
ISO 27001:2022 & ISO 27002:2022 Overview

ISO 27001:2022 is the internationally recognised standard for Information Security Management Systems (ISMS). For a SaaS platform handling Irish pension scheme data, alignment with ISO 27001 is not a marketing badge — it is a foundational obligation that maps directly to the operational risk management requirements of IORP II (EU Directive 2016/2341, transposed as S.I. 128/2021). This page explains how PensionPortal.ai implements an ISO 27001-aligned security posture, how the 93 controls of ISO 27002:2022 apply to each domain of our platform, and how this alignment supports your scheme’s obligations under Article 21 of IORP II.
ISO 27001 is the management system standard (certifiable). ISO 27002 is the companion controls catalogue — 93 controls across 4 domains — that gives implementation guidance for each Annex A control in ISO 27001. You cannot certify to ISO 27002; you certify to ISO 27001 and implement ISO 27002 controls as the reference.

Why ISO 27001 Matters for a Pension Compliance SaaS

Irish pension trustees have two intersecting obligations that make ISO 27001 alignment materially relevant:
  1. IORP II Article 21 — System of governance requires trustees to maintain an effective system of governance including adequate internal controls and risk management. Operational risk — which includes ICT and information security risk — is explicitly within scope (S.I. 128/2021, Reg. 21).
  2. IORP II data strategy requirement (Reg. 29, written policies) requires that trustees document how member data is protected, processed, and managed — a requirement that maps directly to ISO 27001’s policy and control framework.
Beyond regulatory compliance, ISO 27001 alignment gives trustees and scheme advisers a structured, internationally recognised basis for assessing PensionPortal.ai’s security posture during due diligence. Rather than answering ad hoc security questionnaires, we point to a systematic ISMS with documented controls, evidence artifacts, and continuous improvement processes.

ISO 27001:2022 Structure: The ISMS

ISO 27001:2022 follows the High Level Structure (HLS, formerly Annex SL) common to all ISO management system standards. The ISMS has seven operational clauses:

Context & Scope (Clause 4)

Define the organisation, its context, interested parties, and the scope of the ISMS. For PensionPortal.ai: Irish pension compliance SaaS, GCP-hosted, serving Irish scheme trustees and their professional advisers.

Leadership (Clause 5)

Management commitment, information security policy, and organisational roles. Board-level information security policy; designated CISO responsibility.

Planning (Clause 6)

Risk assessment and risk treatment. Threat modelling against pension data assets; Statement of Applicability (SoA) mapping all 93 controls.

Support (Clause 7)

Resources, competence, awareness, communication, documented information. Staff training programme; security documentation in version control.

Operation (Clause 8)

Operational planning and control; risk assessment and treatment. Day-to-day security operations, vulnerability management, change management.

Performance Evaluation (Clause 9)

Monitoring, measurement, internal audit, management review. Quarterly internal reviews; external penetration testing programme.

Improvement (Clause 10)

Nonconformity, corrective action, continual improvement. Incident-driven improvements; post-mortem process; control gap remediation.

ISO 27001 Annex A → ISO 27002:2022 Controls

ISO 27001:2022 Annex A references 93 controls drawn from ISO 27002:2022, organised into four domains. The 2022 revision consolidated the previous 114 controls (2013 version) and introduced 11 new controls relevant to cloud and AI environments.
| Domain | Controls | Focus Area |
|---|---|---|
| Organisational (5.x) | 37 controls | Policies, roles, supplier management, incident management, information classification, legal compliance |
| People (6.x) | 8 controls | Pre-employment screening, terms of employment, training, disciplinary process, offboarding |
| Physical (7.x) | 14 controls | Physical security perimeters, equipment protection, clear desk, physical media |
| Technological (8.x) | 34 controls | Access control, cryptography, logging, vulnerability management, secure development, network security |
The formal mapping of each control to PensionPortal.ai capabilities and evidence artifacts is maintained in the ISO 27001/27002 Control Matrix.

PensionPortal.ai Implementation by Domain

Organisational Controls (ISO 27002 Clause 5)

Organisational controls establish the policy framework and management structures that underpin all other security activity.
  • A.5.1 — Information security policies: PensionPortal.ai maintains a board-approved Information Security Policy, reviewed at least annually. Supporting policies cover acceptable use, data classification, access management, incident response, business continuity, and supplier security.
  • A.5.2 — Information security roles and responsibilities: Roles are defined and documented. The platform enforces Role-Based Access Control (RBAC) with the principle of least privilege. Security responsibilities are incorporated into job descriptions for all roles with system access.
  • A.5.7 — Threat intelligence: We operate a continuous vulnerability monitoring programme including CVE feeds, dependency scanning (integrated into CI/CD pipelines), and periodic threat landscape reviews aligned to the Irish financial services sector.
  • A.5.10 — Acceptable use of information and other associated assets: Documented acceptable use policy; enforced through platform access controls and a staff acknowledgement process.
  • A.5.19–5.22 — Supplier relationships: All third-party providers are subject to security assessment. Written agreements include confidentiality, security obligations, and right-to-audit clauses. The supplier register is reviewed annually.
  • A.5.24–5.28 — Information security incident management: A formal incident management process covers detection, classification, response, notification (including GDPR 72-hour DPC notification where applicable), and post-incident review.

People Controls (ISO 27002 Clause 6)

People controls govern the security obligations of individuals who access PensionPortal.ai systems.
  • A.6.1 — Screening: Background checks are conducted for all employees and contractors with access to production systems, proportionate to the sensitivity of the role.
  • A.6.2 — Terms and conditions of employment: All staff with system access sign confidentiality agreements and accept information security policies as a condition of employment or engagement.
  • A.6.3 — Information security awareness, education, and training: Annual mandatory security training for all staff. Role-specific training for engineers (secure development), operations (incident response), and management (governance). Phishing simulation exercises are conducted quarterly.
  • A.6.5 — Responsibilities after termination: The offboarding procedure ensures immediate revocation of all access upon departure. Exit interviews include security reminders. Confidentiality obligations survive termination.

Physical Controls (ISO 27002 Clause 7)

PensionPortal.ai is a cloud-native platform hosted on Google Cloud Platform (GCP). Physical security of data centre infrastructure is therefore managed by GCP under their shared responsibility model.
GCP holds ISO 27001 certification and SOC 2 Type II attestation covering physical security of data centre facilities. These third-party attestations are available to enterprise customers under NDA as part of our supplier assurance documentation.

Physical controls directly managed by PensionPortal.ai cover:
  • A.7.7 — Clear desk and clear screen: Policy enforced for staff accessing sensitive systems remotely.
  • A.7.8 — Equipment siting and protection: Staff-operated equipment (laptops, workstations) is subject to endpoint protection, full-disk encryption, and MDM management.
  • A.7.10 — Storage media: Formal policy for handling, use, and secure disposal of any removable media; in practice, production data never leaves the cloud environment.

Technological Controls (ISO 27002 Clause 8)

Technological controls are the largest domain and the most directly verifiable through platform architecture.
  • A.8.2 — Privileged access rights: Just-in-time (JIT) access for production environments. MFA enforced for all privileged access. Access logs retained immutably for 12 months minimum. No standing privileged access to production data.
  • A.8.5 — Secure authentication: MFA required for all user accounts. Passwords subject to complexity and rotation requirements. Session tokens expire after inactivity. OAuth 2.0 / SAML 2.0 for enterprise SSO integration.
  • A.8.7 — Protection against malware: Web Application Firewall (WAF) via Cloudflare. Dependency scanning integrated into CI/CD (SAST). Container image scanning. Runtime application self-protection (RASP) monitoring.
  • A.8.12 — Data leakage prevention: Data classification enforced at platform level. Export controls restrict bulk data extraction. Audit logs capture all data access and export events.
  • A.8.15 — Logging: Immutable audit logs for all user actions, administrative operations, and data access. Log integrity protected. Retention: 12 months online, 7 years archive (aligned with IORP II record-keeping requirements).
  • A.8.24 — Use of cryptography: AES-256 encryption at rest for all member data. TLS 1.3 enforced for all data in transit. Cryptographic key management via GCP Cloud KMS with HSM-backed keys. Key rotation policy enforced.
  • A.8.25 — Secure development lifecycle: All code changes require peer review and must pass automated SAST gates before merge. Penetration testing conducted at least annually by an independent third party. Security requirements incorporated into feature design from inception.
  • A.8.28 — Secure coding: OWASP Top 10 addressed in developer training and automated scanning. Dependency vulnerability scanning on every build. Supply chain security controls for third-party packages.

Relationship to IORP II

The connection between ISO 27001 controls and IORP II obligations is direct and material:
| ISO 27001 Clause / ISO 27002 Control | IORP II Obligation | Irish Reference |
|---|---|---|
| Clause 6 — Risk assessment | Operational risk management | S.I. 128/2021, Reg. 22 |
| A.5.1 — Information security policies | Written policies requirement | S.I. 128/2021, Reg. 29 |
| A.5.24 — Incident management | Operational risk management | S.I. 128/2021, Reg. 21 |
| A.8.15 — Logging | Accountability, audit trail | S.I. 128/2021, Reg. 26 |
| A.8.24 — Cryptography | Data protection (GDPR/IORP II) | S.I. 128/2021, Reg. 29 |
| A.8.25 — Secure development | ICT operational risk | S.I. 128/2021, Reg. 21 |
| Clause 8 — Operation | Business continuity | S.I. 128/2021, Reg. 30 |
Trustees can reference PensionPortal.ai’s ISO 27001 alignment as part of their own outsourcing due diligence documentation (IORP II Article 31 / S.I. 128/2021, Reg. 31), demonstrating that ICT risk arising from the platform has been assessed and managed.

Certification Status

PensionPortal.ai is currently aligned with ISO 27001:2022 principles and is implementing controls consistent with the standard across all four domains. We are working toward formal ISO 27001:2022 certification by an accredited certification body. Certification is a structured process that requires the ISMS to be operational for a minimum period before a certification audit can be conducted.

We do not claim current ISO 27001 certification. Trustees requiring third-party certified assurance today can reference our GCP infrastructure’s ISO 27001 certification for physical and cloud infrastructure controls, and request our security documentation pack under NDA.
Our target for initial ISO 27001 certification is communicated to enterprise customers as part of our security roadmap. We will update this page upon certification.

The Control Matrix

The formal, control-by-control mapping of ISO 27002:2022 to PensionPortal.ai capabilities, evidence artifacts, implementation status, and IORP II relevance is maintained in the ISO 27001/27002 Control Matrix. The control matrix is a living document, updated with each material change to platform architecture or security controls. Enterprise customers can request the full control matrix as part of the supplier security documentation pack.