Proof of ISO / Security Certifications

Corona Management System (CMS) does not currently hold ISO 27001 certification. Nevertheless, CMS has implemented information security controls that align with the intent and requirements of the ISO 27001 standard. The attached control mapping provides a detailed cross-reference between CMS's existing controls and the relevant ISO/IEC 27001 control requirements.

ISO 27001 Domain	Control Reference	CMS Practice / Evidence
A.5 Organisational	A.5.1 Policies for information security	CMS maintains internal information security policies covering acceptable use, access control, incident response, and data handling, reviewed annually.
A.5 Organisational	A.5.2 Roles and responsibilities	Defined project roles assigned: Project Manager, Lead Systems Engineer, Security Lead, and Network Engineer; each with documented security responsibilities.
A.5 Organisational	A.5.10 Acceptable use of assets	All personnel operate under an Acceptable Use Policy (AUP) for systems, data, and GBB-hosted assets. Acknowledgement required before any site access is granted.
A.5 Organisational	A.5.15 Access control	Access is granted on a least-privilege, need-to-know basis. Role-based access controls applied to all project resources and configuration tools.
A.5 Organisational	A.5.24 Incident management planning	Documented incident response procedure in place. Any security event during project delivery will be escalated within 2 hours to GBB Security Operations and the NAISH project lead.
A.6 People	A.6.1 Screening	All CMS personnel deployed to the GBB data centre will have undergone background verification. CVs and certifications are on file and available for review by NAISH/NCAIR on request.
A.6 People	A.6.3 Security awareness and training	Team members hold recognised certifications (CCNA, CompTIA Security+, NVIDIA DGX training). Annual security awareness training is mandatory for all staff.
A.6 People	A.6.5 Responsibilities after termination	Offboarding procedures ensure all credentials are revoked and physical assets returned immediately upon project completion or any personnel change.
A.7 Physical	A.7.1 Physical security perimeters	CMS personnel will operate strictly within GBB-authorised physical boundaries. No access will be sought or used beyond the designated rack/cage area.
A.7 Physical	A.7.2 Physical entry controls	Access to the GBB Tier III data centre will comply with all GBB visitor and contractor protocols: ID verification, escorted entry, and access logging.
A.7 Physical	A.7.8 Equipment siting and protection	The node will be installed in the rack space confirmed during site assessment, ensuring optimal airflow, cable management, and physical security.
A.8 Technological	A.8.2 Privileged access rights	Privileged access (root/admin) controlled via individual named accounts only. Shared credentials are prohibited. All privileged sessions are logged.
A.8 Technological	A.8.5 Secure authentication	Multi-factor authentication (MFA) implemented for remote access. SSH key-based authentication enforced; password-only access disabled on all deployed systems.
A.8 Technological	A.8.7 Protection against malware	Endpoint protection deployed on management interfaces. Systems are patched and hardened per CIS Benchmarks for the relevant OS before handover.
A.8 Technological	A.8.8 Technical vulnerability management	Pre-delivery vulnerability assessment conducted on OS, drivers, and AI frameworks. Critical CVEs remediated before acceptance testing commences.
A.8 Technological	A.8.12 Data leakage prevention	Only synthetic benchmark data will be processed during installation and commissioning. No personal, government, or production data will be loaded by the CMS.
A.8 Technological	A.8.20 Network security	System integration into the GBB network will follow GBB network standards. Segmentation and firewall rules configured per GBB Ops requirements.
A.8 Technological	A.8.24 Use of cryptography	All remote connections use TLS 1.2+ or SSH. Cryptographic standards align with NIST guidelines and GBB policy requirements.
A.8 Technological	A.8.32 Change management	All configuration changes are documented, approved, and logged throughout implementation. Full change log included in handover documentation.

ISO 27001 Domain	Control Reference	CMS Practice / Evidence
A.5 Organisational	A.5.1 Policies for information security	CMS maintains internal information security policies covering acceptable use, access control, incident response, and data handling, reviewed annually.
A.5 Organisational	A.5.2 Roles and responsibilities	Defined project roles assigned: Project Manager, Lead Systems Engineer, Security Lead, and Network Engineer; each with documented security responsibilities.
A.5 Organisational	A.5.10 Acceptable use of assets	All personnel operate under an Acceptable Use Policy (AUP) for systems, data, and GBB-hosted assets. Acknowledgement required before any site access is granted.
A.5 Organisational	A.5.15 Access control	Access is granted on a least-privilege, need-to-know basis. Role-based access controls applied to all project resources and configuration tools.
A.5 Organisational	A.5.24 Incident management planning	Documented incident response procedure in place. Any security event during project delivery will be escalated within 2 hours to GBB Security Operations and the NAISH project lead.
A.6 People	A.6.1 Screening	All CMS personnel deployed to the GBB data centre will have undergone background verification. CVs and certifications are on file and available for review by NAISH/NCAIR on request.
A.6 People	A.6.3 Security awareness and training	Team members hold recognised certifications (CCNA, CompTIA Security+, NVIDIA DGX training). Annual security awareness training is mandatory for all staff.
A.6 People	A.6.5 Responsibilities after termination	Offboarding procedures ensure all credentials are revoked and physical assets returned immediately upon project completion or any personnel change.
A.7 Physical	A.7.1 Physical security perimeters	CMS personnel will operate strictly within GBB-authorised physical boundaries. No access will be sought or used beyond the designated rack/cage area.
A.7 Physical	A.7.2 Physical entry controls	Access to the GBB Tier III data centre will comply with all GBB visitor and contractor protocols: ID verification, escorted entry, and access logging.
A.7 Physical	A.7.8 Equipment siting and protection	The node will be installed in the rack space confirmed during site assessment, ensuring optimal airflow, cable management, and physical security.
A.8 Technological	A.8.2 Privileged access rights	Privileged access (root/admin) controlled via individual named accounts only. Shared credentials are prohibited. All privileged sessions are logged.
A.8 Technological	A.8.5 Secure authentication	Multi-factor authentication (MFA) implemented for remote access. SSH key-based authentication enforced; password-only access disabled on all deployed systems.
A.8 Technological	A.8.7 Protection against malware	Endpoint protection deployed on management interfaces. Systems are patched and hardened per CIS Benchmarks for the relevant OS before handover.
A.8 Technological	A.8.8 Technical vulnerability management	Pre-delivery vulnerability assessment conducted on OS, drivers, and AI frameworks. Critical CVEs remediated before acceptance testing commences.
A.8 Technological	A.8.12 Data leakage prevention	Only synthetic benchmark data will be processed during installation and commissioning. No personal, government, or production data will be loaded by the CMS.
A.8 Technological	A.8.20 Network security	System integration into the GBB network will follow GBB network standards. Segmentation and firewall rules configured per GBB Ops requirements.
A.8 Technological	A.8.24 Use of cryptography	All remote connections use TLS 1.2+ or SSH. Cryptographic standards align with NIST guidelines and GBB policy requirements.
A.8 Technological	A.8.32 Change management	All configuration changes are documented, approved, and logged throughout implementation. Full change log included in handover documentation.

Proof of ISO / Security Certifications

Get Insights

Proof of ISO / Security Certifications