Organization: Foundry Labs, Inc.
Report Date: July 11, 2026
This SoA is derived from the automated checks and manual controls currently tracked in this instance. Controls with mapped evidence are marked Included; controls with none are marked Excludedwith a placeholder justification. Before submitting to an auditor, review each row and record your organization's own applicability decision and justification — this page is a starting point, not a signed SoA.
| Code | Control | Applicability | Status | Evidence | Justification |
|---|---|---|---|---|---|
| 5.1 | Information security policies | included | Implemented | Manual: Information security policy approved | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.2 | Security roles and responsibilities | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.3 | Separation of conflicting duties | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.4 | Management responsibilities for security | included | Implemented | Manual: Management information security oversight | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.5 | Contact with authorities | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.6 | Contact with special interest groups | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.7 | Threat intelligence | included | Not yet | Manual: Fraud risk assessment | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.8 | Security in project management | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.9 | Inventory of information and other assets | included | Not yet | Manual: Information asset inventory maintained | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.10 | Acceptable use of information and other assets | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.11 | Return of assets | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.12 | Classification of information | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.13 | Labelling of information | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.14 | Information transfer | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.15 | Access control policy | included | Partial | Check: Key Vaults use Azure RBAC; Check: The default VPC network has been removed; Check: Uniform bucket-level access enabled on GCS buckets | Included: evidence in Scorifya Controls covers this Annex A control (3 items mapped). |
| 5.16 | Identity management | included | Implemented | Check: No credentials unused for 90+ days; Check: No stale Azure AD guest users | Included: evidence in Scorifya Controls covers this Annex A control (2 items mapped). |
| 5.17 | Authentication information | included | Partial | Check: Service account keys not older than 90 days; Check: Strong password policy configured | Included: evidence in Scorifya Controls covers this Annex A control (2 items mapped). |
| 5.18 | Access rights | included | Implemented | Manual: Quarterly user access review | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.19 | Security in supplier relationships | included | Implemented | Manual: Annual vendor security review | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.20 | Security in supplier agreements | included | Not yet | Manual: Vendor DPAs / BAAs in place | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.21 | Security in the ICT supply chain | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.22 | Monitoring and review of supplier services | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.23 | Security for use of cloud services | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.24 | Incident management planning and preparation | included | Partial | Manual: Annual IR tabletop exercise; Manual: Incident response plan documented | Included: evidence in Scorifya Controls covers this Annex A control (2 items mapped). |
| 5.25 | Assessment and decision on security events | included | Implemented | Check: CloudWatch alarm for root account usage | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.26 | Response to security incidents | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.27 | Learning from security incidents | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.28 | Collection of evidence | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.29 | Security during disruption | included | Not yet | Manual: Business continuity plan documented | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.30 | ICT readiness for business continuity | included | Not yet | Manual: Annual disaster recovery test | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 5.31 | Legal, statutory, regulatory, and contractual requirements | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.32 | Intellectual property rights | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.33 | Protection of records | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.34 | Privacy and protection of personal data | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.35 | Independent review of information security | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.36 | Compliance with policies, rules, and standards | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 5.37 | Documented operating procedures | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| Code | Control | Applicability | Status | Evidence | Justification |
|---|---|---|---|---|---|
| 6.1 | Personnel screening | included | Implemented | Manual: Background checks for new hires | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 6.2 | Terms and conditions of employment | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 6.3 | Security awareness, education, and training | included | Implemented | Manual: Annual security awareness training | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 6.4 | Disciplinary process | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 6.5 | Responsibilities after termination or change of employment | included | Not yet | Manual: Offboarding access revoked within 24h | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 6.6 | Confidentiality and non-disclosure agreements | included | Implemented | Manual: NDAs signed by all employees | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 6.7 | Remote working | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 6.8 | Reporting security events | included | Not yet | Manual: Breach notification process documented | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| Code | Control | Applicability | Status | Evidence | Justification |
|---|---|---|---|---|---|
| 7.1 | Physical security perimeters | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.2 | Physical entry | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.3 | Securing offices, rooms, and facilities | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.4 | Physical security monitoring | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.5 | Protection against physical and environmental threats | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.6 | Working in secure areas | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.7 | Clear desk and clear screen | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.8 | Equipment siting and protection | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.9 | Security of assets off premises | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.10 | Storage media | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.11 | Supporting utilities | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.12 | Cabling security | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.13 | Equipment maintenance | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 7.14 | Secure disposal or re-use of equipment | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| Code | Control | Applicability | Status | Evidence | Justification |
|---|---|---|---|---|---|
| 8.1 | User endpoint devices | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.2 | Privileged access rights | included | Partial | Check: OS Login is enforced at the project level; Check: Primitive IAM roles (Owner/Editor) not assigned to users; Check: Privileged Identity Management activated for admin roles; Check: Root account has no active access keys; Manual: Privileged access reviewed quarterly | Included: evidence in Scorifya Controls covers this Annex A control (5 items mapped). |
| 8.3 | Restriction of information access | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.4 | Access to source code | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.5 | Secure authentication | included | Partial | Check: 2-Step Verification enforced for all Google Workspace users; Check: 2FA required for all org members; Check: MFA enabled for all IAM users; Check: MFA enforced via Security Defaults or Conditional Access | Included: evidence in Scorifya Controls covers this Annex A control (4 items mapped). |
| 8.6 | Capacity management | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.7 | Protection against malware | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.8 | Management of technical vulnerabilities | included | Partial | Check: Dependabot security alerts enabled; Manual: Annual penetration test | Included: evidence in Scorifya Controls covers this Annex A control (2 items mapped). |
| 8.9 | Configuration management | included | Implemented | Check: RDS instances use non-default master username | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 8.10 | Information deletion | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.11 | Data masking | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.12 | Data leakage prevention | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.13 | Information backup | included | Not yet | Check: S3 versioning enabled on critical buckets | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 8.14 | Redundancy of information processing facilities | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.15 | Logging | included | Partial | Check: Azure Activity Log diagnostic settings configured; Check: Azure SQL server-level auditing enabled; Check: Cloud Audit Logs enabled for all services; Check: CloudTrail enabled in all regions; Check: CloudTrail log file validation enabled; Check: CloudWatch log groups retain at least 12 months; Check: Log Analytics workspaces retain logs for 90+ days; Check: Long-term log sink configured | Included: evidence in Scorifya Controls covers this Annex A control (8 items mapped). |
| 8.16 | Monitoring activities | included | Partial | Check: GuardDuty enabled in all regions; Check: Microsoft Defender for Cloud enabled on key workloads; Check: VPC Flow Logs enabled; Check: VPC Flow Logs enabled on all subnets | Included: evidence in Scorifya Controls covers this Annex A control (4 items mapped). |
| 8.17 | Clock synchronization | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.18 | Use of privileged utility programs | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.19 | Installation of software on operational systems | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.20 | Network security | included | Partial | Check: Azure Storage account public blob access disabled; Check: GCS buckets block public access; Check: No NSG rule opens SSH/RDP to the internet; Check: No firewall rule opens SSH/RDP to the internet; Check: No security groups expose SSH/RDP/DB ports to the internet; Check: S3 public access block enabled | Included: evidence in Scorifya Controls covers this Annex A control (6 items mapped). |
| 8.21 | Security of network services | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.22 | Segregation of networks | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.23 | Web filtering | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.24 | Use of cryptography | included | Partial | Check: Azure Key Vault in use for secrets management; Check: Azure PostgreSQL enforces SSL; Check: Azure SQL Transparent Data Encryption enabled; Check: Azure managed disks encrypted at rest; Check: Cloud SQL instances encrypted at rest; Check: Cloud SQL requires SSL connections; Check: Compute Engine disks are encrypted; Check: EBS default encryption enabled; Check: KMS symmetric keys rotate within 90 days; Check: Load balancer HTTPS listeners require TLS 1.2 or higher; Check: RDS instances encrypted at rest; Check: RDS instances enforce TLS at the parameter group; Check: S3 buckets encrypted at rest; Check: Secret scanning enabled; Check: Storage accounts require HTTPS | Included: evidence in Scorifya Controls covers this Annex A control (15 items mapped). |
| 8.25 | Secure development life-cycle | included | Not yet | Manual: Security requirements in SDLC | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 8.26 | Application security requirements | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.27 | Secure system architecture and engineering principles | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.28 | Secure coding | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.29 | Security testing in development and acceptance | included | Not yet | Check: Required status checks on default branch | Included: evidence in Scorifya Controls covers this Annex A control (1 item mapped). |
| 8.30 | Outsourced development | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.31 | Separation of development, test, and production environments | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.32 | Change management | included | Not yet | Check: Default branch protection enabled; Manual: Change management approval process | Included: evidence in Scorifya Controls covers this Annex A control (2 items mapped). |
| 8.33 | Test information | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
| 8.34 | Protection of information systems during audit testing | excluded | N/A | — | Excluded: no evidence in Scorifya Controls maps to this Annex A control. Customer to document their applicability decision and justification. |
Generated by Scorifya Controls · July 11, 2026 · ISO/IEC 27001:2022 Annex A Statement of Applicability for Foundry Labs, Inc.