ISO/IEC 27001:2022 Annex A Coverage

93 Annex A controls: 81 covered, 12 operator only.
Annex A Control Mapping
| ISO Control | Coverage | SID Controls | Notes |
|---|---|---|---|
| A.5.1 Policies for information security | none | SID-ORG-01 | Operator must create and publish security policy. |
| A.5.2 Information security roles and responsibilities | none | SID-ORG-02 | |
| A.5.3 Segregation of duties | partial | SID-ORG-02, SID-ACCESS-01 | Platform enforces multi-tenant isolation; operator must segregate operational duties. |
| A.5.4 Management responsibilities | none | SID-ORG-01 | |
| A.5.5 Contact with authorities | none | SID-ORG-05 | |
| A.5.6 Contact with special interest groups | none | SID-ORG-05 | |
| A.5.7 Threat intelligence | partial | SID-ORG-03, SID-TRUST-02 | Platform provides trust registry intelligence; operator must monitor threat landscape. |
| A.5.8 Information security in project management | none | SID-OPS-08 | |
| A.5.9 Inventory of information and other associated assets | none | | Operator must maintain asset inventory. Platform assets documented in setup_project.py. |
| A.5.10 Acceptable use of information and other associated assets | none | SID-ORG-07 | |
| A.5.11 Return of assets | none | | |
| A.5.12 Classification of information | partial | SID-DATA-01, SID-DATA-02 | Platform classifies credential sensitivity via selective disclosure; operator must classify opera... |
| A.5.13 Labelling of information | none | | |
| A.5.14 Information transfer | full | SID-TRANS-01, SID-TRANS-02, SID-TRANS-03 | All transfers via TLS 1.2+, OID4VCI, OID4VP protocols. |
| A.5.15 Access control | full | SID-AUTH-01, SID-AUTH-02, SID-ACCESS-01, SID-ACCESS-02, SID-ACCESS-03 | FIDO2 auth, JWT sessions, multi-tenant isolation, rate limiting, consent. |
| A.5.16 Identity management | full | SID-AUTH-01, SID-AUTH-03 | WebAuthn identity binding + OIDC gate for external IdPs. |
| A.5.17 Authentication information | full | SID-AUTH-01, SID-CRYPTO-02, SID-CRYPTO-03 | FIDO2 credentials, PRF-derived keys, encrypted keystore. |
| A.5.18 Access rights | partial | SID-ACCESS-01, SID-ACCESS-04 | Platform enforces tenant isolation + SPOCP; operator manages user provisioning. |
| A.5.19 Information security in supplier relationships | none | SID-ORG-04 | |
| A.5.20 Addressing information security within supplier agreements | none | SID-ORG-04 | |
| A.5.21 Managing information security in the ICT supply chain | partial | SID-ORG-04, SID-OPS-04 | Platform: SBOM monitoring, dependency scanning. Operator: supply chain risk management. |
| A.5.22 Monitor, review and change management of supplier services | none | SID-ORG-04 | |
| A.5.23 Information security for use of cloud services | none | | Operator must assess cloud provider security if using cloud hosting. |
| A.5.24 Information security incident management planning and preparation | none | SID-OPS-01 | |
| A.5.25 Assessment and decision on information security events | partial | SID-OPS-01, SID-AUDIT-01 | Platform provides structured event logging; operator must classify and assess. |
| A.5.26 Response to information security incidents | none | SID-OPS-01 | |
| A.5.27 Learning from information security incidents | none | SID-OPS-01 | |
| A.5.28 Collection of evidence | partial | SID-AUDIT-01 | Platform produces structured audit logs; operator must preserve and manage evidence. |
| A.5.29 Information security during disruption | none | SID-OPS-02 | |
| A.5.30 ICT readiness for business continuity | none | SID-OPS-02 | |
| A.5.31 Legal, statutory, regulatory and contractual requirements | none | SID-ORG-05 | |
| A.5.32 Intellectual property rights | none | SID-ORG-05 | |
| A.5.33 Protection of records | partial | SID-CRYPTO-03, SID-OPS-03 | Platform encrypts credential records; operator must manage retention and backup. |
| A.5.34 Privacy and protection of PII | partial | SID-PRIV-01, SID-DATA-01, SID-DATA-02 | Platform provides selective disclosure and data minimization; operator handles DPIA, consent reco... |
| A.5.35 Independent review of information security | none | | |
| A.5.36 Compliance with policies, rules and standards for information security | none | | |
| A.5.37 Documented operating procedures | none | SID-ORG-06 | |
| A.6.1 Screening | none | SID-PPL-01 | |
| A.6.2 Terms and conditions of employment | none | SID-PPL-01 | |
| A.6.3 Information security awareness, education and training | none | SID-PPL-02 | |
| A.6.4 Disciplinary process | none | | |
| A.6.5 Responsibilities after termination or change of employment | none | | |
| A.6.6 Confidentiality or non-disclosure agreements | none | SID-PPL-03 | |
| A.6.7 Remote working | none | | |
| A.6.8 Information security event reporting | partial | SID-PPL-04, SID-AUDIT-01 | Platform provides event logging; operator must define reporting procedures. |
| A.7.1 Physical security perimeters | none | SID-PHY-01 | |
| A.7.2 Physical entry | none | SID-PHY-01 | |
| A.7.3 Securing offices, rooms and facilities | none | SID-PHY-01 | |
| A.7.4 Physical security monitoring | none | SID-PHY-01 | |
| A.7.5 Protecting against physical and environmental threats | none | SID-PHY-01 | |
| A.7.6 Working in secure areas | none | SID-PHY-01 | |
| A.7.7 Clear desk and clear screen | none | SID-PHY-02 | |
| A.7.8 Equipment siting and protection | none | SID-PHY-02 | |
| A.7.9 Security of assets off-premises | none | SID-PHY-02 | |
| A.7.10 Storage media | partial | SID-PHY-02, SID-CRYPTO-03 | Platform encrypts data at rest; operator manages media handling. |
| A.7.11 Supporting utilities | none | SID-PHY-01 | |
| A.7.12 Cabling security | none | SID-PHY-01 | |
| A.7.13 Equipment maintenance | none | SID-PHY-02 | |
| A.7.14 Secure disposal or re-use of equipment | none | SID-PHY-02 | |
| A.8.1 User end point devices | partial | SID-HARD-05, SID-CRYPTO-02 | Platform secures browser endpoint; operator may need to manage mobile devices. |
| A.8.2 Privileged access rights | partial | SID-AUTH-02, SID-HARD-03 | Platform separates admin API on dedicated port; operator manages admin user lifecycle. |
| A.8.3 Information access restriction | full | SID-ACCESS-01, SID-ACCESS-03, SID-ACCESS-04 | Multi-tenant isolation, SPOCP authorization, user consent. |
| A.8.4 Access to source code | none | SID-OPS-08 | Open-source repos with branch protection; operator must manage deployment pipeline access. |
| A.8.5 Secure authentication | full | SID-AUTH-01, SID-AUTH-02, SID-AUTH-03, SID-AUTH-04 | FIDO2/WebAuthn, JWT, OIDC, WebSocket auth. |
| A.8.6 Capacity management | none | | Operator must plan capacity for wallet service. |
| A.8.7 Protection against malware | partial | SID-OPS-04, SID-HARD-05 | Platform: CSP, SRI, SVG sanitization. Operator: endpoint protection on servers. |
| A.8.8 Management of technical vulnerabilities | partial | SID-OPS-04 | Platform: dependency scanning. Operator: vulnerability management process. |
| A.8.9 Configuration management | partial | SID-OPS-05 | Platform: confit configuration tool. Operator: production config management. |
| A.8.10 Information deletion | none | | Operator must define data retention and deletion procedures per GDPR. |
| A.8.11 Data masking | full | SID-DATA-01, SID-DATA-02, SID-PRIV-01 | SD-JWT and mDOC selective disclosure provide cryptographic data masking. |
| A.8.12 Data leakage prevention | partial | SID-HARD-01, SID-HARD-05, SID-PRIV-01 | Platform: error sanitization, CSP, minimal disclosure. Operator: DLP on infrastructure. |
| A.8.13 Information backup | none | SID-OPS-03 | |
| A.8.14 Redundancy of information processing facilities | none | SID-OPS-02 | |
| A.8.15 Logging | partial | SID-AUDIT-01, SID-OPS-06 | Platform: structured JSON logging. Operator: SIEM, retention, analysis. |
| A.8.16 Monitoring activities | partial | SID-AUDIT-01, SID-OPS-06 | |
| A.8.17 Clock synchronization | none | | Operator must configure NTP on all wallet service hosts. |
| A.8.18 Use of privileged utility programs | partial | SID-HARD-03 | Platform separates admin API; operator must restrict host-level utilities. |
| A.8.19 Installation of software on operational systems | none | SID-OPS-05 | |
| A.8.20 Networks security | partial | SID-TRANS-01, SID-TRANS-04 | Platform: TLS, SSRF protection. Operator: network security architecture. |
| A.8.21 Security of network services | partial | SID-TRANS-01, SID-TRANS-04 | |
| A.8.22 Segregation of networks | partial | SID-HARD-03 | Platform: separate admin/engine/public ports. Operator: network segmentation. |
| A.8.23 Web filtering | partial | SID-TRANS-04 | Platform: SafeHTTPClient blocks private IPs. Operator: outbound web filtering. |
| A.8.24 Use of cryptography | full | SID-CRYPTO-01, SID-CRYPTO-02, SID-CRYPTO-03, SID-CRYPTO-04, SID-CRYPTO-05, SID-KEY-01, SID-KEY-02 | Comprehensive cryptographic controls: HSM, PRF, AES-GCM, COSE, secure RNG, WSCA, IACA. |
| A.8.25 Secure development life cycle | none | SID-OPS-08 | |
| A.8.26 Application security requirements | full | SID-HARD-02, SID-HARD-04, SID-HARD-05 | Input validation, secure registration, browser security controls. |
| A.8.27 Secure system architecture and engineering principles | full | SID-HARD-03, SID-ACCESS-01, SID-KEY-01 | Network segmentation, multi-tenant isolation, WSCA delegation architecture. |
| A.8.28 Secure coding | full | SID-HARD-01, SID-HARD-02, SID-TRANS-04 | Error sanitization, input validation, SSRF protection. |
| A.8.29 Security testing in development and acceptance | none | SID-OPS-08 | |
| A.8.30 Outsourced development | none | SID-ORG-04 | |
| A.8.31 Separation of development, test and production environments | none | SID-OPS-08 | |
| A.8.32 Change management | none | SID-OPS-05 | |
| A.8.33 Test information | none | SID-OPS-08 | |
| A.8.34 Protection of information systems during audit testing | none | SID-OPS-08 | |
Related Audit Findings
| Finding | Severity | Status | Owner | Controls |
|---|---|---|---|---|
| ISO-O-8 — Partial segregation of duties | 🟢 low | open | platform | SID-ORG-02, SID-ACCESS-01 |
| ISO-O-9 — Partial threat intelligence coverage | 🟡 medium | open | platform | SID-ORG-03, SID-TRUST-02 |
| ISO-O-10 — Partial information classification | 🟢 low | open | platform | SID-DATA-01, SID-DATA-02 |
| ISO-O-11 — Partial access rights management | 🟢 low | open | platform | SID-ACCESS-01, SID-ACCESS-04 |
| ISO-O-12 — Partial supply chain security | 🟡 medium | open | platform | SID-ORG-04, SID-OPS-04 |
| ISO-O-13 — Partial incident assessment and evidence handling | 🟡 medium | open | platform | SID-OPS-01, SID-AUDIT-01 |
| ISO-O-14 — Partial PII protection | 🟠 high | open | platform | SID-PRIV-01, SID-DATA-01, SID-DATA-02 |
| ISO-P-2 — Partial security event reporting | 🟢 low | open | platform | SID-PPL-04, SID-AUDIT-01 |
| ISO-PH-2 — Partial storage media controls | 🟢 low | open | platform | SID-PHY-02, SID-CRYPTO-03 |
| ISO-T-3 — Secure development lifecycle gaps | 🟡 medium | open | platform | SID-OPS-08 |
| ISO-T-5 — Partial endpoint and privileged access controls | 🟡 medium | open | platform | SID-AUTH-02, SID-HARD-03, SID-HARD-05, SID-CRYPTO-02 |
| ISO-T-6 — Partial vulnerability and malware protection | 🟡 medium | open | platform | SID-OPS-04, SID-HARD-05 |
| ISO-T-7 — Partial logging and monitoring | 🟡 medium | open | platform | SID-AUDIT-01, SID-OPS-06 |
| ISO-T-8 — Partial network security | 🟡 medium | open | platform | SID-TRANS-01, SID-TRANS-04, SID-HARD-03 |
| ISO-T-9 — Partial data leakage prevention | 🟢 low | open | platform | SID-HARD-01, SID-HARD-05, SID-PRIV-01 |