Read-only demo with fictional data (Foundry Labs, Inc.). Nothing here is a real company.Get Controls for your own stack →

Statement of Applicability — ISO/IEC 27001:2022

Organization: Foundry Labs, Inc.

Report Date: July 11, 2026

This SoA is derived from the automated checks and manual controls currently tracked in this instance. Controls with mapped evidence are marked Included; controls with none are marked Excludedwith a placeholder justification. Before submitting to an auditor, review each row and record your organization's own applicability decision and justification — this page is a starting point, not a signed SoA.

93
Total Annex A controls
31
Included
10
Implemented
11
Not yet

Organizational (5.x)

CodeControlApplicabilityStatusEvidenceJustification
5.1Information security policiesincludedImplementedManual: Information security policy approvedIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.2Security roles and responsibilitiesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.3Separation of conflicting dutiesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.4Management responsibilities for securityincludedImplementedManual: Management information security oversightIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.5Contact with authoritiesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.6Contact with special interest groupsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.7Threat intelligenceincludedNot yetManual: Fraud risk assessmentIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.8Security in project managementexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.9Inventory of information and other assetsincludedNot yetManual: Information asset inventory maintainedIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.10Acceptable use of information and other assetsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.11Return of assetsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.12Classification of informationexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.13Labelling of informationexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.14Information transferexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.15Access control policyincludedPartialCheck: Key Vaults use Azure RBAC; Check: The default VPC network has been removed; Check: Uniform bucket-level access enabled on GCS bucketsIncluded: evidence in Scorifya Controls covers this Annex A control (3 items mapped).
5.16Identity managementincludedImplementedCheck: No credentials unused for 90+ days; Check: No stale Azure AD guest usersIncluded: evidence in Scorifya Controls covers this Annex A control (2 items mapped).
5.17Authentication informationincludedPartialCheck: Service account keys not older than 90 days; Check: Strong password policy configuredIncluded: evidence in Scorifya Controls covers this Annex A control (2 items mapped).
5.18Access rightsincludedImplementedManual: Quarterly user access reviewIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.19Security in supplier relationshipsincludedImplementedManual: Annual vendor security reviewIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.20Security in supplier agreementsincludedNot yetManual: Vendor DPAs / BAAs in placeIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.21Security in the ICT supply chainexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.22Monitoring and review of supplier servicesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.23Security for use of cloud servicesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.24Incident management planning and preparationincludedPartialManual: Annual IR tabletop exercise; Manual: Incident response plan documentedIncluded: evidence in Scorifya Controls covers this Annex A control (2 items mapped).
5.25Assessment and decision on security eventsincludedImplementedCheck: CloudWatch alarm for root account usageIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.26Response to security incidentsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.27Learning from security incidentsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.28Collection of evidenceexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.29Security during disruptionincludedNot yetManual: Business continuity plan documentedIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.30ICT readiness for business continuityincludedNot yetManual: Annual disaster recovery testIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
5.31Legal, statutory, regulatory, and contractual requirementsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.32Intellectual property rightsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.33Protection of recordsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.34Privacy and protection of personal dataexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.35Independent review of information securityexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.36Compliance with policies, rules, and standardsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
5.37Documented operating proceduresexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.

People (6.x)

CodeControlApplicabilityStatusEvidenceJustification
6.1Personnel screeningincludedImplementedManual: Background checks for new hiresIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
6.2Terms and conditions of employmentexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
6.3Security awareness, education, and trainingincludedImplementedManual: Annual security awareness trainingIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
6.4Disciplinary processexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
6.5Responsibilities after termination or change of employmentincludedNot yetManual: Offboarding access revoked within 24hIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
6.6Confidentiality and non-disclosure agreementsincludedImplementedManual: NDAs signed by all employeesIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
6.7Remote workingexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
6.8Reporting security eventsincludedNot yetManual: Breach notification process documentedIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).

Physical (7.x)

CodeControlApplicabilityStatusEvidenceJustification
7.1Physical security perimetersexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.2Physical entryexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.3Securing offices, rooms, and facilitiesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.4Physical security monitoringexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.5Protection against physical and environmental threatsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.6Working in secure areasexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.7Clear desk and clear screenexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.8Equipment siting and protectionexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.9Security of assets off premisesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.10Storage mediaexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.11Supporting utilitiesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.12Cabling securityexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.13Equipment maintenanceexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
7.14Secure disposal or re-use of equipmentexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.

Technological (8.x)

CodeControlApplicabilityStatusEvidenceJustification
8.1User endpoint devicesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.2Privileged access rightsincludedPartialCheck: OS Login is enforced at the project level; Check: Primitive IAM roles (Owner/Editor) not assigned to users; Check: Privileged Identity Management activated for admin roles; Check: Root account has no active access keys; Manual: Privileged access reviewed quarterlyIncluded: evidence in Scorifya Controls covers this Annex A control (5 items mapped).
8.3Restriction of information accessexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.4Access to source codeexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.5Secure authenticationincludedPartialCheck: 2-Step Verification enforced for all Google Workspace users; Check: 2FA required for all org members; Check: MFA enabled for all IAM users; Check: MFA enforced via Security Defaults or Conditional AccessIncluded: evidence in Scorifya Controls covers this Annex A control (4 items mapped).
8.6Capacity managementexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.7Protection against malwareexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.8Management of technical vulnerabilitiesincludedPartialCheck: Dependabot security alerts enabled; Manual: Annual penetration testIncluded: evidence in Scorifya Controls covers this Annex A control (2 items mapped).
8.9Configuration managementincludedImplementedCheck: RDS instances use non-default master usernameIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
8.10Information deletionexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.11Data maskingexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.12Data leakage preventionexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.13Information backupincludedNot yetCheck: S3 versioning enabled on critical bucketsIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
8.14Redundancy of information processing facilitiesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.15LoggingincludedPartialCheck: Azure Activity Log diagnostic settings configured; Check: Azure SQL server-level auditing enabled; Check: Cloud Audit Logs enabled for all services; Check: CloudTrail enabled in all regions; Check: CloudTrail log file validation enabled; Check: CloudWatch log groups retain at least 12 months; Check: Log Analytics workspaces retain logs for 90+ days; Check: Long-term log sink configuredIncluded: evidence in Scorifya Controls covers this Annex A control (8 items mapped).
8.16Monitoring activitiesincludedPartialCheck: GuardDuty enabled in all regions; Check: Microsoft Defender for Cloud enabled on key workloads; Check: VPC Flow Logs enabled; Check: VPC Flow Logs enabled on all subnetsIncluded: evidence in Scorifya Controls covers this Annex A control (4 items mapped).
8.17Clock synchronizationexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.18Use of privileged utility programsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.19Installation of software on operational systemsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.20Network securityincludedPartialCheck: Azure Storage account public blob access disabled; Check: GCS buckets block public access; Check: No NSG rule opens SSH/RDP to the internet; Check: No firewall rule opens SSH/RDP to the internet; Check: No security groups expose SSH/RDP/DB ports to the internet; Check: S3 public access block enabledIncluded: evidence in Scorifya Controls covers this Annex A control (6 items mapped).
8.21Security of network servicesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.22Segregation of networksexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.23Web filteringexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.24Use of cryptographyincludedPartialCheck: Azure Key Vault in use for secrets management; Check: Azure PostgreSQL enforces SSL; Check: Azure SQL Transparent Data Encryption enabled; Check: Azure managed disks encrypted at rest; Check: Cloud SQL instances encrypted at rest; Check: Cloud SQL requires SSL connections; Check: Compute Engine disks are encrypted; Check: EBS default encryption enabled; Check: KMS symmetric keys rotate within 90 days; Check: Load balancer HTTPS listeners require TLS 1.2 or higher; Check: RDS instances encrypted at rest; Check: RDS instances enforce TLS at the parameter group; Check: S3 buckets encrypted at rest; Check: Secret scanning enabled; Check: Storage accounts require HTTPSIncluded: evidence in Scorifya Controls covers this Annex A control (15 items mapped).
8.25Secure development life-cycleincludedNot yetManual: Security requirements in SDLCIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
8.26Application security requirementsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.27Secure system architecture and engineering principlesexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.28Secure codingexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.29Security testing in development and acceptanceincludedNot yetCheck: Required status checks on default branchIncluded: evidence in Scorifya Controls covers this Annex A control (1 item mapped).
8.30Outsourced developmentexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.31Separation of development, test, and production environmentsexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.32Change managementincludedNot yetCheck: Default branch protection enabled; Manual: Change management approval processIncluded: evidence in Scorifya Controls covers this Annex A control (2 items mapped).
8.33Test informationexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.
8.34Protection of information systems during audit testingexcludedN/AExcluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification.

Generated by Scorifya Controls · July 11, 2026 · ISO/IEC 27001:2022 Annex A Statement of Applicability for Foundry Labs, Inc.