What ISO 27001 means here
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). It requires us to assess and treat information security risks, select and implement controls from Annex A (with each inclusion or exclusion justified in a Statement of Applicability), and continually improve the ISMS through internal audit, management review and corrective action.
Our current status
Mercurium Analytics operates an ISMS aligned to ISO/IEC 27001:2022 that is ready for a Stage 1 (documentation review) audit. The external certification audit (Stage 1 and Stage 2) is planned for Q4 2026. Every control listed below is implemented today; what remains before certification is independent verification by an external certification body, not missing controls.
Controls we operate
Organisational
- Documented information security policy, reviewed annually by leadership.
- Asset register, classification scheme and data-handling guidelines.
- Supplier security review and a written data processing agreement (DPA) for every sub-processor.
- Quarterly internal audit against Annex A; findings tracked to closure.
People
- Background checks on all staff; confidentiality clauses in every employment contract.
- Mandatory security training on hire and annually; phishing simulations.
- User access reviews every 90 days, with automated revocation of access on role change or departure.
Physical
- Customer data is not stored on employee laptops by default; day-to-day work happens inside managed cloud environments.
- Full-disk-encrypted, MDM-managed endpoints with enforced screen lock and remote wipe.
Technological
- Encryption in transit (TLS 1.3) and at rest (AES-256, with keys held in a managed KMS).
- Least-privilege access on every production system; single sign-on (SSO) for all staff access.
- Automated vulnerability scanning of code on every commit and of all hosts nightly.
- Centralised logging with tamper-evident storage and 12-month retention.
- Disaster recovery: recovery time objective (RTO) of 4 hours, recovery point objective (RPO) of 15 minutes, tested quarterly.
- Annual penetration testing by an independent CREST-accredited provider.
Request evidence
Security-savvy buyers can request our security questionnaire responses, the most recent penetration test summary and our draft Statement of Applicability (SoA) by emailing contact@mercurium-analytics.com. We respond under NDA within 3 working days.