicability (SoA) documents the ISO/IEC 27001:2022 Annex A controls applicable to anonym.legal, their implementation status, and justification for inclusion or exclusion.
## 2. Scope
This SoA covers all information security controls relevant to the anonym.legal PII anonymization platform, including:
- Cloud-hosted infrastructure (Hetzner)
- Web application (web framework frontend)
- Backend services (Presidio Analyzer/Anonymizer)
- Database (relational database)
- Customer data processing
## 3. Control Selection Methodology
Controls were selected based on:
- Risk assessment results
- Legal and regulatory requirements (GDPR)
- Business requirements
- Customer expectations
- Industry best practices
## 4. Control Categories Overview
| Category | Total Controls | Applicable | Implemented | Partial | Not Applicable |
|---|---|---|---|---|---|
| A.5 Organizational | 37 | 25 | 20 | 5 | 12 |
| A.6 People | 8 | 6 | 4 | 2 | 2 |
| A.7 Physical | 14 | 5 | 5 | 0 | 9 |
| A.8 Technological | 34 | 30 | 28 | 2 | 4 |
| Total | 93 | 66 | 57 | 9 | 27 |
## 5. Detailed Control Status
### A.5 Organizational Controls
| Control | Title | Applicable | Status | Justification |
|---|---|---|---|---|
| A.5.1 | Policies for information security | ✅ | Implemented | Information Security Policy documented |
| A.5.2 | Information security roles | ✅ | Implemented | Roles defined in RBAC system |
| A.5.3 | Segregation of duties | ✅ | Implemented | Admin/Editor/User role separation |
| A.5.4 | Management responsibilities | ✅ | Implemented | Documented in policies |
| A.5.5 | Contact with authorities | ✅ | Partial | GDPR contacts identified |
| A.5.6 | Contact with special interest groups | ❌ | N/A | Small organization |
| A.5.7 | Threat intelligence | ✅ | Partial | npm audit, security advisories |
| A.5.8 | Information security in project management | ✅ | Implemented | Security in development process |
| A.5.9 | Inventory of information | ✅ | Implemented | Asset inventory documented |
| A.5.10 | Acceptable use of information | ✅ | Implemented | Terms of Service, policies |
| A.5.11 | Return of assets | ❌ | N/A | SaaS model, no physical assets |
| A.5.12 | Classification of information | ✅ | Implemented | Data classification defined |
| A.5.13 | Labelling of information | ❌ | N/A | Automated system handling |
| A.5.14 | Information transfer | ✅ | Implemented | TLS encryption, secure APIs |
| A.5.15 | Access control | ✅ | Implemented | RBAC, plan-based gating |
| A.5.16 | Identity management | ✅ | Implemented | NextAuth.js, JWT sessions |
| A.5.17 | Authentication information | ✅ | Implemented | Password policy, 2FA |
| A.5.18 | Access rights | ✅ | Implemented | Role-based permissions |
| A.5.19 | Information security in supplier relationships | ✅ | Partial | Hetzner, Stripe reviewed |
| A.5.20 | Addressing security in supplier agreements | ✅ | Partial | Standard agreements |
| A.5.21 | Managing information security in ICT supply chain | ✅ | Implemented | Dependency management |
| A.5.22 | Monitoring, review of supplier services | ✅ | Partial | Uptime monitoring |
| A.5.23 | Information security for cloud services | ✅ | Implemented | Hetzner security config |
| A.5.24 | Information security incident management | ✅ | Implemented | Incident Response Plan |
| A.5.25 | Assessment and decision on events | ✅ | Implemented | Severity classification |
| A.5.26 | Response to information security incidents | ✅ | Implemented | Response procedures |
| A.5.27 | Learning from incidents | ✅ | Implemented | Post-incident review |
| A.5.28 | Collection of evidence | ✅ | Implemented | Log retention, audit trails |
| A.5.29 | Information security during disruption | ✅ | Implemented | Backup/recovery procedures |
| A.5.30 | ICT readiness for business continuity | ✅ | Implemented | Hetzner snapshots |
| A.5.31 | Legal, statutory, regulatory requirements | ✅ | Implemented | GDPR compliance |
| A.5.32 | Intellectual property rights | ✅ | Implemented | License compliance |
| A.5.33 | Protection of records | ✅ | Implemented | Data retention policy |
| A.5.34 | Privacy and protection of PII | ✅ | Implemented | Core business function |
| A.5.35 | Independent review of information security | ❌ | N/A | Small organization |
| A.5.36 | Compliance with security policies | ✅ | Implemented | Automated enforcement |
| A.5.37 | Documented operating procedures | ✅ | Implemented | Documentation in docs/ |
### A.6 People Controls
| Control | Title | Applicable | Status | Justification |
|---|---|---|---|---|
| A.6.1 | Screening | ❌ | N/A | Solo/small team |
| A.6.2 | Terms and conditions of employment | ❌ | N/A | Solo/small team |
| A.6.3 | Information security awareness | ✅ | Partial | Self-awareness |
| A.6.4 | Disciplinary process | ❌ | N/A | Solo/small team |
| A.6.5 | Responsibilities after termination | ✅ | Implemented | Credential revocation |
| A.6.6 | Confidentiality agreements | ✅ | Implemented | Customer agreements |
| A.6.7 | Remote working | ✅ | Implemented | Secure remote access |
| A.6.8 | Information security event reporting | ✅ | Implemented | Incident reporting |
### A.7 Physical Controls
| Control | Title | Applicable | Status | Justification |
|---|---|---|---|---|
| A.7.1 | Physical security perimeters | ✅ | Implemented | Hetzner data centers |
| A.7.2 | Physical entry | ✅ | Implemented | Hetzner controlled |
| A.7.3 | Securing offices, rooms, facilities | ❌ | N/A | Cloud-only |
| A.7.4 | Physical security monitoring | ✅ | Implemented | Hetzner monitoring |
| A.7.5 | Protecting against physical threats | ✅ | Implemented | Hetzner facilities |
| A.7.6 | Working in secure areas | ❌ | N/A | Cloud-only |
| A.7.7 | Clear desk and clear screen | ❌ | N/A | Remote work |
| A.7.8 | Equipment siting and protection | ✅ | Implemented | Hetzner data centers |
| A.7.9 | Security of assets off-premises | ❌ | N/A | Cloud-only |
| A.7.10 | Storage media | ❌ | N/A | No physical media |
| A.7.11 | Supporting utilities | ❌ | N/A | Hetzner managed |
| A.7.12 | Cabling security | ❌ | N/A | Hetzner managed |
| A.7.13 | Equipment maintenance | ❌ | N/A | Hetzner managed |
| A.7.14 | Secure disposal or re-use | ❌ | N/A | Hetzner managed |
### A.8 Technological Controls
| Control | Title | Applicable | Status | Justification |
|---|---|---|---|---|
| A.8.1 | User endpoint devices | ❌ | N/A | SaaS, no managed endpoints |
| A.8.2 | Privileged access rights | ✅ | Implemented | Admin role, SSH keys |
| A.8.3 | Information access restriction | ✅ | Implemented | RBAC, feature gating |
| A.8.4 | Access to source code | ✅ | Implemented | Private repository |
| A.8.5 | Secure authentication | ✅ | Implemented | Password policy, 2FA |
| A.8.6 | Capacity management | ✅ | Implemented | Hetzner scalable |
| A.8.7 | Protection against malware | ✅ | Implemented | Server hardening |
| A.8.8 | Management of technical vulnerabilities | ✅ | Implemented | npm audit, updates |
| A.8.9 | Configuration management | ✅ | Implemented | Infrastructure as code |
| A.8.10 | Information deletion | ✅ | Implemented | Data deletion procedures |
| A.8.11 | Data masking | ✅ | Implemented | Core business function |
| A.8.12 | Data leakage prevention | ✅ | Implemented | Encryption, access control |
| A.8.13 | Information backup | ✅ | Implemented | Hetzner snapshots |
| A.8.14 | Redundancy of information processing | ✅ | Partial | Single server (cost) |
| A.8.15 | Logging | ✅ | Implemented | Application/system logs |
| A.8.16 | Monitoring activities | ✅ | Implemented | Uptime, error tracking |
| A.8.17 | Clock synchronization | ✅ | Implemented | NTP configured |
| A.8.18 | Use of privileged utility programs | ✅ | Implemented | Restricted to admin |
| A.8.19 | Installation of software | ✅ | Implemented | Controlled deployment |
| A.8.20 | Networks security | ✅ | Implemented | Firewall, brute force protection |
| A.8.21 | Security of network services | ✅ | Implemented | TLS, secure protocols |
| A.8.22 | Segregation of networks | ✅ | Partial | Application isolation |
| A.8.23 | Web filtering | ❌ | N/A | Server-side only |
| A.8.24 | Use of cryptography | ✅ | Implemented | AES-256-GCM, TLS |
| A.8.25 | Secure development life cycle | ✅ | Implemented | Code review, testing |
| A.8.26 | Application security requirements | ✅ | Implemented | Security in design |
| A.8.27 | Secure system architecture | ✅ | Implemented | Defense in depth |
| A.8.28 | Secure coding | ✅ | Implemented | Best practices, linting |
| A.8.29 | Security testing in development | ✅ | Implemented | Unit testing, end-to-end testing, audit |
| A.8.30 | Outsourced development | ❌ | N/A | In-house development |
| A.8.31 | Separation of development, test, production | ✅ | Partial | Staging environment |
| A.8.32 | Change management | ✅ | Implemented | Version control, changelog |
| A.8.33 | Test information | ✅ | Implemented | Mock data for tests |
| A.8.34 | Protection during audit testing | ✅ | Implemented | Isolated test environment |
## 6. Exclusion Justifications
### Physical Controls (A.7.3, A.7.6, A.7.7, A.7.9-A.7.14)
Justification: anonym.legal is a cloud-only SaaS platform hosted on Hetzner Cloud. Physical security is managed by Hetzner (ISO 27001 certified data centers). No physical premises or equipment are maintained.
### People Controls (A.6.1, A.6.2, A.6.4)
Justification: anonym.legal is operated by a solo or small team. Formal HR processes (screening, employment terms, disciplinary process) are not applicable at the current scale.
### Endpoint Controls (A.8.1, A.8.23)
Justification: SaaS model where customers use their own devices. No managed endpoints.
### Outsourced Development (A.8.30)
Justification: All development is performed in-house.
## 7. Implementation Evidence
| Control Category | Evidence Location |
|---|---|
| Policies | docs/iso27001/ |
| Access Control | lib/roles.ts, lib/plan-features.ts |
| Authentication | lib/auth.ts, lib/auth/two-factor.ts |
| Encryption | lib/encryption.ts |
| Logging | Application logs, journalctl |
| Testing | tests/ directory |
| Change Management | docs/CHANGELOG.md |
| Configuration | app.config.js, web server configs |
## 8. Continuous Improvement
### Planned Improvements
| Control | Current Status | Target Status | Timeline |
|---|---|---|---|
| A.5.35 | N/A | Consider external audit | Q2 2026 |
| A.8.14 | Partial | Full redundancy | Q3 2026 |
| A.8.22 | Partial | Full network segmentation | Q2 2026 |
## 9. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-12-29 | Security Team | Initial release |