Vissibl.
ISO 27001:2022 ISMS — Implementation Tracker
Days to Stage 1 Audit: 7
2026-03-05
Overdue: 2
Pre-Audit Open: 8
Waiting on Team: 3
Training Done: 9/11
Controls Implemented: 44/93
Policies Approved: 6
🔴 Overdue — Action Required Now
🔑
Review all API keys for exposure
Check GitHub commit history and logs for leaked credentials. Store all keys in Azure Key Vault.
Hitesh
Due 2026-02-24 — OVERDUE
Overdue
📧
Create security@vissibl.ai email address
Required ISO 27001 security contact point. Configure forwarding for Jonathan + Hitesh. Add to IRP and policies.
Jonathan
Blocking
⏸ Waiting on Team — Pre-Audit
🎯
Jira Security Gate Review subtask template
Auto-attaches to every Epic. Gate 1 (Design) · Gate 2 (Pre-Release) · Gate 3 (Post-Release). Follow-up sent 2026-02-26.
Hitesh
Waiting
🛡️
Register on CISA threat intelligence portal
Evidence for A.5.7 Threat Intelligence. AlienVault OTX confirmed. Follow-up sent 2026-02-26.
Hitesh
Waiting
🧪
Penetration testing — approve scope & quote
Quote: $3,000. Budget: $5,000–$10,000. Scope: SaaS platform, Azure infra, API endpoints, Kubernetes. Required before Stage 2.
Sean + Hitesh
Waiting Approval
🟠 Pre-Stage 1 Audit — Open Tasks
🔐
Implement IP whitelist for API keys
Store in Azure Key Vault. Verify dev → staging → production.
Andre / Hitesh
Due 2026-03-08
Pre-Audit
🔍
Enable GitHub secret scanning
Prevents API key exposure in public repositories. TTX-001 action item.
Hitesh
Due 2026-03-10
Pre-Audit
📊
Document Azure monitoring alert triggers
Thresholds, what triggers alerts, response procedures.
Hitesh
Due 2026-03-01
Pre-Audit
📜
Renew GitHub + Miro ISO 27001 certificates
GitHub: Enterprise compliance portal (new cert available). Miro: trust.miro.com or security@miro.com.
Jonathan
Pre-Audit
🏢
Vendor compliance — Xero, Bayzat, Deel
Request ISO 27001 certs · Review contracts for security clauses · Verify SSO/MFA · Complete supplier questionnaire · Tier 1 approval (CEO + CTO + ISMS).
Jonathan
Pre-Audit
⚖️
Verify SoD controls in production
GitHub branch protection on main · Azure pipeline approvals · Kubernetes RBAC namespace separation.
Hitesh / Uwaifo
Pre-Audit
📋
Customer breach notification training
Practice breach notification procedures with team. TTX-001 action item.
Jonathan
Due 2026-03-10
Pre-Audit
🔒
Evaluate rate limiting for API endpoints
Helps detect large-scale data scraping attempts. TTX-001 action item.
Hitesh
Due 2026-03-15
Pre-Audit
🎓 Security Awareness Training — 9 / 11 Complete
9 / 11 certified
✅
Sean Hurley
100% · Feb 24
✅
Hitesh Nalamwar
100% · Feb 20
✅
Fletcher Miles
100% · Feb 20
✅
Jonathan Sternberg
100% · Feb 20
✅
Safee Ul Azeem
92% · Feb 20
✅
Ilya Kolotaev
100% · Feb 20
✅
Ahmed Badr
100% · Feb 25
✅
Raja Vashishtha
80% · Feb 25
✅
Uwaifo Idehenre
97% · Feb 21
❌
Andrei Kovalev
Not started
❌
Nita Craig
Not started
🔒 Statement of Applicability — Controls (93 total)
44 Implemented (47%)
36 Partial (39%)
6 Planned (6%)
7 Not Applicable
🟢 Post-Stage 1 / Stage 2 Prep
💾
PostgreSQL backup retention → 35 days + soft delete on storage
Currently 7 days. Azure Portal → PostgreSQL Flexible Server → Backup. Enable soft delete on all 4 storage containers.
DevOps
Stage 2
🧪
First backup restoration test (PITR)
PostgreSQL point-in-time recovery per PROC-002 § 7.2. Never been tested.
DevOps
Stage 2
📈
Increase log retention 30 → 90+ days
Azure Log Analytics workspace. Required per ISMS-STD-008.
Hitesh
Stage 2
🔑
Secrets rotation policy and schedule
Database passwords · API keys (GCP, WhatsApp, Resend) · JWT signing keys.
Hitesh
Stage 2
🏗️
Complete ISMS-ARCH-001 System Architecture
Network diagrams and data flow documentation.
Hitesh
Stage 2
📝
Schedule first Management Review (ISMS-REV-001)
Required for clause 9.3. Create meeting minutes.
Jonathan
Stage 2
🔍
Complete ISMS-AUDIT-002 Internal Audit Report
Address findings and document corrective actions.
Jonathan
Stage 2