Deployment Checklist
Organizational requirements that each deployment operator must address when deploying SirosID. These items are derived from platform compliance audits and represent controls that are outside the platform's scope.
23 checklist items across 3 frameworks.
Download the OSCAL Component Definition to bootstrap your own compliance assessment. Then work through the items below for your specific deployment.
ENISA EUDI Operator Deployment Checklist
Organizational requirements from ENISA EUDI Wallet Security Requirements v0.5 that must be addressed by each deployment operator. These items are not tracked as platform findings — they become actionable when an operator deploys SirosID.
| # | Item | Severity | Controls |
|---|---|---|---|
| 1 | EN-O-1 — ISMS and risk management framework | 🟠 high | SID-ORG-03 |
| 2 | EN-O-2 — Policies and practice statements | 🟠 high | SID-ORG-01, SID-ORG-06, SID-ORG-07 |
| 3 | EN-O-3 — Incident response and fraud management | 🟠 high | SID-OPS-01, SID-OPS-07 |
| 4 | EN-O-4 — Certification scheme operational requirements | 🟡 medium | SID-OPS-02, SID-OPS-05 |
Detailed Guidance
EN-O-1 — ISMS and risk management framework
Establish a formal ISMS or risk management framework (GEN-5-01). Map to CIR risk register (GEN-5-02). ISO 27001 certification recommended (GEN-7.1.1-02). Define formal organizational structure for wallet provider operations (GEN-7.1.1-01).
Framework references:
- EUDI: GEN-5-01, GEN-5-02, GEN-7.1.1-01, GEN-7.1.1-02
EN-O-2 — Policies and practice statements
Create formal practice statement (GEN-6.1-01), terms and conditions (GEN-6.2-01), privacy policy (GEN-6.2-02), and information security policy (GEN-6.3-01). These are prerequisites for wallet provider certification.
Framework references:
- EUDI: GEN-6.1-01, GEN-6.2-01, GEN-6.2-02, GEN-6.3-01
EN-O-3 — Incident response and fraud management
Establish formal incident response plan (GEN-7.9.2-01, CS-I.2-Incident) and fraud detection/management process (GEN-7.9.6-01, CS-I.2-Fraud).
Framework references:
- EUDI: GEN-7.9.2-01, GEN-7.9.6-01, CS-I.2-Incident, CS-I.2-Fraud
EN-O-4 — Certification scheme operational requirements
Document ICT system architecture (CS-I.2-ICT). Establish formal loading and update process (CS-I.3-Load). PID provider certification is separate (CS-I.5-PID, usually national identity authority). Create surveillance process (CS-II.1-Surv) and public security documentation (CS-III-Public).
Framework references:
- EUDI: CS-I.2-ICT, CS-I.3-Load, CS-I.5-PID, CS-II.1-Surv, CS-III-Public
GDPR Deployment Checklist for Data Controllers
GDPR compliance requirements that must be addressed by each deployment operator acting as data controller. These items are not tracked as platform findings — they become actionable when an operator deploys SirosID.
| # | Item | Severity | Controls |
|---|---|---|---|
| 1 | D-1 — MongoDB encryption at rest | 🟡 medium | SID-ORG-01 |
| 2 | D-2 — TLS everywhere | 🟡 medium | SID-ORG-01 |
| 3 | D-3 — Records of Processing Activities (ROPA) | 🟡 medium | SID-ORG-02 |
| 4 | D-4 — Data Protection Impact Assessment (DPIA) | 🟡 medium | SID-ORG-02 |
| 5 | D-5 — Data Processing Agreements | 🟡 medium | SID-ORG-03 |
| 6 | D-6 — Breach notification process | 🟡 medium | SID-ORG-04 |
| 7 | D-7 — Data subject rights procedures | 🟡 medium | SID-ORG-04 |
Detailed Guidance
D-1 — MongoDB encryption at rest
Enable storage engine encryption (WiredTiger encrypted storage engine or equivalent). GDPR Art. 32(1)(a).
D-2 — TLS everywhere
Enforce TLS 1.2+ on all connections: client → API, backend → MongoDB, backend → Redis, FaceTec → external, frontend → WebSocket. GDPR Art. 32(1)(a).
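The two items above (D-1 encryption at rest, D-2 TLS everywhere) are the ones an operator can verify mechanically from configuration. The script below is an added example, not part of SirosID or of this checklist: it flattens constructed `mongod.conf` and `redis.conf` fragments and reports which D-1/D-2 expectations they miss. The weak and hardened fragments, the file paths and the helper names (`parse_simple_yaml`, `audit_mongod`, `audit_redis`) are assumptions made for the example; the option names (`security.enableEncryption`, `security.encryptionKeyFile`, `net.tls.mode`, `net.tls.disabledProtocols`, Redis `port`, `tls-port`, `tls-protocols`) are real MongoDB and Redis settings. One caveat for D-1: `security.enableEncryption` only works with the WiredTiger encrypted storage engine shipped in MongoDB Enterprise (and Atlas); a Community deployment has to meet the "or equivalent" clause with volume-level encryption, which no config audit of mongod can see.

```python
"""Added example (not SirosID code): audit mongod.conf / redis.conf fragments
against checklist items D-1 (encryption at rest) and D-2 (TLS 1.2+ only).
All configuration text below is constructed for illustration."""
from typing import Dict, List, Tuple

# Constructed mongod.conf with settings an operator might ship by default:
# no storage encryption, TLS merely allowed, legacy protocol versions enabled.
WEAK_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
security:
  enableEncryption: false
net:
  port: 27017
  tls:
    mode: allowTLS
"""

# Constructed hardened mongod.conf. enableEncryption needs the Enterprise /
# Atlas WiredTiger encrypted storage engine; the key file path is an assumption.
HARDENED_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
security:
  enableEncryption: true
  encryptionKeyFile: /etc/mongodb/keyfile
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/server.pem
    disabledProtocols: TLS1_0,TLS1_1
"""

# Constructed redis.conf fragments: plaintext listener only vs. TLS-only listener.
WEAK_REDIS_CONF = "port 6379\n"
HARDENED_REDIS_CONF = """\
port 0
tls-port 6379
tls-cert-file /etc/redis/server.crt
tls-key-file /etc/redis/server.key
tls-protocols "TLSv1.2 TLSv1.3"
"""


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten the nested-mapping YAML subset used by mongod.conf into dotted
    keys, e.g. {"net.tls.mode": "requireTLS"}. Deliberately not a full YAML parser."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave sibling/parent scopes
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key.strip()))  # a mapping: children follow
    return flat


def parse_redis_conf(text: str) -> Dict[str, str]:
    """redis.conf is line-oriented: first token is the directive, rest the value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip().strip('"')
    return conf


def audit_mongod(conf_text: str) -> List[str]:
    """Return D-1/D-2 findings for a mongod.conf fragment; empty list means pass."""
    c = parse_simple_yaml(conf_text)
    findings: List[str] = []
    if c.get("security.enableEncryption") != "true":
        findings.append("D-1: security.enableEncryption is not true (no encryption at rest in mongod)")
    elif "security.encryptionKeyFile" not in c and not any(k.startswith("security.kmip.") for k in c):
        findings.append("D-1: encryption enabled but no key source (encryptionKeyFile or kmip) configured")
    mode = c.get("net.tls.mode", "unset")
    if mode != "requireTLS":
        findings.append(f"D-2: net.tls.mode is {mode}, expected requireTLS")
    disabled = {p.strip() for p in c.get("net.tls.disabledProtocols", "").split(",") if p.strip()}
    missing = {"TLS1_0", "TLS1_1"} - disabled
    if missing:
        findings.append("D-2: legacy TLS versions still enabled: " + ", ".join(sorted(missing)))
    return findings


def audit_redis(conf_text: str) -> List[str]:
    """Return D-2 findings for a redis.conf fragment; empty list means pass."""
    c = parse_redis_conf(conf_text)
    findings: List[str] = []
    if c.get("port", "6379") != "0":  # Redis listens in plaintext on 6379 unless port 0
        findings.append("D-2: plaintext Redis port is open (set 'port 0' and serve only tls-port)")
    if c.get("tls-port", "0") == "0":
        findings.append("D-2: no tls-port configured for Redis")
    # Redis's own default is TLSv1.2/1.3; only an explicit legacy version is flagged.
    legacy = set(c.get("tls-protocols", "").split()) & {"TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("D-2: tls-protocols enables " + ", ".join(sorted(legacy)))
    return findings


if __name__ == "__main__":
    for name, result in [("weak mongod", audit_mongod(WEAK_MONGOD_CONF)),
                         ("hardened mongod", audit_mongod(HARDENED_MONGOD_CONF)),
                         ("weak redis", audit_redis(WEAK_REDIS_CONF)),
                         ("hardened redis", audit_redis(HARDENED_REDIS_CONF))]:
        print(f"{name}: {'PASS' if not result else ''}")
        for line in result:
            print("  " + line)
```

Against a real deployment, read the operator's own files in place of the constructed strings. The audit covers only what the two daemons' configuration can show; the remaining D-2 hops (client to API, FaceTec egress, frontend WebSocket) and disk-level encryption for Community MongoDB have to be checked at the proxy, cloud or volume layer.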
D-3 — Records of Processing Activities (ROPA)
Maintain a complete Art. 30 register covering all 11 processing activities identified in the PII inventory. Update to include missing activities and correct inaccuracies.
D-4 — Data Protection Impact Assessment (DPIA)
Conduct a DPIA for the wallet service. The service processes identity documents, biometric data (via FaceTec), and government-issued credentials at scale. GDPR Art. 35.
D-5 — Data Processing Agreements
Execute DPAs with Siros Foundation, FaceTec Inc. (third-country transfer), OIDC identity providers, and hosting/cloud provider. GDPR Art. 28.
D-6 — Breach notification process
Implement 72-hour notification process to supervisory authority (Art. 33) and communication to data subjects (Art. 34). The platform provides audit logs (SID-AUDIT-01) for detection.
D-7 — Data subject rights procedures
Implement procedures for right of access (Art. 15), rectification (Art. 16), erasure (Art. 17, depends on platform P-4), restriction (Art. 18), and data portability (Art. 20).
ISO 27001 Operator Deployment Checklist
ISO/IEC 27001:2022 Annex A requirements that must be addressed by each deployment operator. These items are not tracked as platform findings — they become actionable when an operator deploys SirosID.
| # | Item | Severity | Controls |
|---|---|---|---|
| 1 | ISO-O-1 — Information security policy framework | 🟠 high | SID-ORG-01, SID-ORG-02 |
| 2 | ISO-O-2 — External engagement procedures | 🟡 medium | SID-ORG-05 |
| 3 | ISO-O-3 — Asset management controls | 🟡 medium | |
| 4 | ISO-O-4 — Supplier security management | 🟡 medium | SID-ORG-04 |
| 5 | ISO-O-5 — Incident management framework | 🟠 high | SID-OPS-01 |
| 6 | ISO-O-6 — Business continuity controls | 🟠 high | SID-OPS-02 |
| 7 | ISO-O-7 — Independent review and compliance monitoring | 🟡 medium | |
| 8 | ISO-P-1 — Personnel security controls | 🟡 medium | SID-PPL-01, SID-PPL-02, SID-PPL-03 |
| 9 | ISO-PH-1 — Physical security controls | 🟡 medium | SID-PHY-01, SID-PHY-02 |
| 10 | ISO-T-1 — Capacity management and clock sync | 🟢 low | |
| 11 | ISO-T-2 — Backup and redundancy | 🟠 high | SID-OPS-02, SID-OPS-03 |
| 12 | ISO-T-4 — Software installation and outsourced development controls | 🟢 low | SID-OPS-05 |
Detailed Guidance
ISO-O-1 — Information security policy framework
Create formal information security policy (A.5.1), define roles and responsibilities (A.5.2), and document management responsibilities (A.5.4). These are foundational ISMS requirements.
Framework references:
- ISO 27001: A.5.1, A.5.2, A.5.4
ISO-O-2 — External engagement procedures
Establish procedures for contact with authorities (A.5.5), special interest groups (A.5.6), and tracking legal/regulatory requirements (A.5.31, A.5.32).
Framework references:
- ISO 27001: A.5.5, A.5.6, A.5.31, A.5.32
ISO-O-3 — Asset management controls
Create asset inventory (A.5.9), acceptable use policy (A.5.10), return of assets process (A.5.11), and labelling scheme (A.5.13).
Framework references:
- ISO 27001: A.5.9, A.5.10, A.5.11, A.5.13
ISO-O-4 — Supplier security management
Define supplier security requirements (A.5.19), supplier agreements (A.5.20), and supplier monitoring process (A.5.22). Document cloud services security (A.5.23).
Framework references:
- ISO 27001: A.5.19, A.5.20, A.5.22, A.5.23
ISO-O-5 — Incident management framework
Create incident management planning (A.5.24), response procedures (A.5.26), and lessons-learned process (A.5.27). Critical for operational readiness.
Framework references:
- ISO 27001: A.5.24, A.5.26, A.5.27
ISO-O-6 — Business continuity controls
Establish continuity planning (A.5.29) and ICT readiness for continuity (A.5.30). Combined with backup (A.8.13) and redundancy (A.8.14), this is a high-impact gap cluster.
Framework references:
- ISO 27001: A.5.29, A.5.30
ISO-O-7 — Independent review and compliance monitoring
Arrange independent security review (A.5.35), compliance monitoring (A.5.36), and document operating procedures (A.5.37).
Framework references:
- ISO 27001: A.5.35, A.5.36, A.5.37
ISO-P-1 — Personnel security controls
Implement screening (A.6.1), employment T&C (A.6.2), security awareness training (A.6.3), disciplinary process (A.6.4), termination procedures (A.6.5), NDA framework (A.6.6), and remote working policy (A.6.7).
Framework references:
- ISO 27001: A.6.1, A.6.2, A.6.3, A.6.4, A.6.5, A.6.6, A.6.7
ISO-PH-1 — Physical security controls
Establish physical perimeters (A.7.1), entry controls (A.7.2), facility security (A.7.3-6), supporting utilities (A.7.11), and cabling security (A.7.12). Equipment controls: clear desk (A.7.7), equipment siting (A.7.8), off-premises security (A.7.9), maintenance (A.7.13), and disposal (A.7.14).
Framework references:
- ISO 27001: A.7.1, A.7.2, A.7.3, A.7.4, A.7.5, A.7.6, A.7.7, A.7.8, A.7.9, A.7.11, A.7.12, A.7.13, A.7.14
ISO-T-1 — Capacity management and clock sync
Implement capacity management (A.8.6), information deletion policy (A.8.10), and clock synchronization (A.8.17).
Framework references:
- ISO 27001: A.8.6, A.8.10, A.8.17
ISO-T-2 — Backup and redundancy
Establish information backup procedures (A.8.13) and redundancy of processing facilities (A.8.14). Critical for data protection and business continuity.
Framework references:
- ISO 27001: A.8.13, A.8.14
ISO-T-4 — Software installation and outsourced development controls
Define formal software installation controls (A.8.19) and outsourced development procedures (A.8.30). Define audit testing protection (A.8.34).
Framework references:
- ISO 27001: A.8.19, A.8.30, A.8.34