Trust · ISO 27001:2022 · DEC-V11-80 · Q1-2027 milestone

ISO 27001:2022 · ROSS · EU-first audit canon · BSI/TÜV preference

93 Annex A controls (organizational · people · physical · technological) · ISMS framework · EU auditor canon · dual-cert path with SOC 2 at 70-80% control overlap · evidence reuse.

Status · preparation phase · no actual certification is claimed
Section 1 · 93 Annex A controls · 4 domains

The ISO 27001:2022 update (vs 2013) reduces the control count from 114 to 93 and reorganizes them into 4 canonical domains. The ROSS Statement of Applicability (SoA) justifies the applicability of each control in the context of a multi-tenant SaaS voice-agent platform operating in the EU.

A.5 · Organizational controls
37 controls
Information security policies · roles + responsibilities · threat intelligence · supplier relationships · cloud services usage · incident management · BCP. Largest cluster in Annex A.
A.6 · People controls
8 controls
Screening · employment terms + conditions · awareness training · disciplinary process · remote working · confidentiality + NDA. Covers the human factor.
A.7 · Physical controls
14 controls
Physical security perimeters · entry controls · physical security monitoring · clear desk + clear screen · secure disposal · equipment maintenance. Relevant for on-prem + co-location.
A.8 · Technological controls
34 controls
User endpoint devices · privileged access rights · authentication · cryptography · secure development · web filtering · network security · monitoring + logging. The critical technical cluster.
Section 2 · Canonical ISMS framework

The Information Security Management System (ISMS) follows the PDCA cycle · Plan · Do · Check · Act. ROSS ISMS scope: multi-tenant SaaS production (Hetzner k3s, EU sovereign) + voice agent infrastructure (Sara) + SHA-256 chained audit trail + DPIA generator + compliance tooling.

ISMS governance · Patxi (Compliance) as owner + Will (CTO) architecture sign-off + David (CEO) final sign-off. Monthly ISMS management review · quarterly internal audit · annual external surveillance audit after certification.

Section 3 · EU auditor canon · BSI/TÜV preference

Regulated EU customers (banking · insurance · healthcare · defense · government) prioritize auditors with an EU presence + EU headquarters. ROSS auditor shortlist · BSI Group (UK · EU-recognized) · TÜV SÜD (DE · primary candidate) · TÜV Rheinland (DE) · DNV (NO/EU) · DEKRA (DE).

Big-4 (PwC · KPMG · EY · Deloitte) NOT mandatory · ROSS prioritizes EU headquarters + SaaS/cloud expertise + competitive pricing (~30-40% below Big-4). Auditor signing target Q3-2026 · Stage 1 audit Q4-2026.

Section 4 · Dual-cert SOC 2 · evidence reuse 70-80%

Phase 1 · ISMS Foundation
Q3-2026
  • ISMS scope definition · risk assessment methodology signed off
  • Statement of Applicability (SoA) · justification for all 93 controls
  • Reuse of SOC 2 Phase 1 evidence · ~70% canonical overlap
Phase 2 · Stage 1 audit
Q4-2026
  • BSI/TÜV auditor engagement signed · EU-first canon
  • Stage 1 audit · documentation review · readiness assessment
  • Gap remediation cycle · 90 days before Stage 2
Phase 3 · Stage 2 + certification
Q1-2027
  • Stage 2 audit · controls operating effectiveness on-site
  • Certification issued · 3-year cycle + annual surveillance
  • Public registry listing · BSI/TÜV directory

Vanta + Probo dual-cert tooling enables automatic mapping of SOC 2 CC to ISO 27001 Annex A · 70-80% overlap. Evidence is collected once · reused for both audits. Shared audit cost ~30% savings vs independent paths.

EU regulated customer · ISO 27001 questionnaire preview

EU regulated customer (banking · insurance · healthcare) security questionnaire walkthrough · ISO 27001 + GDPR + AI Act cross-mapping · 30 min.

Book ROSS Hour · ISO 27001 prep walkthrough
AI Act art 50 disclosure · content generated with AI assistance (Claude · Anthropic) · human review signed off by Will (CTO) + Patxi (Compliance) · DEC-V11-80.