Thesmios

ISO 27001 and 27701

Security and privacy evidence that procurement can inspect.

The ISMS and PIMS evidence room maps information-security and privacy controls to working product evidence. It is readiness evidence, not a self-issued certificate.

Control status summary: Operating 3 | Audit-ready 4 | In progress 2 | External 1

Control evidence

ISMS scope and context
ISO/IEC 27001:2022 | status: ready for audit
The security programme scope covers the passport platform, API surfaces, credential signing, audit logging and customer data handling.

Risk assessment and treatment
ISO/IEC 27001:2022 | status: ready for audit
Issuer failures, stale evidence, access scopes, AI score limits and subprocessor risks are tracked with treatment owners.

Access control and identity
ISO/IEC 27001:2022 | status: operating
SCIM, SAML and OIDC surfaces support enterprise identity, while Supabase RLS policies enforce subject and verifier boundaries.

Cryptography and key management
ISO/IEC 27001:2022 | status: operating
Credentials are signed with DID-resolvable Ed25519 issuer keys and carry status-list references for revocation checking.
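The cryptography control above names two verifier-side checks: resolve the issuer's Ed25519 key through its DID, verify the signature, then consult the referenced status list before trusting the credential. The Go program below is an added illustration of that pattern, not Thesmios code. The credential field names, the did:example identifiers, the status-list ids and the in-memory Resolver that stands in for real DID resolution are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Credential is a constructed, minimal payload; the field names are assumptions
// for this example, not Thesmios's schema.
type Credential struct {
	Issuer      string `json:"issuer"`       // issuer DID (constructed), e.g. did:example:acme
	KeyID       string `json:"kid"`          // key fragment; resolver key is issuer+"#"+kid
	Subject     string `json:"subject"`
	Claim       string `json:"claim"`
	StatusList  string `json:"statusListId"` // which status list holds this credential's bit
	StatusIndex int    `json:"statusIndex"`  // bit position inside that list
}

// SignedCredential carries the payload plus a base64url Ed25519 signature over its JSON bytes.
type SignedCredential struct {
	Credential Credential `json:"credential"`
	Signature  string     `json:"signature"`
}

// StatusList is a revocation bitstring: bit i set means index i is revoked.
type StatusList struct{ Bits []byte }

func NewStatusList(capacity int) *StatusList { return &StatusList{Bits: make([]byte, (capacity+7)/8)} }
func (s *StatusList) Revoke(i int)           { s.Bits[i/8] |= 1 << uint(i%8) }

// IsRevoked fails closed: an index outside the list is reported as revoked.
func (s *StatusList) IsRevoked(i int) bool {
	if i < 0 || i/8 >= len(s.Bits) {
		return true
	}
	return s.Bits[i/8]&(1<<uint(i%8)) != 0
}

// Resolver is a stand-in for DID resolution: DID URL (did#kid) -> public key.
type Resolver map[string]ed25519.PublicKey

type Issuer struct {
	DID, KeyID string
	priv       ed25519.PrivateKey
}

// NewIssuer generates a fresh Ed25519 key pair and publishes its public half via the resolver.
func NewIssuer(did, kid string, r Resolver) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r[did+"#"+kid] = pub
	return &Issuer{DID: did, KeyID: kid, priv: priv}, nil
}

// Issue signs the JSON payload. encoding/json emits struct fields in declaration order, which is
// deterministic here; production code would use a canonicalization scheme such as JCS.
func (iss *Issuer) Issue(subject, claim, listID string, index int) (SignedCredential, error) {
	c := Credential{Issuer: iss.DID, KeyID: iss.KeyID, Subject: subject, Claim: claim, StatusList: listID, StatusIndex: index}
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	sig := ed25519.Sign(iss.priv, payload)
	return SignedCredential{Credential: c, Signature: base64.RawURLEncoding.EncodeToString(sig)}, nil
}

var ErrUnknownKey = errors.New("issuer key not resolvable")
var ErrBadSignature = errors.New("signature does not verify")
var ErrUnknownList = errors.New("status list not available")
var ErrRevoked = errors.New("credential revoked")

// Verify checks the signature before the status list, so a forged payload cannot simply
// point at a clean status index; a missing list is an error, never an implicit "valid".
func Verify(sc SignedCredential, r Resolver, lists map[string]*StatusList) error {
	pub, ok := r[sc.Credential.Issuer+"#"+sc.Credential.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	payload, err := json.Marshal(sc.Credential)
	if err != nil {
		return err
	}
	sig, err := base64.RawURLEncoding.DecodeString(sc.Signature)
	if err != nil || !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	list, ok := lists[sc.Credential.StatusList]
	if !ok {
		return ErrUnknownList
	}
	if list.IsRevoked(sc.Credential.StatusIndex) {
		return ErrRevoked
	}
	return nil
}
```

The order of checks is the point worth keeping when mapping this control to evidence: signature verification binds the status-list reference to the issuer, and the status lookup fails closed on an unknown list or an out-of-range index, so an auditor can see that revocation cannot be bypassed by editing the reference.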

Incident and vulnerability management
ISO/IEC 27001:2022 | status: ready for audit
Responsible disclosure, private bug bounty scope, incident status and reporting channels are public.

PIMS scope and privacy roles
ISO/IEC 27701:2025 | status: ready for audit
The passport model separates employee owner, employer verifier, reviewer and issuer roles with purpose-bound access grants.

Data minimisation and selective disclosure
ISO/IEC 27701:2025 | status: operating
Recipient-bound presentations disclose claim, status and source by default while redacting underlying values unless the holder chooses otherwise.

Subprocessor and transfer register
ISO/IEC 27701:2025 | status: in progress
The subprocessor disclosure is public; production data-transfer mechanisms and DPA attachments still need customer-specific execution.

DSAR, retention and erasure
ISO/IEC 27701:2025 | status: in progress
Owner-controlled export and sharing are live; production DSAR and retention automation require tenant policies before the certification audit.

External certification
ISO/IEC 27001:2022 | status: external auditor required
ISO certificates are issued only by accredited certification bodies after audit. Thesmios publishes readiness evidence but does not self-certify.

No fake certificate claim

ISO certificates require an accredited external audit. Thesmios exposes readiness evidence and labels the external audit requirement clearly.

Evidence-driven procurement

Buyers can inspect live endpoints, policies, logs, registers and system surfaces rather than reading a static security PDF.