ISO 27001:2022 — ANNEX A CONTROLS¶
OWNER: julian
UPDATED: 2026-03-24
SCOPE: all 93 Annex A controls mapped to GE agent ownership and implementation
STANDARD: ISO/IEC 27001:2022 Annex A (derived from ISO/IEC 27002:2022)
STRUCTURE¶
VERSION: 2022 (replaces 2013 structure of 14 domains / 114 controls)
THEMES: 4
TOTAL_CONTROLS: 93
NEW_CONTROLS: 11 (marked with NEW below)
THEME_A5: Organizational controls (37 controls)
THEME_A6: People controls (8 controls)
THEME_A7: Physical controls (14 controls)
THEME_A8: Technological controls (34 controls)
ATTRIBUTES (new in 2022, used for filtering):
- Control type: Preventive, Detective, Corrective
- Information security properties: Confidentiality, Integrity, Availability
- Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover
- Operational capabilities: Governance, Asset_management, Information_protection, HR_security, Physical_security, System_security, Network_security, Application_security, Secure_configuration, Identity_access, Threat_vulnerability, Continuity, Supplier, Legal_compliance, Event_management, Assurance
A.5 — ORGANIZATIONAL CONTROLS (37)¶
A.5.1 — Policies for information security¶
REQUIRES: information security policy and topic-specific policies, approved by management, communicated
GE_OWNER: julian (policy authoring), amber (policy review)
GE_IMPLEMENTATION: constitution.md = overarching policy. Wiki domain pages = topic-specific policies. Git-versioned.
EVIDENCE: dated policy documents, approval records, communication logs
A.5.2 — Information security roles and responsibilities¶
REQUIRES: define and allocate information security roles and responsibilities
GE_OWNER: julian
GE_IMPLEMENTATION: AGENT-REGISTRY.json defines roles. RACI matrix in wiki. Each agent has defined security responsibilities in profile.
EVIDENCE: AGENT-REGISTRY.json, agent profiles, RACI matrix
A.5.3 — Segregation of duties¶
REQUIRES: conflicting duties and responsibilities shall be segregated
GE_OWNER: julian, amber (audit)
GE_IMPLEMENTATION: anti-LLM pipeline enforces separation — developer cannot approve own code (koen reviews), tester is independent (marije/judith), SSOT enforcer (jaap) is separate from developers. Swim lanes enforced in the DAG.
EVIDENCE: pipeline configuration, DAG definitions, work package assignments
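Added example, not GE's own pipeline code: a segregation-of-duties check that a work package assignment can be run through before the DAG accepts it. The role names, the approved reviewer/tester/enforcer sets (koen/eric, marije/judith, jaap) and the work package records are assumptions drawn from this page; the other agent names in the sample are constructed placeholders.

```python
# Added example: segregation-of-duties check for work package assignments.
# Approved-role sets are taken from this page; sample data is constructed.

# Pairs of roles that must never be held by the same agent on one work package.
CONFLICTING_PAIRS = {
    ("developer", "reviewer"),
    ("developer", "tester"),
    ("developer", "ssot_enforcer"),
}

# Agents permitted to hold each independent role (assumption based on the page).
ALLOWED = {
    "reviewer": {"koen", "eric"},
    "tester": {"marije", "judith"},
    "ssot_enforcer": {"jaap"},
}


def sod_violations(assignment: dict) -> list[str]:
    """Return violation messages for one work package; empty list means compliant."""
    problems = []
    for a, b in sorted(CONFLICTING_PAIRS):
        if assignment.get(a) and assignment.get(a) == assignment.get(b):
            problems.append(f"{assignment[a]} holds both {a} and {b}")
    for role, allowed in ALLOWED.items():
        agent = assignment.get(role)
        if agent is None:
            problems.append(f"missing {role}")
        elif agent not in allowed:
            problems.append(f"{agent} is not an approved {role}")
    return problems


def check_pipeline(work_packages: dict[str, dict]) -> dict[str, list[str]]:
    """Map each work package id to its list of violations (audit evidence)."""
    return {wp: sod_violations(assignment) for wp, assignment in work_packages.items()}


# Constructed sample: one compliant package, one self-review, one with two problems.
SAMPLE_WORK_PACKAGES = {
    "WP-101": {"developer": "dev-agent-1", "reviewer": "koen",
               "tester": "marije", "ssot_enforcer": "jaap"},
    "WP-102": {"developer": "koen", "reviewer": "koen",
               "tester": "judith", "ssot_enforcer": "jaap"},
    "WP-103": {"developer": "dev-agent-1", "reviewer": "dev-agent-1",
               "tester": "unknown-agent", "ssot_enforcer": "jaap"},
}

if __name__ == "__main__":
    for wp, problems in check_pipeline(SAMPLE_WORK_PACKAGES).items():
        print(wp, "OK" if not problems else "; ".join(problems))
```

A gate like this belongs at DAG admission time, so that an assignment with a self-reviewing developer is rejected before any work runs rather than flagged in a later audit.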
A.5.4 — Management responsibilities¶
REQUIRES: management shall require all personnel to apply information security per policies
GE_OWNER: dirk-jan (human management)
GE_IMPLEMENTATION: constitution injected at agent boot. All agents bound by 10 principles.
EVIDENCE: constitution.md, agent boot logs showing injection
A.5.5 — Contact with authorities¶
REQUIRES: establish and maintain contact with relevant authorities
GE_OWNER: julian
GE_IMPLEMENTATION: documented contact list — Autoriteit Persoonsgegevens (GDPR), NCSC-NL (incidents), certification body
EVIDENCE: authority contact register, incident notification procedures
A.5.6 — Contact with special interest groups¶
REQUIRES: maintain contact with security interest groups and forums
GE_OWNER: julian
GE_IMPLEMENTATION: ISACA, IAPP, CSA, Dutch cybersecurity community
EVIDENCE: membership records, participation evidence
A.5.7 — Threat intelligence (NEW)¶
REQUIRES: collect, analyze, and use information about threats
GE_OWNER: victoria (Security Operations)
GE_IMPLEMENTATION: CVE monitoring via trivy DB updates, security advisory feeds, LLM provider security bulletins
EVIDENCE: threat intelligence reports, advisory review logs, vulnerability feed subscriptions
A.5.8 — Information security in project management¶
REQUIRES: integrate information security into project management
GE_OWNER: faye (Project Manager), julian (security requirements)
GE_IMPLEMENTATION: every work package includes security requirements from anna (Formal Specification). antje writes security tests. Security review gate before deployment.
EVIDENCE: work package specifications with security requirements, test results
A.5.9 — Inventory of information and other associated assets¶
REQUIRES: identify and maintain inventory of information assets
GE_OWNER: julian (process), arjan (infrastructure assets)
GE_IMPLEMENTATION: AGENT-REGISTRY.json (agent assets), k8s resource inventory (infrastructure), PostgreSQL schema (data assets)
EVIDENCE: asset inventory with owners, classification, and criticality
A.5.10 — Acceptable use of information and other associated assets¶
REQUIRES: rules for acceptable use identified, documented, and implemented
GE_OWNER: julian
GE_IMPLEMENTATION: constitution.md defines acceptable use. Agent profiles define permitted actions. Executor capability restrictions enforce boundaries.
EVIDENCE: acceptable use policy, capability restriction configs
A.5.11 — Return of assets¶
REQUIRES: personnel return assets when employment/agreement changes
GE_OWNER: hilrieke (Head of HR)
GE_IMPLEMENTATION: agent decommissioning procedure — revoke credentials, remove from registry, archive data
EVIDENCE: decommissioning checklist, credential revocation logs
A.5.12 — Classification of information¶
REQUIRES: classify information according to confidentiality needs
GE_OWNER: julian
GE_CLASSIFICATION_SCHEME:
- PUBLIC: wiki public pages, marketing
- INTERNAL: wiki development pages, agent configs
- CONFIDENTIAL: client data, credentials, business strategy
- RESTRICTED: encryption keys, master secrets, production database contents
EVIDENCE: classification policy, labeled assets
A.5.13 — Labelling of information¶
REQUIRES: label information according to classification scheme
GE_OWNER: julian
GE_IMPLEMENTATION: file headers indicate classification. Database columns tagged. Wiki page metadata.
EVIDENCE: labeling procedure, sample labeled assets
A.5.14 — Information transfer¶
REQUIRES: rules, procedures, and agreements for information transfer
GE_OWNER: julian, stef (Network Engineer)
GE_IMPLEMENTATION: all transfers TLS 1.3. Redis encrypted. API authentication required. No unencrypted channels.
EVIDENCE: transfer policy, TLS configuration, network architecture diagrams
A.5.15 — Access control¶
REQUIRES: rules to control physical and logical access based on business and security requirements
GE_OWNER: julian (policy), piotr (Secrets Manager)
GE_IMPLEMENTATION: RBAC via k8s, Vault for secrets, WebAuthn for admin-ui, per-agent capability restrictions
EVIDENCE: access control policy, RBAC configuration, Vault policies
A.5.16 — Identity management¶
REQUIRES: manage full lifecycle of identities
GE_OWNER: hugo (Identity Guardian)
GE_IMPLEMENTATION: AGENT-REGISTRY.json manages agent identities. k8s ServiceAccounts for workloads. Vault identities for secret access.
EVIDENCE: identity lifecycle procedures, registry snapshots
A.5.17 — Authentication information¶
REQUIRES: control allocation and management of authentication information
GE_OWNER: piotr (Secrets Manager)
GE_IMPLEMENTATION: Vault manages all secrets. API keys rotated per policy. WebAuthn (passwordless) for human access. No shared credentials.
EVIDENCE: secret rotation logs, Vault audit trail
A.5.18 — Access rights¶
REQUIRES: provision, review, modify, and remove access rights per policy
GE_OWNER: piotr, amber (review)
GE_IMPLEMENTATION: access provisioned per AGENT-REGISTRY.json roles. Quarterly access reviews by amber.
EVIDENCE: access provisioning records, quarterly review reports
A.5.19 — Information security in supplier relationships¶
REQUIRES: manage security risks associated with suppliers
GE_OWNER: julian
GE_SUPPLIERS: Anthropic (Claude API), OpenAI (GPT API), Google (Gemini API), Hetzner (infrastructure)
GE_IMPLEMENTATION: supplier security assessment, contract security clauses, DPA where applicable
EVIDENCE: supplier register, security assessments, contracts with security clauses
A.5.20 — Addressing information security within supplier agreements¶
REQUIRES: establish and agree security requirements with each supplier
GE_OWNER: julian
GE_IMPLEMENTATION: DPAs with LLM providers, security SLAs with infrastructure provider
EVIDENCE: signed agreements, DPAs
A.5.21 — Managing information security in the ICT supply chain¶
REQUIRES: manage ICT product/service supply chain security risks
GE_OWNER: julian, alex/tjitte (CI/CD — supply chain scanning)
GE_IMPLEMENTATION: SBOM generation, dependency scanning (trivy), lock files, container image scanning
EVIDENCE: SBOM reports, scan results, dependency update logs
A.5.22 — Monitoring, review, and change management of supplier services¶
REQUIRES: monitor, review, and manage changes to supplier services
GE_OWNER: julian
GE_IMPLEMENTATION: monitor LLM provider status pages, review API changelog, assess impact of model updates
EVIDENCE: supplier review logs, change impact assessments
A.5.23 — Information security for use of cloud services (NEW)¶
REQUIRES: manage security for cloud services acquisition, use, management, and exit
GE_OWNER: julian (policy), arjan (Infrastructure Provisioner)
GE_IMPLEMENTATION: k3s on dedicated Hetzner server. Pod Security Standards enforced. Network policies. No public cloud managed services.
EVIDENCE: cloud security policy, PSS configuration, network policy manifests
A.5.24 — Information security incident management planning and preparation¶
REQUIRES: plan and prepare for incidents
GE_OWNER: mira (Incident Commander)
GE_IMPLEMENTATION: incident response plan documented, escalation matrix, communication templates
EVIDENCE: incident response plan, tabletop exercise results
SEE_ALSO: domains/incident-response/index.md
A.5.25 — Assessment and decision on information security events¶
REQUIRES: assess events and decide if they are incidents
GE_OWNER: mira, victoria
GE_IMPLEMENTATION: monitoring alerts triaged by severity. Classification criteria documented.
EVIDENCE: event classification procedure, triage logs
A.5.26 — Response to information security incidents¶
REQUIRES: respond to incidents according to documented procedures
GE_OWNER: mira
GE_IMPLEMENTATION: incident playbooks, automated containment for known patterns, escalation to human for unknowns
EVIDENCE: incident response records, post-incident reviews
A.5.27 — Learning from information security incidents¶
REQUIRES: use knowledge from incidents to strengthen controls
GE_OWNER: mira, eltjo (Cross-Session Learning Analyst)
GE_IMPLEMENTATION: post-incident review → wiki learnings → JIT injection to agents. Knowledge synthesizer detects patterns.
EVIDENCE: post-incident review reports, updated learnings, wiki entries
A.5.28 — Collection of evidence¶
REQUIRES: establish procedures for evidence identification, collection, acquisition, and preservation
GE_OWNER: mira, julian
GE_IMPLEMENTATION: immutable logging, git history preservation, database audit trails, Redis stream retention
EVIDENCE: evidence handling procedure, chain of custody documentation
A.5.29 — Information security during disruption¶
REQUIRES: plan how to maintain security during disruptions
GE_OWNER: julian, otto (Backup Guardian)
GE_IMPLEMENTATION: backup procedures maintain security controls. Recovery procedures include security validation.
EVIDENCE: BCP with security provisions, recovery test results
A.5.30 — ICT readiness for business continuity (NEW)¶
REQUIRES: plan, implement, maintain, and test ICT readiness
GE_OWNER: otto (Backup Guardian), arjan
GE_IMPLEMENTATION: k3s recovery procedures, database backup/restore, agent recovery from registry
EVIDENCE: ICT continuity plan, backup test results, RTO/RPO documentation
A.5.31 — Legal, statutory, regulatory, and contractual requirements¶
REQUIRES: identify and document all applicable requirements
GE_OWNER: julian
GE_IMPLEMENTATION: regulatory register maintained in wiki (eu-regulation domain). Client contracts reviewed for security clauses.
EVIDENCE: regulatory register, compliance matrix
SEE_ALSO: domains/eu-regulation/index.md
A.5.32 — Intellectual property rights¶
REQUIRES: protect intellectual property rights
GE_OWNER: julian
GE_IMPLEMENTATION: license compliance scanning, open source policy, client IP ownership defined in contracts
EVIDENCE: license inventory, open source policy, contract IP clauses
A.5.33 — Protection of records¶
REQUIRES: protect records from loss, destruction, falsification, unauthorized access
GE_OWNER: julian, boris (Database Administrator)
GE_IMPLEMENTATION: database backups, access controls on records, retention policies, audit trails
EVIDENCE: records management policy, backup verification, access logs
A.5.34 — Privacy and protection of PII¶
REQUIRES: identify and meet privacy requirements for PII
GE_OWNER: julian
GE_IMPLEMENTATION: GDPR compliance framework, DPAs, DPIA process, ROPA
EVIDENCE: privacy policy, DPAs, DPIA reports, ROPA
SEE_ALSO: gdpr-implementation.md, gdpr-technical-measures.md
A.5.35 — Independent review of information security¶
REQUIRES: independently review ISMS at planned intervals or when significant changes occur
GE_OWNER: amber (internal), external auditor (certification)
GE_IMPLEMENTATION: annual internal audit programme, triennial certification audit
EVIDENCE: internal audit reports, external audit reports, management review of findings
A.5.36 — Compliance with policies, rules, and standards for information security¶
REQUIRES: regularly review compliance with security policies and standards
GE_OWNER: amber
GE_IMPLEMENTATION: amber audits agent compliance. Constitution adherence checked. Automated policy checks where possible.
EVIDENCE: compliance review reports, automated check results
A.5.37 — Documented operating procedures¶
REQUIRES: document operating procedures and make available to personnel who need them
GE_OWNER: julian (oversight), each domain owner (authoring)
GE_IMPLEMENTATION: wiki contains all operating procedures. JIT injection ensures relevant procedures available at point of use.
EVIDENCE: wiki procedure pages, JIT injection logs
A.6 — PEOPLE CONTROLS (8)¶
A.6.1 — Screening¶
REQUIRES: background verification checks on all candidates
GE_OWNER: hilrieke (Head of HR)
GE_CONTEXT: AI agents do not require traditional screening. Human employees/contractors do.
GE_IMPLEMENTATION: human screening per local law. Agent "screening" = profile validation, capability verification.
EVIDENCE: screening records (humans), agent validation logs
A.6.2 — Terms and conditions of employment¶
REQUIRES: employment agreements state information security responsibilities
GE_OWNER: hilrieke
GE_IMPLEMENTATION: human contracts include NDA + security clauses. Agent "terms" = constitution binding + capability restrictions.
EVIDENCE: employment contracts, constitution acknowledgment
A.6.3 — Information security awareness, education, and training¶
REQUIRES: all personnel receive appropriate awareness and training
GE_OWNER: julian (programme), hilrieke (delivery)
GE_IMPLEMENTATION: agent boot includes constitution + JIT learnings (continuous training). Wiki updates = ongoing education.
EVIDENCE: training programme, JIT injection logs, wiki update history
A.6.4 — Disciplinary process¶
REQUIRES: formal disciplinary process for information security violations
GE_OWNER: hilrieke
GE_IMPLEMENTATION: agent violations → discussion model → escalation. amber detects non-compliance. Agents can be suspended (set unavailable in registry).
EVIDENCE: disciplinary policy, violation records, corrective actions
A.6.5 — Responsibilities after termination or change of employment¶
REQUIRES: define and enforce security responsibilities that remain valid after termination/change
GE_OWNER: hilrieke
GE_IMPLEMENTATION: NDA survives termination. Agent decommissioning revokes all access.
EVIDENCE: post-termination policy, decommissioning records
A.6.6 — Confidentiality or non-disclosure agreements¶
REQUIRES: identify and regularly review NDA requirements
GE_OWNER: julian
GE_IMPLEMENTATION: all human contractors under NDA. Client NDAs standard. Agent confidentiality enforced by constitution principle.
EVIDENCE: NDA register, signed agreements
A.6.7 — Remote working¶
REQUIRES: implement security measures when personnel work remotely
GE_OWNER: julian
GE_CONTEXT: GE is fully remote. Agents run in k3s cluster.
GE_IMPLEMENTATION: VPN/SSH for human access, k3s network policies for agents, no local data storage on endpoints
EVIDENCE: remote working policy, network security configuration
A.6.8 — Information security event reporting¶
REQUIRES: provide mechanism for personnel to report security events
GE_OWNER: mira (Incident Commander)
GE_IMPLEMENTATION: admin-ui incident reporting, Redis stream alerts, agent anomaly detection by monitoring agents (annegreet, ron)
EVIDENCE: event reporting procedure, reported events log
A.7 — PHYSICAL CONTROLS (14)¶
GE_CONTEXT: GE operates primarily on Hetzner dedicated servers with k3s. Physical controls apply to the datacenter (Hetzner responsibility) and any human work locations.
A.7.1 — Physical security perimeters¶
GE_APPLICABILITY: PARTIAL — Hetzner datacenter responsibility. Human home offices per remote working policy.
GE_OWNER: arjan (infrastructure), gerco (Sysadmin)
EVIDENCE: Hetzner security certifications, remote working security checklist
A.7.2 — Physical entry¶
GE_APPLICABILITY: PARTIAL — Hetzner datacenter access controls.
EVIDENCE: Hetzner access control documentation
A.7.3 — Securing offices, rooms, and facilities¶
GE_APPLICABILITY: LIMITED — no corporate office. Home office guidance in remote working policy.
EVIDENCE: remote working policy
A.7.4 — Physical security monitoring (NEW)¶
GE_APPLICABILITY: PARTIAL — Hetzner provides datacenter monitoring.
EVIDENCE: Hetzner monitoring documentation
A.7.5 — Protecting against physical and environmental threats¶
GE_APPLICABILITY: PARTIAL — Hetzner datacenter protection (fire, flood, power).
EVIDENCE: Hetzner environmental protection documentation
A.7.6 — Working in secure areas¶
GE_APPLICABILITY: PARTIAL — Hetzner secure areas.
EVIDENCE: Hetzner secure area procedures
A.7.7 — Clear desk and clear screen¶
GE_OWNER: julian
GE_IMPLEMENTATION: human policy — lock screen, no sensitive data visible. Agents have no physical workspace.
EVIDENCE: clear desk/screen policy
A.7.8 — Equipment siting and protection¶
GE_APPLICABILITY: PARTIAL — server hardware at Hetzner.
EVIDENCE: Hetzner equipment protection documentation
A.7.9 — Security of assets off-premises¶
GE_OWNER: julian
GE_IMPLEMENTATION: encrypted devices for human workers. No data on removable media.
EVIDENCE: off-premises asset policy, device encryption verification
A.7.10 — Storage media¶
GE_OWNER: piotr, otto
GE_IMPLEMENTATION: encrypted storage, secure deletion, backup media encryption
EVIDENCE: storage media handling procedure
A.7.11 — Supporting utilities¶
GE_APPLICABILITY: Hetzner datacenter — UPS, redundant power, cooling
EVIDENCE: Hetzner utility documentation
A.7.12 — Cabling security¶
GE_APPLICABILITY: Hetzner datacenter
EVIDENCE: Hetzner cabling documentation
A.7.13 — Equipment maintenance¶
GE_APPLICABILITY: Hetzner maintains hardware. GE maintains software (k3s, OS updates).
GE_OWNER: gerco (OS), arjan (k3s)
EVIDENCE: maintenance records, update logs
A.7.14 — Secure disposal or re-use of equipment¶
GE_APPLICABILITY: Hetzner handles hardware disposal.
RULE: IF decommissioning a server THEN ensure data wiped before return to Hetzner
EVIDENCE: Hetzner disposal procedure, data wiping confirmation
A.8 — TECHNOLOGICAL CONTROLS (34)¶
A.8.1 — User endpoint devices¶
REQUIRES: protect information on endpoint devices
GE_OWNER: gerco (Sysadmin)
GE_IMPLEMENTATION: human devices: full disk encryption, OS updates, antivirus. Agent endpoints: k3s pod security.
EVIDENCE: endpoint policy, device compliance checks
A.8.2 — Privileged access rights¶
REQUIRES: restrict and manage privileged access
GE_OWNER: piotr
GE_IMPLEMENTATION: k8s RBAC, Vault policies, sudo access controlled, admin-ui WebAuthn
EVIDENCE: privileged access inventory, RBAC configuration, access review logs
A.8.3 — Information access restriction¶
REQUIRES: restrict access to information per access control policy
GE_OWNER: piotr
GE_IMPLEMENTATION: k8s namespaces, network policies, database role-based access, Vault path-based secrets
EVIDENCE: access restriction configuration, network policies
A.8.4 — Access to source code¶
REQUIRES: manage access to source code and related items
GE_OWNER: marta (GitHub Goalkeeper)
GE_IMPLEMENTATION: git branch protection, PR review required, no direct pushes to main. Agent push access scoped by role.
EVIDENCE: git configuration, branch protection rules, PR logs
A.8.5 — Secure authentication¶
REQUIRES: implement secure authentication mechanisms
GE_OWNER: piotr, hugo (Identity Guardian)
GE_IMPLEMENTATION: WebAuthn (passwordless) for admin-ui, API tokens for agents, mTLS where applicable
EVIDENCE: authentication configuration, WebAuthn setup, token management procedure
A.8.6 — Capacity management¶
REQUIRES: monitor and adjust resource capacity
GE_OWNER: nessa (Performance Engineer)
GE_IMPLEMENTATION: k8s resource limits, HPA (capped at 5), monitoring dashboards, cost gates
EVIDENCE: resource configuration, HPA settings, capacity reports
A.8.7 — Protection against malware¶
REQUIRES: implement malware protection
GE_OWNER: victoria
GE_IMPLEMENTATION: container image scanning (trivy), minimal base images, no arbitrary code execution, pod security standards
EVIDENCE: scan results, image policies, PSS configuration
A.8.8 — Management of technical vulnerabilities¶
REQUIRES: obtain, assess, and take action on technical vulnerabilities
GE_OWNER: victoria
GE_IMPLEMENTATION: trivy scanning (containers + dependencies), semgrep (code), CVE monitoring, patch SLAs
PATCH_SLA: critical=24h, high=72h, medium=2w, low=next release
EVIDENCE: vulnerability scan reports, patch records, SLA compliance reports
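Added example, not GE's compliance tooling: computing patch deadlines and SLA status from scanner findings using the PATCH_SLA values on this page. The finding records below are a constructed, trivy-like shape (not trivy's actual JSON schema), the CVE ids are placeholders, and treating LOW as having no fixed deadline follows the "next release" wording above.

```python
# Added example: patch SLA deadlines and compliance status per finding.
# SLA windows come from this page; the finding shape and ids are constructed.
from datetime import datetime, timedelta, timezone

# Deadlines as stated on the page; LOW has no fixed deadline ("next release").
PATCH_SLA = {
    "CRITICAL": timedelta(hours=24),
    "HIGH": timedelta(hours=72),
    "MEDIUM": timedelta(weeks=2),
}


def sla_deadline(severity: str, detected_at: datetime):
    """Deadline for a finding, or None when the severity carries no fixed SLA."""
    window = PATCH_SLA.get(severity.upper())
    return None if window is None else detected_at + window


def sla_status(finding: dict, now: datetime) -> str:
    """One of: no-sla, open, overdue, fixed-in-sla, fixed-late."""
    deadline = sla_deadline(finding["severity"], finding["detected_at"])
    if deadline is None:
        return "no-sla"
    fixed = finding.get("fixed_at")
    if fixed is not None:
        return "fixed-in-sla" if fixed <= deadline else "fixed-late"
    return "overdue" if now > deadline else "open"


def sla_report(findings: list[dict], now: datetime) -> dict:
    """Per-finding statuses plus the compliance ratio over findings that have an SLA."""
    rows = [{"id": f["id"], "severity": f["severity"], "status": sla_status(f, now)}
            for f in findings]
    scoped = [r for r in rows if r["status"] != "no-sla"]
    compliant = [r for r in scoped if r["status"] in ("open", "fixed-in-sla")]
    ratio = len(compliant) / len(scoped) if scoped else 1.0
    return {"rows": rows, "compliance_ratio": ratio}


# Constructed sample findings; CVE ids are placeholders, not real identifiers.
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"id": "CVE-PLACEHOLDER-1", "severity": "CRITICAL",
     "detected_at": NOW - timedelta(hours=30), "fixed_at": None},
    {"id": "CVE-PLACEHOLDER-2", "severity": "HIGH",
     "detected_at": NOW - timedelta(hours=48), "fixed_at": None},
    {"id": "CVE-PLACEHOLDER-3", "severity": "MEDIUM",
     "detected_at": NOW - timedelta(days=20), "fixed_at": NOW - timedelta(days=10)},
    {"id": "CVE-PLACEHOLDER-4", "severity": "LOW",
     "detected_at": NOW - timedelta(days=60), "fixed_at": None},
]

if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, NOW)
    for row in report["rows"]:
        print(f"{row['id']:22} {row['severity']:9} {row['status']}")
    print(f"compliance: {report['compliance_ratio']:.0%}")
```

The compliance ratio counts fixed-late findings as failures even though they are closed, which is what an auditor checking SLA adherence (rather than current exposure) will ask for.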
A.8.9 — Configuration management (NEW)¶
REQUIRES: establish, document, implement, monitor, and review security configurations
GE_OWNER: arjan (infrastructure), alex/tjitte (CI/CD)
GE_IMPLEMENTATION: GitOps — all configuration in git. kube-bench for CIS benchmarks. No manual configuration changes.
EVIDENCE: git configuration history, kube-bench reports, configuration baseline documents
A.8.10 — Information deletion (NEW)¶
REQUIRES: delete information when no longer required
GE_OWNER: boris (Database Administrator)
GE_IMPLEMENTATION: retention policies per data classification, automated deletion jobs, secure delete for classified data
EVIDENCE: retention policy, deletion job logs, verification records
A.8.11 — Data masking (NEW)¶
REQUIRES: mask data per policies, considering legislation
GE_OWNER: boris
GE_IMPLEMENTATION: PII masking in logs, test data anonymization, production data never in non-production environments
EVIDENCE: masking rules, implementation evidence, log samples showing masking
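Added example, not GE's masking implementation: regex-based masking of e-mail addresses, IPv4 addresses and bearer tokens in log lines, producing both the masked lines and per-category counts that can serve as "log samples showing masking" evidence. The patterns, the masking style (first character plus domain kept for e-mail, last octet blanked for addresses) and the sample lines are constructed assumptions.

```python
# Added example: PII masking for log lines with per-category counts.
# Patterns and sample log lines are constructed for illustration.
import re
from collections import Counter


def _mask_email(m: re.Match) -> str:
    # Keep the first character and the domain so entries stay correlatable.
    local, _, domain = m.group(0).partition("@")
    return f"{local[0]}***@{domain}"


def _mask_ip(m: re.Match) -> str:
    # Blank the host part; the /24 remains useful for incident correlation.
    return m.group(0).rsplit(".", 1)[0] + ".xxx"


def _mask_bearer(m: re.Match) -> str:
    return m.group(1) + "[REDACTED]"


# Order matters: tokens first, so a token is never partially consumed by the
# e-mail or address patterns.
RULES = [
    ("bearer_token", re.compile(r"(Bearer\s+)[A-Za-z0-9\-._~+/]+=*"), _mask_bearer),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), _mask_email),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), _mask_ip),
]


def mask_line(line: str) -> tuple[str, Counter]:
    """Apply every rule to one line; return the masked line and match counts."""
    counts: Counter = Counter()
    for name, pattern, repl in RULES:
        line, n = pattern.subn(repl, line)
        counts[name] += n
    return line, counts


def mask_log(lines: list[str]) -> tuple[list[str], Counter]:
    """Mask every line; return masked lines and per-category totals (evidence)."""
    total: Counter = Counter()
    out = []
    for line in lines:
        masked, counts = mask_line(line)
        out.append(masked)
        total.update(counts)
    return out, total


# Constructed sample log lines (example.com/.org and 192.0.2.0/24 are reserved
# documentation values, not real addresses).
SAMPLE_LOG = [
    'auth ok user=alice.jones@example.com src=10.0.12.77 token="Bearer abc.DEF-123"',
    "agent=annegreet fetched 3 records for client bob@example.org from 192.0.2.45",
    "health check from 10.0.12.1 ok",
]

if __name__ == "__main__":
    masked, totals = mask_log(SAMPLE_LOG)
    print("\n".join(masked))
    print(dict(totals))
```

Masking at the point of emission (inside the logging formatter) is stronger than masking a stored log afterwards, because the unmasked value then never reaches centralized storage or its backups.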
A.8.12 — Data leakage prevention (NEW)¶
REQUIRES: apply DLP measures to systems, networks, devices
GE_OWNER: victoria
GE_IMPLEMENTATION: secrets scanning in CI/CD (prevent credential leaks), network policies restrict egress, agent capability restrictions prevent data exfiltration
EVIDENCE: DLP policy, scanning configuration, blocked leak attempts
A.8.13 — Information backup¶
REQUIRES: maintain and regularly test backup copies
GE_OWNER: otto (Backup Guardian)
GE_IMPLEMENTATION: PostgreSQL automated backups, git repository backups, Vault backup, ETCD backup for k3s
SCHEDULE: DB daily, git continuous, Vault daily, ETCD daily
TEST: monthly restore test
EVIDENCE: backup job logs, restore test results
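Added example, not otto's actual backup tooling: a freshness check that reads backup job log lines, keeps the newest SUCCESS per target, and reports anything older than the SCHEDULE above or a restore test older than a month. The log line format, the one-hour bound used for "continuous" git backups, the 31-day bound for "monthly", and the sample entries are assumptions.

```python
# Added example: backup freshness and restore-test check against the schedule.
# Log format, the bound for "continuous", and sample entries are constructed.
from datetime import datetime, timedelta, timezone

# Maximum age of the newest successful backup, derived from the SCHEDULE line.
# "continuous" for git has no stated bound; one hour is an assumption here.
MAX_AGE = {
    "postgresql": timedelta(days=1),
    "git": timedelta(hours=1),
    "vault": timedelta(days=1),
    "etcd": timedelta(days=1),
}
RESTORE_TEST_MAX_AGE = timedelta(days=31)  # "monthly restore test"


def parse_backup_log(lines: list[str]) -> dict[str, datetime]:
    """Return the newest SUCCESS timestamp per target from '<iso-ts> <target> <RESULT> ...' lines."""
    last_success: dict[str, datetime] = {}
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # malformed line: ignored here, would be flagged in production
        ts, target, result = parts[0], parts[1], parts[2]
        if result != "SUCCESS":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if target not in last_success or when > last_success[target]:
            last_success[target] = when
    return last_success


def backup_findings(last_success: dict[str, datetime], last_restore_test, now: datetime) -> list[str]:
    """List every schedule breach; an empty list means all backups are within schedule."""
    problems = []
    for target, max_age in MAX_AGE.items():
        ts = last_success.get(target)
        if ts is None:
            problems.append(f"{target}: no successful backup recorded")
        elif now - ts > max_age:
            problems.append(f"{target}: last success {now - ts} ago exceeds {max_age}")
    if last_restore_test is None or now - last_restore_test > RESTORE_TEST_MAX_AGE:
        problems.append("restore test overdue")
    return problems


# Constructed sample: vault never succeeded, etcd is stale, restore test is late.
SAMPLE_LOG = """\
2026-03-22T02:00:10Z etcd SUCCESS
2026-03-23T02:00:11Z postgresql SUCCESS
2026-03-23T02:05:40Z vault FAILURE disk full
2026-03-24T11:30:02Z git SUCCESS
2026-03-24T02:00:09Z postgresql SUCCESS
"""
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
LAST_RESTORE_TEST = datetime(2026, 2, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    findings = backup_findings(parse_backup_log(SAMPLE_LOG.splitlines()), LAST_RESTORE_TEST, NOW)
    print("\n".join(findings) if findings else "all backups within schedule")
```

Checking the newest success rather than the newest run is the point: a job that runs on time but fails every night still leaves the target unprotected, as the vault entry in the sample shows.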
A.8.14 — Redundancy of information processing facilities¶
REQUIRES: implement redundancy for availability requirements
GE_OWNER: arjan
GE_IMPLEMENTATION: k3s single-node (current limitation). Database replication planned. Multi-replica deployments for critical workloads.
NOTE: single-node is a known risk — documented in risk register with acceptance by management
EVIDENCE: architecture documentation, redundancy configuration, risk acceptance
A.8.15 — Logging¶
REQUIRES: produce, store, protect, and analyze logs
GE_OWNER: victoria, gerco
GE_IMPLEMENTATION: k8s audit logging, application logs, Redis stream logs, database audit trail. Centralized logging.
RETENTION: minimum 90 days online, 1 year archived
EVIDENCE: logging configuration, log samples, retention verification
A.8.16 — Monitoring activities (NEW)¶
REQUIRES: monitor networks, systems, and applications for anomalous behavior
GE_OWNER: victoria, annegreet, ron, mira
GE_IMPLEMENTATION: Falco for runtime security, monitoring agents for pattern detection, cost gates for anomalous spend
EVIDENCE: monitoring configuration, alert rules, incident correlation reports
A.8.17 — Clock synchronization¶
REQUIRES: synchronize clocks of information processing systems
GE_OWNER: gerco
GE_IMPLEMENTATION: NTP configured on all nodes, k3s uses host clock
EVIDENCE: NTP configuration, time sync verification
A.8.18 — Use of privileged utility programs¶
REQUIRES: restrict and control use of privileged utilities
GE_OWNER: gerco
GE_IMPLEMENTATION: sudo access restricted, k8s exec limited by RBAC, no kubectl cp allowed
EVIDENCE: privilege restriction configuration
A.8.19 — Installation of software on operational systems¶
REQUIRES: control software installation
GE_OWNER: arjan, gerco
GE_IMPLEMENTATION: immutable container images, no runtime installs, all software via Dockerfile + CI/CD pipeline
EVIDENCE: container image build logs, Dockerfile history
A.8.20 — Networks security¶
REQUIRES: secure, manage, and control networks
GE_OWNER: stef (Network Engineer)
GE_IMPLEMENTATION: k8s network policies, firewall rules, no unnecessary open ports, TLS everywhere
EVIDENCE: network policy manifests, firewall configuration, port scan results
A.8.21 — Security of network services¶
REQUIRES: identify, implement, and monitor security of network services
GE_OWNER: stef
GE_IMPLEMENTATION: TLS for all services, certificate management (jette), ingress controller security, API gateway
EVIDENCE: TLS configuration, certificate inventory, service security assessment
A.8.22 — Segregation of networks¶
REQUIRES: segregate networks by group of information services, users, or systems
GE_OWNER: stef
GE_IMPLEMENTATION: k8s namespaces (ge-system, ge-agents, ge-wiki), network policies between namespaces
EVIDENCE: namespace configuration, network policy manifests
A.8.23 — Web filtering (NEW)¶
REQUIRES: manage access to external websites to reduce exposure
GE_OWNER: stef
GE_IMPLEMENTATION: egress network policies restrict outbound access. Agents cannot access arbitrary URLs.
EVIDENCE: egress policy configuration, allowed/blocked lists
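Added example covering A.8.22 and A.8.23, not GE's own configuration checks: an audit over parsed NetworkPolicy manifests that requires each of the namespaces named on this page (ge-system, ge-agents, ge-wiki) to carry a default-deny policy for ingress and egress, and flags egress rules that allow any destination. The manifests are constructed Python dicts in the shape kubectl would produce from YAML; the policy names and the 203.0.113.0/24 CIDR (a reserved documentation range) are placeholders.

```python
# Added example: audit NetworkPolicy manifests for namespace segregation and
# egress restriction. Namespace names come from this page; manifests are constructed.
from collections import defaultdict

REQUIRED_NAMESPACES = ["ge-system", "ge-agents", "ge-wiki"]


def is_default_deny(policy: dict) -> bool:
    """True for a policy selecting all pods, covering both directions, with no allow rules."""
    spec = policy.get("spec", {})
    return (spec.get("podSelector") == {}
            and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
            and not spec.get("ingress")
            and not spec.get("egress"))


def permissive_egress_rules(policy: dict) -> list[str]:
    """Describe egress rules that do not restrict the destination."""
    name = policy["metadata"]["name"]
    problems = []
    for rule in policy.get("spec", {}).get("egress", []) or []:
        if not rule.get("to"):
            problems.append(f"{name}: egress rule without 'to' allows all destinations")
            continue
        for peer in rule["to"]:
            if peer.get("ipBlock", {}).get("cidr") in ("0.0.0.0/0", "::/0"):
                problems.append(f"{name}: egress ipBlock {peer['ipBlock']['cidr']} allows all destinations")
    return problems


def audit_network_policies(manifests: list[dict]) -> dict[str, list[str]]:
    """Findings per required namespace; an empty list means the namespace passes."""
    by_ns = defaultdict(list)
    for m in manifests:
        if m.get("kind") == "NetworkPolicy":
            by_ns[m["metadata"]["namespace"]].append(m)
    findings = {}
    for ns in REQUIRED_NAMESPACES:
        policies = by_ns.get(ns, [])
        problems = []
        if not any(is_default_deny(p) for p in policies):
            problems.append("no default-deny policy covering ingress and egress")
        for p in policies:
            problems.extend(permissive_egress_rules(p))
        findings[ns] = problems
    return findings


# Constructed manifests: ge-agents is correct, ge-system has an open egress
# rule, ge-wiki has no policy at all.
SAMPLE_MANIFESTS = [
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "ge-agents"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-llm-egress", "namespace": "ge-agents"},
     "spec": {"podSelector": {"matchLabels": {"role": "agent"}}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "203.0.113.0/24"}}],
                          "ports": [{"port": 443, "protocol": "TCP"}]}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "ge-system"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-any-egress", "namespace": "ge-system"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"ports": [{"port": 443, "protocol": "TCP"}]}]}},
]

if __name__ == "__main__":
    for ns, problems in audit_network_policies(SAMPLE_MANIFESTS).items():
        print(ns, "OK" if not problems else "; ".join(problems))
```

The two failure modes the sample exercises are the ones that silently undo segregation: a namespace with no policy at all (Kubernetes allows everything by default) and an egress rule that names ports but no peers, which allows those ports to every destination.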
A.8.24 — Use of cryptography¶
REQUIRES: define and implement rules for effective use of cryptography
GE_OWNER: piotr, jette (Certificate Manager)
GE_IMPLEMENTATION: TLS 1.3, AES-256 at rest, RSA-2048+ / ECDSA for certificates, Vault for key management
RULE: minimum key lengths documented in crypto policy
EVIDENCE: crypto policy, certificate inventory, encryption configuration
A.8.25 — Secure development life cycle¶
REQUIRES: establish and apply rules for secure development
GE_OWNER: julian (policy), koen/eric (Code Review)
GE_IMPLEMENTATION: secure coding standards (CODEBASE-STANDARDS.md), mandatory code review, security testing (ashley = adversarial), semgrep in CI
EVIDENCE: secure SDLC policy, code review logs, security test results
A.8.26 — Application security requirements¶
REQUIRES: identify, specify, and approve information security requirements for applications
GE_OWNER: anna (Formal Specification Agent)
GE_IMPLEMENTATION: anna produces formal specifications with security requirements for every work package
EVIDENCE: specification documents with security requirements section
A.8.27 — Secure system architecture and engineering principles¶
REQUIRES: establish, document, maintain, and apply secure engineering principles
GE_OWNER: julian
GE_IMPLEMENTATION: defense in depth, least privilege, zero trust networking, immutable infrastructure. Documented in wiki security domain.
EVIDENCE: architecture documents, security principles document
SEE_ALSO: domains/security/secure-design-patterns.md
A.8.28 — Secure coding (NEW)¶
REQUIRES: apply secure coding principles to software development
GE_OWNER: koen/eric (Code Review), julian (standards)
GE_IMPLEMENTATION: semgrep rules mapped to OWASP, code review checklist includes security, CODEBASE-STANDARDS.md, antje writes security tests
EVIDENCE: secure coding standard, semgrep configuration, code review checklists, test results
A.8.29 — Security testing in development and acceptance¶
REQUIRES: define and implement security testing processes
GE_OWNER: ashley (Adversarial Agent), marije/judith (Testing Lead)
GE_IMPLEMENTATION: ashley runs adversarial testing pre-deployment, jasper reconciles test results, SAST (semgrep), dependency scanning (trivy)
EVIDENCE: security test plans, test results, vulnerability findings
A.8.30 — Outsourced development¶
REQUIRES: direct, monitor, and review outsourced development
GE_OWNER: julian
GE_CONTEXT: GE does not outsource development (agents do it). BUT GE uses third-party LLM APIs.
GE_IMPLEMENTATION: LLM provider security assessment, API usage monitoring, output validation
EVIDENCE: provider assessments, monitoring reports
A.8.31 — Separation of development, test, and production environments¶
REQUIRES: separate and secure development, testing, and production environments
GE_OWNER: arjan, alex/tjitte
GE_IMPLEMENTATION: k8s namespaces, separate configurations, production data never in dev/test, environment-specific secrets
EVIDENCE: environment architecture, namespace configuration, data separation verification
A.8.32 — Change management¶
REQUIRES: manage changes to information processing facilities and systems
GE_OWNER: marta (GitHub Goalkeeper), leon (Deployment Coordinator)
GE_IMPLEMENTATION: all changes via git PR, code review required, CI/CD pipeline, deployment approval, rollback capability
EVIDENCE: change management procedure, PR history, deployment logs
A.8.33 — Test information¶
REQUIRES: select, protect, and manage test information
GE_OWNER: marije/judith, antje
GE_IMPLEMENTATION: test data generated, not copied from production. If production data needed, anonymized first (A.8.11).
EVIDENCE: test data management procedure, anonymization evidence
A.8.34 — Protection of information systems during audit testing¶
REQUIRES: plan and agree audit tests to minimize impact
GE_OWNER: amber (audit), julian
GE_IMPLEMENTATION: audit testing in non-production or with read-only access. Penetration testing (pol) scheduled and scoped.
EVIDENCE: audit test plans, penetration test scope agreements
CONTROL_SUMMARY_BY_AGENT¶
JULIAN (Compliance Officer): A.5.1, A.5.2, A.5.5, A.5.6, A.5.10, A.5.12, A.5.13, A.5.14, A.5.15, A.5.19, A.5.20, A.5.22, A.5.31, A.5.32, A.5.34, A.5.37, A.6.6, A.6.7, A.7.7, A.7.9, A.8.25, A.8.27, A.8.30, A.8.34
AMBER (Internal Auditor): A.5.3, A.5.18, A.5.35, A.5.36, A.8.34
VICTORIA (Security Operations): A.5.7, A.8.7, A.8.8, A.8.12, A.8.15, A.8.16
MIRA (Incident Commander): A.5.24, A.5.25, A.5.26, A.5.27, A.5.28
PIOTR (Secrets Manager): A.5.15, A.5.17, A.5.18, A.8.2, A.8.3, A.8.24
BORIS (Database Administrator): A.5.33, A.8.10, A.8.11
MARTA (GitHub Goalkeeper): A.8.4, A.8.32
ARJAN (Infrastructure): A.5.9, A.5.23, A.8.14, A.8.19, A.8.31
OTTO (Backup Guardian): A.5.29, A.5.30, A.8.13
STEF (Network Engineer): A.8.20, A.8.21, A.8.22, A.8.23
GERCO (Sysadmin): A.7.13, A.8.1, A.8.15, A.8.17, A.8.18, A.8.19
KOEN/ERIC (Code Review): A.8.25, A.8.28
ASHLEY (Adversarial Agent): A.8.29
ANNA (Formal Specification): A.8.26
HILRIEKE (Head of HR): A.5.11, A.6.1, A.6.2, A.6.3, A.6.4, A.6.5
HUGO (Identity Guardian): A.5.16, A.8.5
FAYE (Project Manager): A.5.8
NESSA (Performance Engineer): A.8.6
JETTE (Certificate Manager): A.8.21, A.8.24
SEE_ALSO: iso27001-overview.md, iso27001-evidence-map.md, compliance-automation.md
READ_ALSO: domains/security/index.md, CODEBASE-STANDARDS.md