ISO 27001 Compliance

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company and customer information, ensuring it remains secure through a comprehensive set of policies, processes, and controls.

Sahayogi One Private Limited recognises ISO 27001 as the benchmark for information security management and has structured its security practices to align with the requirements of this standard across the BoSS platform and all related services.

Our decision to align with ISO 27001 without formal certification reflects our commitment to maintaining high security standards while operating at our current scale. As our organisation grows, we intend to pursue formal certification when the timing and business context are appropriate.

This page describes the specific areas where our practices align with ISO 27001 controls. We are transparent about this distinction and encourage our customers to evaluate our security practices on their merits.

We maintain a documented information security management framework that covers:

• Defined information security policies reviewed and approved by management
• Clear assignment of information security roles and responsibilities
• Segregation of duties to reduce the risk of unauthorised modification or misuse
• Regular management review of our security posture and improvement plans
• Documented procedures for all critical security processes

Aligned with ISO 27001 Clause 6 (Planning), we conduct structured risk assessments:

• Identification of information assets and their value to the organisation
• Assessment of threats and vulnerabilities relevant to each asset
• Evaluation of risk likelihood and potential impact
• Selection and implementation of appropriate risk treatment measures
• Periodic reassessment as our platform and threat landscape evolve

Our access control measures align with ISO 27001 Annex A.9:

• Role-based access control (RBAC) across all platform functions
• Unique user identification and authentication for all users
• Multi-factor authentication for administrative and sensitive access
• Regular review and revocation of access rights
• Audit logging of all access events and administrative actions
• Principle of least privilege applied across infrastructure and application layers

We implement cryptographic controls aligned with ISO 27001 Annex A.10:

• All data in transit encrypted using TLS 1.2 or higher
• Sensitive data at rest encrypted using AES-256 or equivalent
• Secure key management practices with regular key rotation
• Password hashing using industry-standard algorithms (bcrypt)
• API authentication using secure token-based mechanisms

Our cloud infrastructure is hosted with providers that maintain SOC 2 Type II and ISO 27001 certifications for their physical data centres. This includes:

• Controlled physical access to data centre facilities
• Environmental controls (cooling, fire suppression, power redundancy)
• 24/7 monitoring and security personnel at hosting facilities
• Equipment maintenance and secure disposal procedures

Our operational security practices align with ISO 27001 Annex A.12:

• Documented operating procedures for critical processes
• Change management controls for all infrastructure and application changes
• Capacity management and performance monitoring
• Separation of development, testing, and production environments
• Protection against malware through layered defences
• Regular backup procedures with tested restoration processes
• Logging and monitoring of system events and security incidents

We maintain an incident management process aligned with ISO 27001 Annex A.16:

• Defined incident response procedures with clear roles and escalation paths
• Classification of incidents by severity and impact
• Timely notification to affected parties and relevant authorities
• Post-incident review and implementation of corrective measures
• Lessons learned documentation and process improvement

Our business continuity measures align with ISO 27001 Annex A.17:

• Defined recovery time and recovery point objectives for critical services
• Redundant infrastructure to ensure service availability
• Regular backup and disaster recovery testing
• Documented business continuity plans reviewed periodically

We assess the security practices of our technology partners and service providers:

• Due diligence on third-party security posture before engagement
• Contractual obligations for data protection and security
• Regular review of supplier compliance with agreed security requirements
• Minimisation of data shared with third parties to what is strictly necessary

Aligned with the Plan-Do-Check-Act (PDCA) cycle at the core of ISO 27001, we commit to:

• Regular internal review of our security policies and practices
• Tracking and addressing nonconformities and areas for improvement
• Staying current with evolving security threats and best practices
• Investing in security training and awareness for our team
• Evaluating the path to formal ISO 27001 certification as we scale

For questions about our information security practices, please contact: