Organisation: Shaping Tomorrow
Purpose: This document provides a concise, customer-facing statement of alignment with ISO/IEC 27001 and a mapping of key ISO 27001 clauses and Annex A control domains to Shaping Tomorrow's policies, processes, and operational evidence. It is intended to demonstrate information security maturity in lieu of formal ISO 27001 certification.
1. Statement of Alignment
Shaping Tomorrow operates an Information Security Management Framework that is aligned with the principles, structure, and intent of ISO/IEC 27001. While we are not currently ISO/IEC 27001 certified, we:
- Apply a risk-based approach to information security
- Maintain documented security policies and procedures
- Implement technical and organisational controls consistent with ISO 27001 Annex A
- Review and improve controls on an ongoing basis
This alignment statement and control mapping are provided to support customer due diligence, procurement, and security assurance activities.
2. Scope of Alignment
The scope of this alignment covers:
- The Shaping Tomorrow platform and supporting cloud infrastructure
- Customer data processed within the platform
- Internal systems, tools, and endpoints used by employees and contractors
- Third-party services that support platform delivery
3. ISO/IEC 27001 Clause Alignment (Management System)
| ISO 27001 Clause | Control Intent | Shaping Tomorrow Approach | Evidence Available |
|---|---|---|---|
| Clause 4 – Context of the organisation | Understand internal and external issues and stakeholder needs | Information security risks and customer requirements considered in business planning | Information Security Policy; risk assessment outputs |
| Clause 5 – Leadership | Leadership commitment and accountability | Senior management oversight; nominated Information Security Lead | Information Security Policy; management reviews |
| Clause 6 – Planning | Risk assessment and treatment | Periodic risk assessments; documented risk treatment decisions | Risk register; mitigation plans |
| Clause 7 – Support | Resources, competence, awareness, documentation | Security responsibilities defined; onboarding includes security awareness | Policies; onboarding materials |
| Clause 8 – Operation | Implement and operate controls | Documented operational security processes | Change management records; access reviews |
| Clause 9 – Performance evaluation | Monitoring, review, and audit | Regular review of controls and incidents | Review notes; incident logs |
| Clause 10 – Improvement | Continuous improvement | Lessons learned from incidents and reviews feed improvements | Updated policies; corrective actions |
4. ISO/IEC 27001 Annex A Control Mapping
The table below maps the primary ISO 27001 Annex A control domains to Shaping Tomorrow controls and evidence.
| Annex A Domain | Control Objective | Shaping Tomorrow Controls | Evidence / Artefacts |
|---|---|---|---|
| A.5 – Information security policies | Direction and support for information security | Documented Information Security Policy reviewed annually | Information Security Policy |
| A.6 – Organisation of information security | Clear roles and responsibilities | Defined security ownership; segregation of duties | Role descriptions; policy statements |
| A.7 – Human resource security | Security before, during, and after employment | Access granted on least-privilege basis; access revoked on role change/exit | Access control procedures |
| A.8 – Asset management | Identify and protect information assets | Data classified; customer data treated as confidential | Asset inventory; data handling guidelines |
| A.9 – Access control | Restrict access to information and systems | Role-based access control; MFA where supported | Access control policy; system configurations |
| A.10 – Cryptography | Protect data confidentiality and integrity | Encryption in transit; encryption at rest where appropriate | Architecture diagrams; platform controls |
| A.11 – Physical & environmental security | Prevent unauthorised physical access | Cloud-hosted infrastructure with provider-managed physical security | Cloud provider compliance statements |
| A.12 – Operations security | Secure system operations | Logging, monitoring, patching, controlled change management | Change records; monitoring logs |
| A.13 – Communications security | Secure data in networks | Secure network architecture; TLS for data in transit | Platform security architecture |
| A.14 – System acquisition, development & maintenance | Security built into systems | Secure development practices; dependency updates | Development practices; release controls |
| A.15 – Supplier relationships | Protect data handled by suppliers | Supplier due diligence; contractual controls | Supplier assessments; DPAs |
| A.16 – Incident management | Timely and effective response to incidents | Documented incident response process; customer notification | Incident response procedure; incident logs |
| A.17 – Business continuity | Maintain availability during disruption | Regular backups; cloud redundancy; recovery planning | Backup policies; DR arrangements |
| A.18 – Compliance | Meet legal and contractual obligations | GDPR compliance; contractual security commitments | Privacy policy; contracts |
5. Evidence Provision
Supporting evidence can be provided to customers upon reasonable request, including:
- Information Security Policy
- Incident Response Process description
- Access control and user management procedures
- Supplier security assurance statements
- High-level platform security architecture overview
6. Disclaimer
This alignment statement demonstrates Shaping Tomorrow's conformance with ISO/IEC 27001 principles and control intent. It does not represent formal certification or third-party audit assurance, but reflects a pragmatic, proportionate, and continuously improving approach to information security.
Document Owner: Edward Chanter, Information Security Lead
Review Frequency: Annual or upon significant change
Last Review: 1 December 2025