Vertix.

ISO/IEC 27001:2022

Information Security Management System. Aligned with the 93 Annex A controls.

Vertix operates an ISMS designed in conformity with ISO/IEC 27001:2022, supplemented by ISO 27017 (cloud), ISO 27018 (PII in cloud) and ISO 27799 (health informatics). Certification roadmap target Q4 2026.

ISMS established · Certification: in progress · target Q4 2026

Annex A controls: 93 (total scope)

Implemented: 62 (in place, evidence-backed)

Partial / Planned: 27 (on the roadmap)

Not applicable: 4 (justified scope exclusions)

Annex A · four control themes

How the 93 controls are organised.

ISO/IEC 27001:2022 reorganised Annex A into four themes. The counts below reflect the current Statement of Applicability, last reviewed 2026-05-08.

A.5 · Organizational controls · 27 / 37 implemented · 73%

Information security policies, supplier relationships, incident management, classification, and privacy. The organisational layer of the ISMS.

In place: 27 · Partial: 8 · Planned: 2 · N/A: 0

A.6 · People controls · 6 / 8 implemented · 75%

Screening, awareness training, confidentiality, remote working, event reporting. Controls that govern the human boundary of the system.

In place: 6 · Partial: 2 · Planned: 0 · N/A: 0

A.7 · Physical controls · 10 / 14 implemented · 71%

Equipment, secure disposal, off-premises assets. Data-centre perimeter controls are delegated to AWS under the Shared Responsibility Model and verified via independent attestations.

In place: 10 · Partial: 1 · Planned: 0 · N/A: 3

A.8 · Technological controls · 19 / 34 implemented · 56%

Access control, cryptography, vulnerability management, logging, secure development, network segregation, and AI-specific safeguards.

In place: 19 · Partial: 12 · Planned: 2 · N/A: 1


ISMS principles

How we run the system. Not just the list of controls.

Plan-Do-Check-Act (PDCA)

The ISMS follows Clauses 4-10 of ISO/IEC 27001:2022. Risk assessment, controls implementation, performance evaluation, continual improvement.

Risk-based

Controls are selected through formal risk assessment (risk score R = P × I, probability × impact; a score ≥ 9 mandates treatment). The Statement of Applicability (SoA) records the rationale for each Annex A control.

Defence in depth

Multiple independent control layers across organisational, people, physical and technological domains. No single control is the last line.

Healthcare weighting

Mental-health PHI carries triple weight in impact scoring per ISO 27799. The Patient Privacy Firewall (ADR-036) segregates patient data architecturally from research and AI training pipelines.

Framework cross-walk

One ISMS. Many regulators. Mapped explicitly.

ISO/IEC 27001:2022 is the base framework. Every Annex A control is mapped to its HIPAA, GDPR/LQPDP, and SOC 2 equivalent in our internal harmonisation matrix.

HIPAA Security Rule

45 CFR §§ 164.302-318

Access management, audit controls, integrity controls, transmission security, contingency planning. Cross-mapped to A.5.15-A.5.18, A.5.24-A.5.28, A.8.13-A.8.15, A.8.24.

GDPR / LQPDP 29/2021

Art. 32 + Art. 5 + Art. 25

Pseudonymisation, encryption, integrity, availability, regular testing. Cross-mapped to A.5.34, A.8.10-A.8.12, A.8.24, A.5.35.

SOC 2 Trust Services Criteria

Common Criteria (CC) + Availability (A1)

CC6 (logical access) ↔ A.5.15-A.5.18; CC7 (system operations) ↔ A.8.15-A.8.16; A1.2 (availability) ↔ A.8.13-A.8.14. SOC 2 Type II target · audit target Q4 2026.

ISO 27017:2015 (Cloud)

7 cloud-specific controls

AWS-aware controls incorporated into the Annex A framework (CLD.6.3.1, CLD.9.5.1, CLD.12.x, CLD.13.x).

ISO 27018:2019 (PII in Cloud)

12 PII-specific controls

Customer control over PII, prohibition of advertising use, transparency over sub-processing.

ISO 27799:2016 (Health informatics)

Healthcare-specific controls

Mental-health-data weighting in risk assessment (triple weight per ISO 27799); incident management with patient-safety impact.

Path to certification

From ISMS established to ISO/IEC 27001 certified.

Independent third-party certification follows a published preparation cadence. We do not market the badge before the audit issues it.

ISMS established · 93-control SoA published: done, 2026-05-08

Internal audit + risk treatment plan closure: Q3 2026

External readiness assessment: Q3-Q4 2026

Stage 1 + Stage 2 certification audit: Q4 2026

ISO/IEC 27001:2022 certificate issued: Q4 2026 target

Coordinated disclosure

Found a vulnerability? Tell us first.

We follow a coordinated vulnerability disclosure model. Researchers and customers reporting in good faith receive acknowledgement within two business days and a remediation timeline within ten.

Last reviewed 2026-05-08 · Document owner: Compliance Officer (see APP-01)

ISO/IEC 27001:2022 is the base ISMS framework, supplemented by ISO 27017:2015 (cloud), ISO 27018:2019 (PII in public cloud), and ISO 27799:2016 (health informatics). Detailed Statement of Applicability available to enterprise customers under NDA.