Teho Trust Centre

Controls

ISO/IEC 27001 readiness status, not a certification claim.

Infrastructure Security

A.8.13 Information backups evidenced

Production database backups, point-in-time recovery, and restore-test evidence are maintained for the critical Activity Analysis database.

Status: C

A.8.14 Redundancy treatment decision tracked

High availability and private-networking treatment is documented as an open readiness decision before production certification scope.

Status: PC

A.8.15 Logging enabled for production services

Administrative and service activity is logged through the managed cloud and application control plane for review and incident response.

Status: C

A.8.16 Monitoring configured for critical services

Operational monitoring and alerting are configured for the production portal, supporting services, and scheduled automation paths.

Status: C

A.8.20 Network security controls maintained

Production infrastructure uses managed network controls, restricted service exposure, and deployment-specific access boundaries.

Status: C

Organizational Security

A.5.1 Information security policies maintained

The core security policy suite is drafted and versioned; formal communication and operating evidence remain part of the readiness track.

Status: PC

A.5.2 Security roles and responsibilities assigned

Security ownership, escalation routes, and operational responsibilities are documented for the active Teho team.

Status: C

A.5.15 Access control policy enforced

Access is limited to authorised team members and deployment-specific service roles with evidence retained for review.

Status: C

A.5.18 Access rights reviewed

User and administrative access rights are tracked and reviewed against the current team and deployment scope.

Status: C

A.5.35 Independent security review pending

Independent review is not yet complete and remains a required readiness item before an external certification claim.

Status: NC

Internal Security Procedures

A.5.24 Incident response plan maintained

Incident planning, severity handling, communications, and client notification expectations are documented.

Status: C

A.5.25 Security events assessed

Security events are triaged through documented escalation and assessment procedures.

Status: C

A.5.26 Incident response procedures defined

Response runbooks cover containment, investigation, communication, and remediation responsibilities.

Status: C

A.5.27 Incident learning process defined

Post-incident review and remediation tracking are part of the documented operating model.

Status: C

ISO-R007 Incident tabletop exercise evidence pending

A tabletop exercise is planned to preserve operating evidence for the incident response process.

Status: PC

AI Security & Compliance

AI-001 Optional AI providers named before signature

Where optional AI providers are used, the vendor, data category, region, and transfer basis are named before signature.

Status: C

AI-002 Deployment-specific AI classification

AI-enabled classification is configured per deployment and limited to the agreed engagement purpose.

Status: C

AI-003 Non-LLM deployment paths available

Clients can request non-LLM or reduced-data paths where the engagement risk profile requires it.

Status: C

AI-004 AI evidence captured in review pack

AI use, model/provider choice, and deployment controls are captured in the security review pack when relevant.

Status: PC

Product Security

A.8.2 Privileged access controlled

Privileged access is restricted to named administrators and deployment-scoped service roles.

Status: C

A.8.3 Information access restricted

Application access is scoped by role, deployment, and approved operational need.

Status: C

A.8.5 Secure authentication enforced

Administrative and service access require authenticated sessions or deployment-scoped credentials.

Status: C

A.8.24 Cryptography used for protected data

TLS is used for service interfaces and managed encryption is used for storage services in production deployments.

Status: C

A.8.29 Security testing included before release

Security checks, dependency review, and targeted verification are included in the release process for touched surfaces.

Status: C

Data and Privacy

A.5.34 Privacy and PII responsibilities documented

Controller and processor responsibilities, optional providers, data categories, and deployment-specific privacy terms are documented.

Status: C

SP-001 Baseline boundary documented before rollout

The business question, teams, workflows, signal categories, exclusions, reviewer audience, and reporting level are named before a Baseline begins.

Status: C

SP-002 Team-level reporting thresholds enforced

Baseline outputs are constrained to team or workflow-level findings, with below-threshold small-group activity suppressed from named reporting.

Status: C

SP-003 Optional evidence approval required

Screenshot, semantic, or LLM-enabled evidence paths are deployment-specific and require explicit approval before use.

Status: C

A.8.10 Data deletion procedures established

Retention and deletion procedures are agreed before deployment, with deletion evidence available on request.

Status: C

A.8.11 Data masking supported where required

Sensitive fields can be reduced, excluded, or masked depending on the deployment and review scope.

Status: C

A.8.12 Data leakage controls maintained

Exports, service access, and optional AI paths are constrained to the agreed deployment scope.

Status: C

A.5.20 Supplier agreements under readiness review

Supplier terms and subprocessor disclosures are maintained, with final evidence narrowed to the actual deployment scope.

Status: PC

Status key:

C: Compliant-ready
PC: Partially compliant
NC: Not compliant
OC: Owner confirmation required