ADR-0018: Information security management

Status: proposed

Date: 2026-03-11

Group: cross-cutting

Depends-on: ADR-0016

Context

The platform needs a recognized information security management system (ISMS) as the organizational foundation for all security certifications. The ISMS provides the risk management framework, audit cycle, and control baseline that cloud-specific certifications build upon.

Options

Option 1: ISO 27001:2022

  • Pros: globally recognized ISMS standard; required or expected by most EU government procurement; foundation that BSI C5, ISO 27017/27018, and national frameworks build upon; large ecosystem of auditors and tooling; NIS2 directive references it as a suitable framework

  • Cons: generic; cloud-specific controls require an additional framework on top; the certification scope must be carefully defined

Option 2: NIST Cybersecurity Framework (CSF)

  • Pros: comprehensive; well-structured (identify, protect, detect, respond, recover); widely adopted in US government and critical infrastructure

  • Cons: US-origin; not certification-based (no formal audit/certificate); less recognized in EU government procurement; does not serve as foundation for European cloud certifications (C5, EUCS)

Option 3: SOC 2 as primary framework

  • Pros: covers security, availability, confidentiality; continuous assurance model (Type II); well-known commercially

  • Cons: US-origin (AICPA); not an ISMS — it evaluates controls but does not require a management system; not recognized as ISMS equivalent in EU procurement; European cloud certifications do not build on it

Decision

ISO 27001:2022. It is the universally recognized ISMS that EU government procurement expects and that all relevant European cloud certifications assume as their foundation. The detailed cloud security controls layered on top of ISO 27001:2022 are a separate decision (ADR-0021). National frameworks map directly to ISO 27001:2022.

Consequences

  • ISMS must be established covering the platform’s operational scope

  • Risk assessments must be performed and maintained

  • Internal audit cycle must be operational before certification

  • Cloud-specific security controls are addressed by a separate ADR on top of this foundation

  • National ISMS frameworks can be layered on top (separate ADRs per country)