Nutan · Compliance Attestation

NUT-ISO27K-001

ISO 27001 Controls Mapping

Mapping of Nutan's technical and operational controls to ISO 27001:2022 Annex A.

Public · AI-generated

AI-generated attestation. This report is produced automatically by Nutan's AI from our codebase, deployment state, and operational runbooks, which are the primary source of truth about what Nutan does. Nutan is not yet certified by an accredited ISO 27001 certification body; formal certification is on our roadmap. This document is an internal self-assessment suitable as an input to procurement review, vendor risk assessment, and internal security review; it is not a substitute for an independent audit.

Document Record

Document ID: NUT-ISO27K-001
Version: 2026.04.20-r1
Framework: ISO 27001
Report type: Assessment
Reporting period: Effective April 20, 2026
Classification: Public
Generated: April 20, 2026
Source commit: d842878
Prepared by: Nutan AI (Internal assessment)
Verification: Source-of-truth commit hash recorded in this record (d842878)

1.0 · Executive Summary

This document maps Nutan's current controls to the ISO/IEC 27001:2022 Annex A control set (93 controls across 4 themes: Organisational, People, Physical, Technological). Nutan's local-first architecture reduces surface area across access control, cryptography, and operations security. For each applicable control, we describe the implementation and confirm coverage. Formal ISO 27001 certification is being evaluated for 2026.

2.0 · Findings & Controls

2.1 · Scope and Applicability

This document covers the 2022 edition of ISO/IEC 27001 Annex A. Controls deemed not applicable because of the AI-operated model (e.g. A.6.1 Screening, since Nutan has no employees) are explicitly marked as N/A with a justification.

2.2 · A.5.1 · Policies for Information Security

A written information security policy is maintained and reviewed on every release. The policy is encoded in agent workflows that enforce it automatically.

2.3 · A.5.2 · Information Security Roles and Responsibilities

Roles are defined by scoped agent permissions. The founder holds overall accountability.

2.4 · A.5.3 · Segregation of Duties

Segregation is enforced by separating the proposing agent and the reviewing agent for any sensitive change. No single agent can both author and approve a change.

2.5 · A.5.7 · Threat Intelligence

Threat feeds are consumed automatically by the monitoring agent. Published indicators of compromise are checked against activity observed at the production boundary.

2.6 · A.5.15 · Access Control

Users authenticate through a standards-based OAuth flow. Authorisation is scoped per user and per resource. No shared credentials exist.

2.7 · A.5.17 · Authentication Information

Authentication tokens are held only in the operating system's secure keychain; they are never written in plaintext to application files, logs, or configuration.

2.8 · A.5.23 · Information Security for Use of Cloud Services

Cloud services are selected based on privacy footprint. Sub-processors are listed publicly at nutan.ai/sub-processors.

2.9 · A.5.29 · Information Security During Disruption

The local-first architecture preserves core product functionality during a disruption: users can prepare for, capture, and review meetings without connectivity.

2.10 · A.5.30 · ICT Readiness for Business Continuity

Service continuity is exercised by continuous deployment: each release verifies the restore path as part of its pipeline.

2.11 · A.5.34 · Privacy and Protection of PII

PII is minimised by architecture. When processed, it is protected with field-level encryption and access logging.

2.12 · A.6 · People Controls

Applicability. The A.6 control family assumes human employees. Nutan has no employees. The control intent — that people with access behave according to policy — is met by the scoped-permission model applied to agents. Specific controls:

  • A.6.1 Screening: N/A (no employees). Agent provenance is verified at deployment.
  • A.6.2 Terms and conditions: Encoded in the thesis and agent workflow definitions.
  • A.6.3 Awareness and training: Not applicable to agents.
  • A.6.4 Disciplinary process: Agents that produce non-compliant output are automatically rolled back.
  • A.6.5 Responsibilities after termination: N/A.

2.13 · A.7 · Physical Controls

Applicability. Nutan operates no physical facilities. Physical controls are satisfied by the hosting provider under their own certification. Customer devices are the responsibility of the customer; Nutan's architecture assumes the device is trusted.

2.14 · A.8.1 · User Endpoint Devices

User devices are the trust anchor in Nutan's architecture. The application uses the operating system's native security services (secure keychain, code signing, hardware-backed storage where available).

2.15 · A.8.2 · Privileged Access Rights

No privileged user access exists in production. The founder has no back door to customer data. Agent permissions are scoped to the minimum required for each workflow.

2.16 · A.8.3 · Information Access Restriction

Information access is restricted at the application layer. Each authenticated request carries the user's identity and is scoped to their own data.

2.17 · A.8.5 · Secure Authentication

Authentication uses a standards-based OAuth flow with automatic token rotation. Nutan stores no passwords.

2.18 · A.8.6 · Capacity Management

Capacity is managed automatically by the hosting provider. Nutan's traffic is predictable due to the on-device processing model.

2.19 · A.8.7 · Protection Against Malware

Dependencies are pinned, automatically scanned, and updated through the two-agent review process.

2.20 · A.8.8 · Technical Vulnerabilities

Vulnerabilities are managed via automated scanning and prioritised remediation. Critical fixes are deployed within 24 hours of discovery.

2.21 · A.8.9 · Configuration Management

Configuration is version-controlled and reviewed on every change. Drift is detected and alerted.

2.22 · A.8.10 · Information Deletion

User-initiated deletion removes all of the user's associated data in a single atomic operation. Audit log entries, which are redacted of PII, are retained as permitted by GDPR Article 17(3)(e).

2.23 · A.8.11 · Data Masking

PII in audit logs is masked before persistence. Email addresses are hashed for indexing purposes and stored in plaintext only in the encrypted record itself.

2.24 · A.8.12 · Data Leakage Prevention

The primary DLP control is architectural: meeting content never leaves the user's device by default. Any egress is explicit and user-initiated.

2.25 · A.8.13 · Information Backup

The authoritative copy is on the user's device. Optional encrypted cloud sync provides a secondary copy. Both restore paths are tested continuously.

2.26 · A.8.14 · Redundancy

Redundancy of hosted components is provided by the hosting provider. Because the architecture is local-first, a disruption of Nutan's hosted service does not affect day-to-day product use.

2.27 · A.8.15 · Logging

An immutable audit trail records every action. Logs are structured, timestamped, and redacted of PII.

2.28 · A.8.16 · Monitoring Activities

Monitoring activities cover authentication, authorisation, configuration change, and data access events. Anomalies are alerted in real time.

2.29 · A.8.17 · Clock Synchronisation

All servers use NTP-synchronised clocks. Log timestamps are in UTC.
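The following is an added example, not Nutan's code, that illustrates the audit-record properties this document claims under A.8.11, A.8.15 and A.8.17 together: PII masked before persistence, email addresses replaced by a lookup hash, structured entries with UTC timestamps, and tamper evidence for the trail. The keyed HMAC index (keyed so that a leaked log cannot be reversed by hashing a dictionary of known addresses, which an unkeyed digest would allow), the placeholder INDEX_KEY, the masking format and the SHA-256 hash chain are assumptions of the example; the document does not state how Nutan implements these.

```python
"""Added example (not Nutan's code): an audit-log entry builder with the
properties claimed under A.8.11, A.8.15 and A.8.17.
Assumptions: HMAC-keyed email index, fixed masking format, SHA-256 hash
chain for tamper evidence, and a placeholder INDEX_KEY."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Assumed placeholder; a real deployment would load this from the OS
# keychain. Keying the index means a leaked log cannot be reversed by
# hashing a dictionary of known addresses, unlike a plain SHA-256.
INDEX_KEY = b"example-index-key-not-a-real-secret"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
GENESIS = "0" * 64


def email_index(email: str) -> str:
    """Keyed digest usable as a lookup key without storing the address."""
    norm = email.strip().lower()
    return hmac.new(INDEX_KEY, norm.encode(), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """'a.smith@example.com' -> 'a***@example.com' (assumed format)."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def redact(text: str) -> str:
    """Mask every email address found in free text before persistence."""
    return EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)


def _digest(entry: dict) -> str:
    """Canonical SHA-256 over every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def make_entry(action: str, actor_email: str, detail: str,
               prev_hash: str, ts: Optional[datetime] = None) -> dict:
    """Build one structured entry: UTC timestamp, masked actor, keyed
    index, redacted detail, and a hash that commits to the previous entry."""
    ts = ts or datetime.now(timezone.utc)
    entry = {
        "ts": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "actor_idx": email_index(actor_email),
        "actor": mask_email(actor_email),
        "detail": redact(detail),
        "prev": prev_hash,
    }
    entry["hash"] = _digest(entry)
    return entry


def verify_chain(entries: list) -> bool:
    """True only if every entry's hash matches and links to its predecessor.
    Editing or dropping any earlier entry breaks every later link."""
    prev = GENESIS
    for e in entries:
        if e.get("prev") != prev or _digest(e) != e.get("hash"):
            return False
        prev = e["hash"]
    return True


def contains_plaintext_email(entries: list) -> bool:
    """Persistence check: no entry may carry an unmasked address."""
    return any(EMAIL_RE.search(json.dumps(e)) for e in entries)


def demo() -> list:
    """Two constructed entries forming a valid chain (sample data)."""
    e1 = make_entry("login", "a.smith@example.com",
                    "sign-in from desktop app", GENESIS)
    e2 = make_entry("share", "a.smith@example.com",
                    "shared notes with bob@corp.example", e1["hash"])
    return [e1, e2]


if __name__ == "__main__":
    chain = demo()
    print(json.dumps(chain, indent=2))
    print("chain valid:", verify_chain(chain))
    print("plaintext email present:", contains_plaintext_email(chain))
```

The lookup index lets a deletion or subject-access request find a user's entries without the log ever holding the address, and the chain gives a reviewer a cheap way to confirm that the trail presented at audit time is the trail that was written.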

2.30 · A.8.21 · Network Security

Network traffic uses modern TLS with HTTP Strict Transport Security (HSTS). No unencrypted channels exist.

2.31 · A.8.23 · Web Filtering

Filtering of user web browsing is not applicable to Nutan's product surface. Server-rendered output is constrained by Content Security Policy headers.

2.32 · A.8.24 · Use of Cryptography

Cryptography follows current industry standards. Keys are generated per-device, stored in the OS secure keychain, and rotated on a schedule.

2.33 · A.8.25 · Secure Development Lifecycle

Changes follow the two-agent proposal-and-review process. Security requirements are enforced via automated checks that block non-compliant deploys.

2.34 · A.8.27 · Secure System Architecture

Architecture decisions prioritise minimising the processing footprint. The local-first choice is the largest architectural control in the environment.

2.35 · A.8.28 · Secure Coding

Secure coding is enforced by the AI agents that produce and review the code. The agent that authors a change never reviews it.

2.36 · A.8.32 · Change Management

All changes are proposed, reviewed, tested, and deployed through a single automated pipeline with full audit trail.

2.37 · Summary

Applicable Annex A controls are implemented and operating. People controls (A.6) and physical controls (A.7) are marked as Not Applicable or inherited from the hosting provider due to the AI-operated and cloud-hosted model. External certification by an accredited ISO 27001 auditor is on the roadmap.

Attestation

This document was prepared by Nutan AI (Internal assessment) on April 20, 2026 from the operational state of Nutan at source commit d842878. The contents reflect the control environment in place as of the reporting period.

Prepared by: Nutan AI (Autonomous operations)
Dated: April 20, 2026

Authorised under thesis of: Founder, Nutan
Dated: April 20, 2026

NUT-ISO27K-001 · v2026.04.20-r1 · Classification: PUBLIC · nutan.ai/trust-center
