Cognium ISMS Portal

Dashboard

Documentation

Policies

SOPs

Templates

Registers

Runbooks

Governance

ISMS Core

Risk Management

Internal Audit

Mgmt Review

Compliance

ISO 27001:2022

SOC 2 Type II

AI Governance

Evidence

Evidence Collection

Incidents

Technical

Architecture

System

Audit Log

Settings

Cognium Inc.

ISMS Portal v2.0

SOC 2 Type II Compliance

Trust Services Criteria tracking and evidence management

Implementation Rate: 67%

Total Controls: 51; Trust Services Criteria

Implemented: 34; 67% of total

In Progress: 13; 25% of total

Planned: 4; 8% of total

Progress Rate: 92%; Implemented + Partial

CCRequired

Common Criteria

26/33 implemented

Availability

2/3 implemented

Processing Integrity

4/5 implemented

Confidentiality

2/2 implemented

Privacy

0/8 implemented

Showing 51 of 51 controls

	Control	Name	Status	Owner	Evidence	Last Tested
	CC1.1	Commitment to Integrity and Ethical Values	Implemented	CEO	3	10/15/2024
Description The entity demonstrates a commitment to integrity and ethical values. Justification Code of Conduct, ethics policies, and background checks implemented Linked Policies POL-001 POL-013 Linked SOPs None linked Evidence Types Code of Conduct Employee Acknowledgments Background Check Records
	CC1.2	Board Independence and Oversight	Implemented	CEO	2	10/15/2024
Description The board of directors demonstrates independence from management and exercises oversight. Justification Board resolution establishing security program oversight documented Linked Policies POL-001 Linked SOPs SOP-041 Evidence Types Board Resolution Meeting Minutes Organizational Chart
	CC1.3	Management Structure and Authority	Implemented	COO	3	10/15/2024
Description Management establishes structures, reporting lines, and appropriate authorities and responsibilities. Justification RACI matrix and role assignments documented in ISMS Linked Policies POL-001 Linked SOPs None linked Evidence Types Org Chart RACI Matrix Job Descriptions
	CC1.4	Commitment to Competence	Implemented	COO	4	10/15/2024
Description The entity demonstrates a commitment to attract, develop, and retain competent individuals. Justification Security awareness training program and skills development in place Linked Policies POL-012 Linked SOPs SOP-037 SOP-038 Evidence Types Training Records Competency Assessments Certifications
	CC1.5	Accountability for Internal Control	Implemented	ISO	2	10/15/2024
Description The entity holds individuals accountable for their internal control responsibilities. Justification Control owners register and performance reviews include security responsibilities Linked Policies POL-001 Linked SOPs None linked Evidence Types Control Owners Register Performance Reviews Incident Reports
	CC2.1	Information Quality for Internal Control	Implemented	ISO	3	10/15/2024
Description The entity obtains or generates and uses relevant, quality information to support internal control. Justification Security metrics dashboard and regular reporting implemented Linked Policies POL-001 Linked SOPs SOP-025 Evidence Types Security Reports Metrics Dashboard Management Reports
	CC2.2	Internal Communication of Objectives	Implemented	ISO	4	10/15/2024
Description The entity internally communicates information necessary for internal control to function. Justification Security policies communicated via onboarding and ongoing awareness Linked Policies POL-012 Linked SOPs SOP-037 Evidence Types Policy Acknowledgments Training Materials Internal Communications
	CC2.3	External Communication	Partial	ISO	2	10/15/2024
Description The entity communicates with external parties regarding matters affecting internal control. Justification Customer security documentation in development; incident notification procedures exist Linked Policies POL-004 POL-011 Linked SOPs SOP-015 SOP-032 Evidence Types Customer Communications Incident Notifications Vendor Communications
	CC3.1	Risk Assessment Objectives	Implemented	ISO	3	10/15/2024
Description The entity specifies objectives with sufficient clarity to enable identification of risks. Justification ISMS scope and objectives documented; risk assessment methodology established Linked Policies POL-001 Linked SOPs SOP-020 Evidence Types ISMS Scope Risk Assessment Methodology Security Objectives
	CC3.2	Risk Identification and Analysis	Implemented	ISO	4	10/15/2024
Description The entity identifies risks to achievement of objectives and analyzes how risks should be managed. Justification Risk register maintained with regular assessments Linked Policies POL-001 Linked SOPs SOP-020 SOP-021 Evidence Types Risk Register Risk Assessment Reports Threat Analysis
	CC3.3	Fraud Risk Consideration	Partial	ISO	1	10/15/2024
Description The entity considers the potential for fraud in assessing risks. Justification Fraud risk included in risk assessments; formal fraud risk assessment planned Linked Policies POL-001 Linked SOPs SOP-020 Evidence Types Fraud Risk Assessment Risk Register
	CC3.4	Change Impact Assessment	Implemented	ISO	5	12/20/2024
Description The entity identifies and assesses changes that could significantly affect internal control. Justification Change management process includes security impact assessment Linked Policies POL-005 Linked SOPs SOP-003 SOP-004 Evidence Types Change Records Impact Assessments RFC Forms
	CC4.1	Ongoing and Separate Evaluations	Implemented	ISO	4	12/20/2024
Description The entity selects, develops, and performs ongoing and/or separate evaluations. Justification Continuous monitoring via security tools; annual internal audits Linked Policies POL-001 Linked SOPs SOP-022 SOP-025 Evidence Types Monitoring Reports Internal Audit Reports Security Metrics
	CC4.2	Deficiency Communication and Remediation	Implemented	ISO	3	10/15/2024
Description The entity evaluates and communicates internal control deficiencies in a timely manner. Justification Corrective action log maintained; findings tracked to closure Linked Policies POL-001 Linked SOPs None linked Evidence Types Corrective Action Log Management Reports Remediation Evidence
	CC5.1	Selection and Development of Control Activities	Implemented	ISO	3	10/15/2024
Description The entity selects and develops control activities that mitigate risks. Justification Controls selected based on risk assessment; documented in SoA Linked Policies POL-001 Linked SOPs SOP-021 Evidence Types Statement of Applicability Risk Treatment Plan Control Documentation
	CC5.2	Technology General Controls	Implemented	Founding Engineer	8	10/15/2024
Description The entity selects and develops general control activities over technology. Justification IT controls implemented across infrastructure, applications, and operations Linked Policies POL-002 POL-005 POL-010 POL-015 Linked SOPs SOP-001 SOP-003 SOP-024 SOP-031 Evidence Types System Configurations Access Controls Change Records
	CC5.3	Policy-Based Control Activities	Implemented	ISO	5	10/15/2024
Description The entity deploys control activities through policies and procedures. Justification 16 policies and 41 SOPs documented and communicated Linked Policies POL-001 Linked SOPs SOP-040 Evidence Types Policy Library Procedure Documentation Acknowledgments
	CC6.1	Logical Access Security Software	Implemented	Founding Engineer	6	10/15/2024
Description The entity implements logical access security software, infrastructure, and architectures. Justification Microsoft 365 with Entra ID, AWS IAM, VPN, and endpoint protection deployed Linked Policies POL-002 POL-010 Linked SOPs SOP-001 SOP-010 SOP-031 Evidence Types Architecture Diagrams Access Control Configurations Security Tool Inventory
	CC6.2	User Registration and Authorization	Implemented	ISO	4	12/20/2024
Description Prior to issuing credentials, the entity registers and authorizes new users. Justification User provisioning procedure requires manager approval and HR verification Linked Policies POL-002 Linked SOPs SOP-001 Evidence Types Access Request Forms Approval Records User Provisioning Logs
	CC6.3	Access Removal	Implemented	ISO	5	10/15/2024
Description The entity removes access to protected resources when access is no longer required. Justification Offboarding checklist includes immediate access revocation; quarterly reviews Linked Policies POL-002 Linked SOPs SOP-001 SOP-002 Evidence Types Termination Checklists Access Revocation Logs Access Review Reports
	CC6.4	Access Review	Partial	ISO	3	10/15/2024
Description The entity restricts and reviews privileged access rights. Justification Quarterly access reviews implemented; privileged access review being formalized Linked Policies POL-002 Linked SOPs SOP-002 SOP-010 Evidence Types Access Review Reports Privileged Access Inventory Review Sign-offs
	CC6.5	Physical Access Restrictions	Partial	COO	2	10/15/2024
Description The entity restricts physical access to facilities and protected information assets. Justification Remote-first company; AWS physical security inherited; home office guidelines exist Linked Policies POL-006 POL-009 Linked SOPs None linked Evidence Types AWS SOC 2 Report Remote Work Guidelines Asset Register
	CC6.6	Threat Protection	Implemented	Founding Engineer	6	12/20/2024
Description The entity implements controls to prevent or detect and act upon malicious activities. Justification Bitdefender endpoint protection, AWS GuardDuty, and security monitoring active Linked Policies POL-015 Linked SOPs SOP-023 SOP-024 SOP-025 Evidence Types EDR Reports Security Alerts Vulnerability Scans
	CC6.7	Data Transmission Protection	Implemented	Founding Engineer	3	10/15/2024
Description The entity restricts transmission, movement, and removal of information. Justification TLS encryption for data in transit; DLP controls on email and endpoints Linked Policies POL-014 POL-015 Linked SOPs None linked Evidence Types Encryption Configurations Network Security Settings DLP Reports
	CC6.8	Malicious Software Prevention	Implemented	Founding Engineer	4	12/20/2024
Description The entity implements controls to prevent or detect and remediate malicious software. Justification Bitdefender GravityZone deployed on all endpoints with automatic updates Linked Policies POL-015 Linked SOPs SOP-029 Evidence Types Antivirus Reports Malware Detection Logs Update Records
	CC7.1	Vulnerability Management	Implemented	Founding Engineer	5	12/15/2024
Description The entity identifies and evaluates system vulnerabilities. Justification Regular vulnerability scanning and penetration testing program established Linked Policies POL-015 Linked SOPs SOP-023 Evidence Types Vulnerability Scan Reports Penetration Test Results Remediation Records
	CC7.2	Security Event Monitoring	Implemented	Founding Engineer	4	12/20/2024
Description The entity monitors system components for anomalies and security events. Justification CloudWatch, CloudTrail, and security monitoring with alerting configured Linked Policies POL-015 Linked SOPs SOP-025 Evidence Types Monitoring Dashboards Alert Configurations Log Samples
	CC7.3	Security Incident Evaluation	Implemented	ISO	3	12/20/2024
Description The entity evaluates security events to determine whether they constitute security incidents. Justification Incident classification guide and triage procedure documented Linked Policies POL-004 Linked SOPs SOP-006 SOP-026 Evidence Types Incident Classification Guide Triage Records Incident Logs
	CC7.4	Incident Response	Implemented	ISO	4	10/15/2024
Description The entity responds to identified security incidents according to procedures. Justification Incident response plan with defined roles, escalation, and communication templates Linked Policies POL-004 Linked SOPs SOP-006 SOP-014 SOP-015 Evidence Types Incident Response Plan Incident Reports Communication Records
	CC7.5	Incident Recovery	Partial	Founding Engineer	2	10/15/2024
Description The entity identifies, develops, and implements recovery activities. Justification Recovery procedures documented; full DR test scheduled for Q1 2025 Linked Policies POL-007 Linked SOPs SOP-027 SOP-028 Evidence Types Recovery Procedures DR Test Results RTO/RPO Documentation
	CC8.1	Change Authorization	Implemented	Founding Engineer	8	12/20/2024
Description The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes. Justification Change management process with RFC workflow, testing, and approval gates Linked Policies POL-005 Linked SOPs SOP-003 SOP-004 SOP-016 Evidence Types RFC Forms Change Logs Test Evidence Approval Records
	CC9.1	Business Disruption Risk Mitigation	Partial	COO	3	10/15/2024
Description The entity identifies, selects, and develops risk mitigation activities for risks from business disruption. Justification BCP and DR plans documented; BIA completed; testing frequency being increased Linked Policies POL-007 Linked SOPs SOP-027 SOP-028 Evidence Types Business Impact Analysis BCP Documentation DR Test Results
	CC9.2	Vendor Risk Management	Partial	COO	3	10/15/2024
Description The entity assesses and manages risks associated with vendors and business partners. Justification Vendor assessment process established; completing assessments for all critical vendors Linked Policies POL-011 Linked SOPs SOP-032 Evidence Types Vendor Register Assessment Reports SOC 2 Reports
	A1.1	Capacity Management	Implemented	Founding Engineer	3	12/20/2024
Description The entity maintains, monitors, and evaluates current processing capacity and use. Justification AWS CloudWatch monitoring with auto-scaling and capacity alerts Linked Policies POL-010 Linked SOPs SOP-031 Evidence Types Capacity Reports Auto-scaling Configurations Performance Metrics
	A1.2	Environmental Protections	Implemented	COO	2	10/15/2024
Description The entity authorizes, designs, develops or acquires, implements, operates, maintains, and monitors environmental protections. Justification AWS manages physical environmental controls; remote workers have surge protection guidance Linked Policies POL-006 POL-010 Linked SOPs None linked Evidence Types AWS SOC 2 Report Remote Work Guidelines
	A1.3	Recovery and Continuity	Partial	Founding Engineer	3	10/15/2024
Description The entity tests recovery plan procedures supporting system recovery. Justification Backup restoration tests quarterly; full DR test scheduled Q1 2025 Linked Policies POL-007 Linked SOPs SOP-013 SOP-027 SOP-028 Evidence Types Backup Test Results Recovery Time Logs DR Test Plans
	PI1.1	Processing Completeness and Accuracy	Implemented	Chief Product Officer	4	12/15/2024
Description The entity obtains or generates, uses, and communicates relevant, quality information regarding processing. Justification Data validation controls and AI model validation procedures implemented Linked Policies POL-008 Linked SOPs SOP-018 SOP-019 Evidence Types Validation Reports Data Quality Metrics Model Performance Logs
	PI1.2	Processing Policies	Implemented	Chief Product Officer	3	10/15/2024
Description The entity implements policies and procedures over processing. Justification AI/ML policies and procedures govern model development and deployment Linked Policies POL-008 Linked SOPs SOP-005 SOP-017 SOP-018 Evidence Types AI/ML Policy Deployment Procedures Code Review Records
	PI1.3	Input Processing Accuracy	Implemented	Founding Engineer	3	12/20/2024
Description The entity implements policies and procedures for inputs to be processed completely and accurately. Justification Input validation and data integrity checks built into processing pipelines Linked Policies POL-008 Linked SOPs SOP-019 Evidence Types Input Validation Logs Error Reports Data Quality Checks
	PI1.4	Output Accuracy	Partial	Chief Product Officer	3	12/15/2024
Description The entity implements policies and procedures for outputs to be complete and accurate. Justification Model output validation implemented; comprehensive output monitoring being enhanced Linked Policies POL-008 Linked SOPs SOP-018 Evidence Types Output Validation Reports Model Drift Monitoring Accuracy Metrics
	PI1.5	Processing Error Handling	Implemented	Chief Product Officer	2	10/15/2024
Description The entity implements policies and procedures for addressing errors in processing. Justification Error handling and kill switch procedures documented for AI models Linked Policies POL-008 Linked SOPs SOP-017 Evidence Types Error Handling Procedures Kill Switch Documentation Incident Records
	C1.1	Confidential Information Identification	Implemented	ISO	3	10/15/2024
Description The entity identifies and maintains confidential information to meet objectives. Justification Data classification policy and procedure implemented with labeling Linked Policies POL-003 Linked SOPs SOP-009 Evidence Types Classification Register Data Inventory Labeling Standards
	C1.2	Confidential Information Disposal	Implemented	ISO	2	12/20/2024
Description The entity disposes of confidential information to meet objectives. Justification Secure data disposal procedures implemented for all media types Linked Policies POL-003 Linked SOPs SOP-012 Evidence Types Disposal Certificates Destruction Logs Sanitization Records
	P1.1	Privacy Notice	Planned	COO	0	Not tested
Description The entity provides notice to data subjects about its privacy practices. Justification Privacy notice in development for customer-facing platform launch Linked Policies None linked Linked SOPs None linked Evidence Types Privacy Notice Cookie Policy Consent Records
	P2.1	Consent and Choice	Planned	COO	0	Not tested
Description The entity communicates choices available regarding data collection, use, retention, and disclosure. Justification Consent management planned for platform launch Linked Policies None linked Linked SOPs None linked Evidence Types Consent Forms Preference Center Opt-out Records
	P3.1	Collection Limitation	Partial	ISO	1	10/15/2024
Description The entity collects personal information consistent with objectives. Justification Data minimization principles applied; formal data mapping in progress Linked Policies POL-003 Linked SOPs None linked Evidence Types Data Inventory Collection Justifications Privacy Impact Assessments
	P4.1	Use and Retention	Partial	ISO	2	10/15/2024
Description The entity limits use and retains personal information consistent with objectives. Justification Retention schedules documented; automated purging being implemented Linked Policies POL-003 Linked SOPs SOP-012 Evidence Types Retention Schedule Purge Logs Use Limitations
	P5.1	Access	Planned	ISO	0	Not tested
Description The entity provides data subjects with access to their personal information. Justification Data subject access request process planned for platform launch Linked Policies None linked Linked SOPs None linked Evidence Types DSAR Process Access Request Logs Response Records
	P6.1	Disclosure and Notification	Partial	COO	2	10/15/2024
Description The entity discloses personal information to third parties with consent or authorized. Justification Vendor data processing agreements in place for key vendors Linked Policies POL-011 Linked SOPs SOP-032 Evidence Types DPAs Third-party Agreements Disclosure Logs
	P7.1	Quality	Partial	Founding Engineer	1	10/15/2024
Description The entity collects and maintains accurate, up-to-date, complete, and relevant personal information. Justification Data quality controls implemented; user correction mechanisms in development Linked Policies POL-003 Linked SOPs None linked Evidence Types Data Quality Reports Correction Logs Validation Rules
	P8.1	Complaint Management	Planned	COO	0	Not tested
Description The entity implements a process for receiving, addressing, and resolving complaints. Justification Privacy complaint process planned for platform launch Linked Policies None linked Linked SOPs None linked Evidence Types Complaint Process Resolution Records Escalation Procedures