Standards & Assurance

The standards we align to.
The certifications we hold.
The work that’s still in front of us.

This page is the honest version. Where we're certified, we say so and link the certificate. Where we're aligned but not yet certified, we say that too. Where we use a framework as a reference rather than a target, we name it. Procurement and security teams can take this page at face value.

Last updated: April 2026

Section 1

Frameworks at a glance

ABiAN's information security management is structured around the frameworks below. Posture is stated as one of: Certified, Aligned, Operationally aligned, Contractual delivery, Reference, or Compliant. Definitions follow the table.

Framework | Posture | Notes
ISO/IEC 27001:2022 | Aligned | ISMS structured around Annex A (93 controls). External certification roadmap on file; engagement with certification body planned for FY2026–2027. Statement of Applicability available under NDA.
ISO/IEC 27701:2019 | Reference | Privacy extension to ISO 27001. Used as reference for privacy management controls. Will be considered for certification once ISO 27001 is in place.
NIS2 (Directive (EU) 2022/2555) | Operationally aligned | Internal controls cover the technical and organisational measures listed in Article 21. ABiAN supports clients classified as essential or important entities.
DORA (Regulation (EU) 2022/2554) | Contractual delivery | For financial-entity clients, ABiAN executes a DORA addendum covering ICT risk management, incident reporting, exit strategies, and concentration risk disclosures, in line with Articles 28–30.
GDPR (Regulation (EU) 2016/679) | Compliant | ABiAN acts as data processor for client tenant data and as data controller for personnel and prospect data. DPA template available; sub-processor list published.
Microsoft Cloud Security Benchmark | Reference | Default baseline for Azure landing zones we design and operate.
CIS Critical Security Controls v8 | Reference | Operational checklist for client endpoint, identity, and network configurations.

Posture definitions
Certified
A current certificate is held from an accredited certification body. Scope and validity period stated. Certificate available on request.
Aligned
Internal management system is structured around the framework. Controls implemented; documentation maintained. No external certification yet.
Operationally aligned
Specific operational obligations under the framework are met by ABiAN's controls and processes. Used for regulatory frameworks where formal certification does not apply to ABiAN's role.
Contractual delivery
ABiAN delivers framework-specific obligations to clients through contractual instruments (DPAs, addenda, MSAs).
Reference
Used internally as a benchmark or operational guide. Not a target for certification.
Compliant
Legal obligations are met. Applies to laws and regulations rather than voluntary standards.
Section 2

ISO/IEC 27001 status

ABiAN’s information security management system (ISMS) is structured around ISO/IEC 27001:2022. We have not yet completed external certification. This section describes the current posture honestly, including what’s in place, what’s documented, and what’s still outstanding.

What’s in place

  • Information Security Policy approved by management, reviewed annually.
  • Topical policies covering acceptable use, access control, cryptography, supplier security, secure development, incident response, business continuity, and data protection.
  • Risk register reviewed quarterly; risks scored on likelihood and impact and tied to treatment plans.
  • Statement of Applicability (SoA) mapping all 93 Annex A controls to ABiAN’s implementation.
  • Internal review cycles, with management review at least annually.
  • Defined ISMS scope covering all ABiAN personnel, internal systems used to deliver client services, and ABiAN-managed infrastructure used to operate client environments.

Certification roadmap

External certification is on our roadmap. We are engaging with an accredited certification body during FY2026–2027. We will not claim certification before a certificate has been issued.

Available evidence

The following are available to clients and prospects under NDA:

  • Statement of Applicability (excerpt or full, depending on engagement)
  • ISMS scope statement
  • Information Security Policy
  • Risk register summary
  • Internal review and management review records

Request via [email protected] with the subject line “27001 evidence request.”

Why we’re not yet certified

Honest answer: certification is a 12–18 month process, and we have not yet started the formal external audit cycle. The ISMS itself has been in operation for the period required to support an audit. The decision to defer certification has been driven by sequencing — we wanted the controls to be operationally mature before paying for an audit that would otherwise produce findings we already know about.

Section 3

NIS2 readiness

ABiAN supports clients that are essential or important entities under the Network and Information Systems Directive (NIS2). Our own controls cover the technical and organisational measures required by Article 21.

Article 21 measures we maintain

  • Risk analysis and information system security policies (21(2)(a))
  • Incident handling (21(2)(b))
  • Business continuity and crisis management (21(2)(c))
  • Supply chain security, including security-related aspects of relationships with direct suppliers (21(2)(d))
  • Security in network and information system acquisition, development, and maintenance (21(2)(e))
  • Policies and procedures to assess effectiveness of cybersecurity risk-management measures (21(2)(f))
  • Basic cyber hygiene practices and cybersecurity training (21(2)(g))
  • Policies and procedures regarding cryptography and encryption (21(2)(h))
  • Human resources security, access control, asset management (21(2)(i))
  • Multi-factor or continuous authentication, secured voice/video/text communications, secured emergency communications (21(2)(j))

Incident reporting support

For clients in scope of NIS2, ABiAN supports the reporting timelines under Article 23: 24-hour early warning, 72-hour incident notification, one-month final report. Specific reporting workflows are documented in the engagement runbook.

Section 4

DORA delivery

For financial-entity clients regulated under the Digital Operational Resilience Act (DORA), ABiAN delivers obligations as an ICT third-party service provider through a contractual DORA addendum executed alongside the master service agreement.

What the DORA addendum covers

  • Description and quality of ICT services
  • Locations of service performance and data processing
  • Service level descriptions, including performance objectives
  • Provisions on accessibility, availability, integrity, security, and protection of personal data
  • Termination rights and minimum notice periods
  • Exit strategies, including a structured transition period
  • Audit, inspection, and access rights for the financial entity, competent authorities, and the resolution authority
  • Cooperation with competent authorities
  • Insurance coverage
  • Incident reporting timelines aligned to DORA Article 19

Concentration risk

ABiAN’s primary cloud platform (Microsoft) is concentrated. For financial-entity clients, this is reflected in the DORA addendum’s concentration risk disclosure and the documented exit strategy.

Section 5

GDPR posture

ABiAN is established in Latvia and acts as a data processor for personal data within client tenants we operate, and as a data controller for personnel, prospect, and operational data we collect for our own purposes.

Documents available publicly

  • Privacy Policy — at /privacy
  • Data Processing Addendum (DPA) — at /legal/dpa
  • Sub-processor list — at /legal/sub-processors

Supervisory authority

Our lead supervisory authority is the Latvian Data State Inspectorate (Datu valsts inspekcija, DVI). Data subjects may also lodge complaints with their local supervisory authority.

Privacy contact

[email protected]

Section 6

What we don’t claim

A short list of certifications we have seen requested but do not currently hold. If your procurement requires any of these, contact us before issuing a questionnaire — we can discuss whether the underlying control objectives can be met through alternative evidence.

SOC 2 Type 1 / Type 2
Not held. SOC 2 is a US-anchored audit standard; our client base is primarily EU and Baltic. We have prioritised ISO 27001 as the equivalent EU-recognised framework.
ISO 22301 (Business Continuity)
Not held. BCP is in place and documented, but not externally certified.
PCI DSS
Not applicable. ABiAN does not process, store, or transmit cardholder data.
HIPAA
Not applicable. ABiAN does not serve US healthcare entities or process Protected Health Information.
Section 7

Requesting evidence

Most assurance documentation can be shared under a mutual NDA. The list below covers what’s typically requested.

Available under NDA

  • Security whitepaper (also available as a public download — link to /security)
  • Statement of Applicability (ISO 27001:2022)
  • ISMS scope statement
  • Information Security Policy
  • Risk register summary
  • Penetration test executive summaries (annual)
  • Sub-processor list specific to a proposed engagement
  • DPIA support documentation
  • Insurance certificates (professional indemnity, cyber)

Typical questionnaire formats accepted

  • CAIQ (Cloud Security Alliance)
  • SIG (Shared Assessments)
  • VSA (Vendor Security Alliance)
  • Client-specific questionnaires

How to request

Send an email to [email protected] with:

  1. The name of your organisation and the engagement context
  2. The specific evidence you need
  3. Whether an NDA is already in place, or whether one needs to be executed

Standard turnaround: 3 business days to acknowledge, 10 business days for the evidence pack.

This page is reviewed at least quarterly and updated whenever a posture changes. Last reviewed: April 2026. Next scheduled review: July 2026.
