ISO 27001:2022

Last updated: 2026-04-11 • ← All frameworks

Overview

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). Certification requires an organization to establish, implement, maintain, and continually improve an ISMS, and to demonstrate through an external audit (Stage 1 documentation review and Stage 2 on-site or remote assessment) that the system operates effectively against the Annex A control set and the clauses of the standard.

Current status

In progress — targeting Q1 2027

Backbuild is working toward ISO 27001:2022 certification. The ISMS is established, a Statement of Applicability (SoA) covering all Annex A controls has been produced, internal audits are underway, and a certification body is being selected. The Stage 2 certification audit is targeted for Q1 2027.

ISMS scope

The ISMS covers the Backbuild SaaS platform and all customer-facing services, including the web application, API, worker fleet, build and release pipeline, data stores, and the supporting corporate systems used to operate and deliver the service. Scope boundaries, interfaces, and exclusions are documented in the ISMS scope statement available under NDA.

Annex A control coverage

Controls are implemented across the four Annex A themes introduced in the 2022 revision of the standard:

• Organizational controls (A.5): information security policies, roles and responsibilities, threat intelligence, supplier relationships, and cloud service management.
• People controls (A.6): screening, terms of employment, awareness and training, disciplinary process, and responsibilities after termination.
• Physical controls (A.7): secure areas, equipment protection, clear desk and screen, and secure disposal — largely inherited from Cloudflare and office providers and documented in the SoA.
• Technological controls (A.8): access control, cryptography, secure configuration, logging and monitoring, network security, secure development, and backup.

Risk management program

• Annual enterprise risk assessment: formal risk identification, analysis, and evaluation against defined criteria, with documented treatment decisions.
• Quarterly risk register reviews: risks are reassessed, new risks are added, and treatment plans are updated.
• Treatment plans: each accepted residual risk is mapped to compensating controls, owners, and review dates.
• Threat and vulnerability intelligence: feeds into the risk register and triggers ad-hoc assessments where warranted.

Continuous improvement

The ISMS is operated as a living system. Monthly management review meetings track objectives, audit findings, incidents, nonconformities, and corrective actions. Metrics are reported against documented information security objectives, and the results drive adjustments to policies, controls, and training. Internal audits cover all Annex A controls on a rolling schedule.

Relationship to SOC 2

The majority of ISO 27001 Annex A controls overlap with SOC 2 Trust Service Criteria. Backbuild maintains a single control library that is mapped to both frameworks, and the two certifications are being pursued in parallel to minimize duplicated audit effort and present customers with a consistent assurance picture.