ISO 27001/27002 Control Matrix
The ISO 27001/27002 Control Matrix is PensionPortal.ai’s formal mapping of ISO 27002:2022 controls to platform capabilities, implementation evidence, and regulatory obligations under IORP II (EU Directive 2016/2341, transposed as S.I. 128/2021). It is the primary artefact for demonstrating information security assurance to trustees, auditors, scheme advisers, and regulators. This page provides a representative subset of the control matrix. The complete matrix — covering all 93 ISO 27002:2022 controls — is available to enterprise customers under our security documentation programme.
What the Control Matrix Is
The control matrix is a structured, living document that answers a single question for each ISO 27002:2022 control: how does PensionPortal.ai implement this control, and how can it be evidenced? Each row contains:
- Control ID: ISO 27002:2022 reference (e.g., A.5.1)
- Control Name: The ISO 27002 control title
- Implementation: How PensionPortal.ai has implemented the control in platform design, operations, or policy
- Evidence Artifact: The specific artifact that demonstrates the control is operating effectively
- Status: Implemented / Partially Implemented / Planned / Not Applicable
- IORP II Relevance: The specific IORP II obligation or S.I. 128/2021 regulation that this control supports
ISO 27002:2022 uses a flat numbering scheme (e.g., 5.1, 8.24) rather than the A.x.x format used in ISO 27001:2013. We use both formats interchangeably in this documentation. All control references are to the 2022 edition of ISO 27002.
How the Control Matrix Is Used
Audit Support
Provide to external auditors as the primary evidence index during ISO 27001 surveillance audits, SOC 2 readiness assessments, or regulator-requested security reviews.
Customer Due Diligence
Trustees and their legal/technical advisers can assess PensionPortal.ai’s security posture against ISO 27002 controls as part of outsourcing due diligence under IORP II Article 31.
Trustee Governance Evidence
Reference the control matrix in scheme governance documentation to demonstrate that ICT risk from the PensionPortal.ai platform has been identified, assessed, and managed.
Regulator Conversations
Provide to the Pensions Authority in response to ICT risk or operational risk queries. Demonstrates a systematic, standards-based approach to information security.
Representative Control Matrix
The following table covers the most material controls for a pension compliance SaaS platform. Controls are drawn from across all four ISO 27002:2022 domains.
| Control ID | Control Name | Implementation | Evidence Artifact | Status | IORP II Relevance |
|---|---|---|---|---|---|
| 5.1 | Policies for information security | Board-approved Information Security Policy; supporting policies for data classification, access management, incident response, acceptable use, and business continuity | Policy register with version history and approval records | Implemented | Written policies requirement — S.I. 128/2021, Reg. 29 / Section 64AA Pensions Act |
| 5.2 | Information security roles and responsibilities | RBAC system enforces role-based access across the platform; security roles documented in org chart and job descriptions; principle of least privilege enforced | Platform access control configuration; role matrix documentation | Implemented | Governance structure, KFH separation — S.I. 128/2021, Reg. 21 / Section 64T |
| 5.7 | Threat intelligence | Continuous CVE monitoring via dependency scanning (Dependabot, Snyk); subscription to NCSC-IE and ENISA threat feeds; quarterly threat landscape review | Scan reports, patch logs, threat intelligence review records | Implemented | Operational risk management — S.I. 128/2021, Reg. 22 / Section 64U |
| 5.24 | Information security incident management planning and preparation | Documented incident response playbook; severity classification matrix; defined escalation paths; GDPR 72-hour DPC notification procedure | Incident response plan; tabletop exercise records; post-incident review reports | Implemented | Operational risk management — S.I. 128/2021, Reg. 21; GDPR Article 33 |
| 5.30 | ICT readiness for business continuity | BCM programme aligned to ISO 22301 principles; RTO 4 hours / RPO 1 hour for primary compliance functions; documented failover procedures | Business continuity plan; DR test records; RTO/RPO validation reports | Implemented | Continuity planning — S.I. 128/2021, Reg. 30 / Section 64AB |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Compliance register mapping IORP II, GDPR, DORA, and Irish pensions legislation obligations; legal review of platform changes affecting compliance posture | Compliance register; legal review records; regulatory change log | Implemented | General governance — S.I. 128/2021, Reg. 21 |
| 6.3 | Information security awareness, education and training | Annual mandatory security training for all staff; role-specific training for engineers, operations, and management; quarterly phishing simulation | Training completion records; phishing simulation results; training materials | Implemented | Fit and proper / competence — S.I. 128/2021, Reg. 23 / Section 64V |
| 8.2 | Privileged access rights | Just-in-time (JIT) access for production environments; MFA required for all privileged sessions; no standing privileged access to production data; quarterly access reviews | Access logs; JIT access request and approval records; MFA enforcement configuration; access review reports | Implemented | Access control for operational risk — S.I. 128/2021, Reg. 21 |
| 8.5 | Secure authentication | MFA enforced for all accounts; password complexity policy; session timeout on inactivity; OAuth 2.0 / SAML 2.0 for enterprise SSO integration | Authentication configuration; MFA enforcement logs; SSO integration documentation | Implemented | ICT security controls — S.I. 128/2021, Reg. 21 |
| 8.7 | Protection against malware | WAF via Cloudflare (OWASP rule sets active); dependency vulnerability scanning integrated into CI/CD pipeline; container image scanning; runtime monitoring | Cloudflare WAF logs; Snyk/Dependabot scan reports; container scan reports; runtime alert logs | Implemented | Operational risk — S.I. 128/2021, Reg. 22 |
| 8.10 | Information deletion | Data retention policy implemented at platform level; automated deletion workflows for expired data; legal hold mechanism for data subject to regulatory retention obligations | Data retention configuration; deletion logs; legal hold register | Implemented | Data strategy / GDPR Article 5(1)(e) storage limitation |
| 8.11 | Data masking | Member PPS numbers and sensitive financial data masked in non-production environments; display masking in UI for restricted data fields | Data masking configuration; non-production data policy | Implemented | Data protection by design — GDPR Article 25 |
| 8.12 | Data leakage prevention | Export controls restrict bulk data extraction; all exports logged; anomaly detection alerts on unusual export volumes | Export audit logs; DLP alert configuration; anomaly detection reports | Implemented | Data protection — GDPR Article 32; IORP II data strategy |
| 8.15 | Logging | Immutable audit logs for all user actions, administrative operations, API calls, and data access events; log integrity protected via cryptographic chaining; Sentry for application error tracking | Audit log exports; log integrity verification records; Sentry dashboards | Implemented | Accountability and audit — S.I. 128/2021, Reg. 26 / Section 64Y |
| 8.24 | Use of cryptography | AES-256 encryption at rest for all member and scheme data; TLS 1.3 enforced for all data in transit; GCP Cloud KMS with HSM-backed keys; key rotation policy (annual minimum) | Architecture documentation; encryption configuration; KMS key rotation logs; TLS configuration scan results | Implemented | Data protection — GDPR Article 32; IORP II operational risk |
| 8.25 | Secure development lifecycle | Security requirements incorporated at design phase; mandatory peer code review for all changes; SAST gates in CI/CD pipeline block insecure code from merging; independent penetration testing at least annually | CI/CD pipeline configuration; SAST scan results; code review records; penetration test reports and remediation evidence | Implemented | ICT operational risk — S.I. 128/2021, Reg. 21 |
| 8.28 | Secure coding | OWASP Top 10 addressed in developer training and automated scanning; third-party dependency scanning on every build; software composition analysis (SCA) for supply chain risk | Developer training records; SAST reports; SCA scan results | Implemented | ICT operational risk — S.I. 128/2021, Reg. 21 |
| 8.32 | Change management | Formal change management process; changes classified by risk; emergency change procedure; all production changes logged with approval records | Change log; change approval records; emergency change records | Implemented | Operational risk management — S.I. 128/2021, Reg. 21 |
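Control 8.15 above states that audit log integrity is protected by cryptographic chaining and evidenced by log integrity verification records. The page does not describe the scheme PensionPortal.ai uses, so the following is an added illustration written for this page, not the platform's own code. It assumes a keyed hash chain (HMAC-SHA256, where each entry's tag covers the previous entry's tag) with the current head tag anchored outside the log, and it uses constructed sample events with placeholder actor and resource names. The verifier reports the first entry that fails, and it also catches the case a bare hash chain misses: silent removal of the newest entries.

```python
"""Hash-chained audit log with a keyed integrity check (added example, not platform code)."""
import hashlib
import hmac
import json
from typing import Optional

# Sentinel "previous tag" for the first entry in a chain.
GENESIS = "0" * 64


def _canonical(body: dict) -> bytes:
    # Canonical JSON (sorted keys, fixed separators) so that serialisation
    # differences can never change an entry's tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_tag(body: dict, key: bytes) -> str:
    # HMAC-SHA256 over the canonical body. The body includes prev_hash, so each
    # tag commits to the whole chain before it. A plain unkeyed hash would let
    # anyone with write access rebuild the chain; the key ties it to the log service.
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only list of chained entries. The key stays with the log service."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []

    def append(self, ts: str, actor: str, action: str, resource: str,
               details: Optional[dict] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "actor": actor,
            "action": action,
            "resource": resource,
            "details": details or {},
            "prev_hash": prev,
        }
        entry = dict(body, hash=_entry_tag(body, self._key))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # The head tag is what gets anchored externally (a separate store or a
        # periodic signed checkpoint) so that truncation of the tail is detectable.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: list, key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first entry that fails.

    A result equal to len(entries) means the tail was truncated: every entry
    present verified, but the final tag does not match the anchored head.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev_hash") != expected_prev:
            return i                      # reordered, inserted or re-linked entry
        body = {k: v for k, v in entry.items() if k != "hash"}
        if not hmac.compare_digest(_entry_tag(body, key), str(entry.get("hash", ""))):
            return i                      # content changed after the tag was computed
        expected_prev = entry["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return len(entries)               # chain consistent but shorter than anchored head
    return None


def build_sample_log(key: bytes) -> AuditLog:
    # Constructed sample events; actor and resource identifiers are placeholders.
    log = AuditLog(key)
    log.append("2024-03-01T09:00:00Z", "ops-user@example.test", "jit.grant", "prod/db", {"ttl_min": 60})
    log.append("2024-03-01T09:05:12Z", "svc-export", "export.bulk", "scheme/DEMO-001", {"rows": 1800})
    log.append("2024-03-01T09:06:00Z", "ops-user@example.test", "jit.revoke", "prod/db")
    return log


def run_checks(key: bytes) -> dict:
    """Run the verifier over an intact, a modified, a truncated and a wrong-key copy."""
    log = build_sample_log(key)
    head = log.head()

    def clone() -> list:
        return json.loads(json.dumps(log.entries))   # deep copy via JSON round-trip

    tampered = clone()
    tampered[1]["details"]["rows"] = 18               # understate an export volume
    truncated = clone()[:-1]                          # drop the newest (revoke) event
    return {
        "intact": verify_chain(log.entries, key, head),
        "tampered": verify_chain(tampered, key, head),
        "truncated": verify_chain(truncated, key, head),
        "wrong_key": verify_chain(log.entries, b"not-the-log-key", head),
    }


if __name__ == "__main__":
    print(run_checks(b"constructed-demo-key"))
```

The verification record an auditor would want is the output of `verify_chain` run against an anchored head at a known time: `None` for an intact chain, or the index where the first inconsistency appears. Keeping the head tag somewhere the log writer cannot modify is what makes the truncation check meaningful; without that anchor a chain only proves that the entries present are consistent with each other.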
Control Status Definitions
| Status | Meaning |
|---|---|
| Implemented | Control is fully in place. Evidence exists and is current. |
| Partially Implemented | Control is in place for core scenarios; gaps exist for edge cases or specific environments. Remediation in progress. |
| Planned | Control has been designed; implementation scheduled in the roadmap. Target date documented. |
| Not Applicable | Control has been assessed and formally excluded from scope in the Statement of Applicability (SoA), with documented justification. |
Requesting the Full Control Matrix
The complete 93-control matrix, including the Statement of Applicability (SoA) and detailed evidence references, is available to enterprise customers and scheme auditors under our security documentation programme. To request the full control matrix, contact PensionPortal.ai via your account manager or through the security documentation request process. We require a signed NDA before releasing the detailed SoA and evidence pack.
The full matrix includes:
- All 93 ISO 27002:2022 controls (including those assessed as not applicable, with justification)
- Detailed evidence references with document identifiers
- Control owner assignments
- Last review date and next review date for each control
- Links to the GCP and third-party provider controls that underpin PensionPortal.ai’s cloud infrastructure security