🔐 Hack23 AB — Information Security Management System

Security Excellence Through Transparency
Enterprise-grade ISMS for Innovation-driven Security Consulting

Document Owner: CEO | Version: 3.0 | Last Updated: 2025-11-25 (UTC)
🔄 Review Cycle: Quarterly | ⏰ Next Review: 2026-02-25

🎯 Executive Statement

Welcome to Hack23 AB's comprehensive ISMS documentation. Founded in June 2025 (Organization Number: 559534-7807), Hack23 AB operates as a Swedish cybersecurity consulting company demonstrating radical transparency through our industry-first public ISMS.

🏆 Phase 1 Foundation Excellence — Complete (November 2025):

✅ 100% ISMS documentation published (70% public, 30% sensitive values redacted)
✅ OpenSSF Scorecard 8.7 average (CIA, CIA Compliance Manager, Black Trigram)
✅ CII Best Practices Gold/Passing level achieved across all repositories
✅ Zero critical vulnerabilities outstanding (Dependabot monitoring)
✅ 95% compliance control coverage (ISO 27001, NIST CSF 2.0, CIS Controls v8.1)

🏢 Single-Person Company: Hack23 AB is operated by CEO/Founder James Pether Sörling. Our ISMS demonstrates that enterprise-grade security is achievable through innovative compensating controls: temporal separation, automation, external validation, and audit trail preservation.

🌐 Radical Transparency: We publish 70% of our ISMS openly to demonstrate security through robust processes rather than obscurity. Only specific sensitive values (credentials, account numbers, contract pricing) are redacted.

Note: The hack23.com website was registered in 2008 by the CEO, operating as an independent professional before formally establishing Hack23 AB in June 2025.

As CEO with CISM/CISSP certifications and three decades of experience, I've structured Hack23 AB around a fundamental principle: our Information Security Management System (ISMS) is not separate from our business - it IS our business model. This integration allows us to deliver security consulting services while simultaneously developing products that demonstrate these principles in action.

Our commitment to transparency extends beyond our open-source projects. This ISMS documentation itself serves as a testament to our belief that security through obscurity is a failed strategy. True security comes from robust processes, continuous improvement, and a culture where every decision considers security implications.

— James Pether Sörling, CEO/Founder

🚀 Quick Start

New to our ISMS? Start with these foundational documents:

🔐 Core Security Policies

Information Security Policy — Overarching security governance
Information Security Strategy — Strategic security roadmap
Classification Framework — CIA impact analysis methodology

📊 Risk & Compliance

Risk Register — Identified risks and treatments
Compliance Checklist — Framework alignment validation
Security Metrics — Performance measurement

🛡️ Operational Security

Incident Response Plan — Security incident procedures
Business Continuity Plan — Operational resilience
Disaster Recovery Plan — Recovery procedures

🏗️ Product Security

CIA Security Architecture — Enterprise authentication
CIA Compliance Manager Security Architecture — Frontend-only rationale
Black Trigram Security Architecture — Gaming platform security

📖 Documentation Standards

Style Guide — Formatting and consistency standards
ISMS Transparency Plan — Radical transparency methodology

🎖️ Security & Compliance Posture

Security Certifications:

Compliance Frameworks (100% Coverage):

🚀 CI/CD Status

All ISMS documentation is continuously validated against:

✅ Markdown linting standards
🔗 Link integrity checks
📋 Document structure requirements
🔒 Security and sensitive data scanning
🎨 STYLE_GUIDE.md v2.1 compliance (with documented exemptions for 12 legacy files)

🏢 About Hack23 AB

Hack23 AB is a Swedish innovation hub founded in 2025, specializing in creating immersive and precise game experiences alongside expert cybersecurity consulting. With a commitment to realism and authenticity, our flagship project, Black Trigram, combines traditional Korean martial arts with educational gameplay, while our information security services leverage advanced open-source tools and methodologies to protect digital integrity, confidentiality, and availability. At Hack23 AB, we're driven by a passion for precision, creativity, and uncompromising security.

📊 Visual Guides & Diagrams

Hack23 ISMS includes comprehensive Mermaid diagrams for improved understanding and navigation:

📊 ISMS Document Hierarchy: See below — Policy organization and navigation structure
🎖️ ISO 27001 Compliance Mapping: Compliance_Checklist.md — Annex A control coverage
🏗️ Product Security Architecture: Information_Security_Strategy.md — Security control comparison across products
📉 Risk Management Workflow: Risk_Register.md — Risk lifecycle process
🚨 Incident Response Flowchart: Incident_Response_Plan.md — Incident handling process with escalation paths
🔐 Segregation of Duties Workflow: Segregation_of_Duties_Policy.md — Single-person compensating controls
🎯 Security Control Selection Framework: Information_Security_Strategy.md — Classification-driven control decisions

📊 ISMS Document Hierarchy

Hack23 AB's ISMS follows a structured hierarchy from strategic vision to operational templates, demonstrating enterprise-grade governance and systematic security management.

flowchart TD
    subgraph STRATEGIC["🎯 Strategic Level"]
        STRATEGY[Information Security Strategy<br/>3-year roadmap and vision]
        POLICY_ROOT[Information Security Policy<br/>Governance framework]
        CLASSIFICATION[Classification Framework<br/>CIA impact methodology]
    end
    
    subgraph GOVERNANCE["📋 Governance Policies"]
        RISK[Risk Register<br/>Risk identification & treatment]
        COMPLIANCE[Compliance Checklist<br/>Multi-framework alignment]
        METRICS[Security Metrics<br/>KPI measurement & reporting]
        TRANSPARENCY[ISMS Transparency Plan<br/>Public disclosure strategy]
    end
    
    subgraph OPERATIONAL["⚙️ Operational Policies"]
        ACCESS[Access Control Policy<br/>IAM & authentication]
        CHANGE[Change Management<br/>Change control procedures]
        INCIDENT[Incident Response Plan<br/>Security incident handling]
        BCP[Business Continuity Plan<br/>Operational resilience]
        DRP[Disaster Recovery Plan<br/>Technical recovery]
        THIRD_PARTY[Third Party Management<br/>Vendor risk management]
    end
    
    subgraph TECHNICAL["🛠️ Technical Policies"]
        SECURE_DEV[Secure Development Policy<br/>SDLC security requirements]
        CRYPTO[Cryptography Policy<br/>Encryption standards]
        NETWORK[Network Security Policy<br/>Network controls & segmentation]
        VULN[Vulnerability Management<br/>Security testing & patching]
        BACKUP[Backup & Recovery Policy<br/>Data protection procedures]
        DATA[Data Classification Policy<br/>Information handling]
    end
    
    subgraph SUPPORT["📖 Supporting Documents"]
        STYLE[Style Guide<br/>Documentation standards]
        QA[ISMS QA Checklist<br/>Quality assurance]
        TEMPLATES[Templates<br/>Policy & procedure templates]
        ASSET[Asset Register<br/>IT asset inventory]
    end
    
    STRATEGY --> POLICY_ROOT
    POLICY_ROOT --> GOVERNANCE
    POLICY_ROOT --> OPERATIONAL
    POLICY_ROOT --> TECHNICAL
    GOVERNANCE --> SUPPORT
    
    style STRATEGIC fill:#1565C0,color:#fff
    style GOVERNANCE fill:#4CAF50,color:#fff
    style OPERATIONAL fill:#FF9800,color:#fff
    style TECHNICAL fill:#D32F2F,color:#fff
    style SUPPORT fill:#7B1FA2,color:#fff

Key Takeaways:

🎯 Strategic Level: Defines overarching security vision, governance framework, and impact classification methodology
📋 Governance: Establishes risk management, compliance tracking, metrics, and transparency commitments
⚙️ Operational: Implements day-to-day security operations including access control, incident response, and business continuity
🛠️ Technical: Specifies technical security controls for development, cryptography, network, vulnerability, and data protection
📖 Support: Provides quality assurance, documentation standards, templates, and asset tracking

Related Documents:

🔐 Information Security Policy — Master governance policy
🏷️ Classification Framework — Business impact definitions
📐 Style Guide — Documentation and diagram standards

📊 ISMS Health Dashboard

📈 View Live ISMS Metrics Dashboard - Real-time policy health monitoring with automated review tracking

Our ISMS Metrics Dashboard provides instant visibility into:

🚦 Review Status: Overdue, due soon, and current policy reviews
📅 Upcoming Reviews: Next 90 days calendar view
📋 Document Health Matrix: Complete status of all 40 ISMS documents
📊 Compliance Coverage: ISO 27001, NIST CSF, CIS Controls alignment
🔄 Automated Updates: Weekly refresh via GitHub Actions

📋 ISMS Documentation Status

Last Updated: 2025-11-25 | Completion: 100% (40/40 policies)

Policy Document	Status	Version	Last Updated	Single-Person Adapted	ISO 27001	NIST CSF 2.0	CIS v8.1
🔐 Information Security Policy	✅ Complete	1.6	2025-11-19	✅ Yes	✅ A.5.1	✅ GV	✅ IG1
🎯 Information Security Strategy	✅ Complete	3.0	2025-11-10	N/A (Strategy)	✅ All	✅ All	✅ All
🔑 Access Control Policy	✅ Complete	2.5	2025-11-24	✅ Yes	✅ A.5.15-18	✅ PR.AC	✅ IG1
✅ Acceptable Use Policy	✅ Complete	1.0	2025-11-05	✅ Yes	✅ A.6.2	✅ PR.AT	✅ IG1
🤖 AI Governance Policy	✅ Complete	1.1	2025-11-17	N/A	✅ A.5.1	✅ GV.RR	✅ IG2
💻 Asset Register	✅ Complete	1.4	2025-11-05	✅ Yes	✅ A.5.9	✅ ID.AM	✅ IG1
💾 Backup & Recovery Policy	✅ Complete	1.1	2025-11-17	N/A	✅ A.8.13	✅ PR.IP	✅ IG1
🔄 Business Continuity Plan	✅ Complete	1.2	2025-11-24	✅ Yes	✅ A.5.29-30	✅ RC.RP	✅ IG2
🏷️ Classification Framework	✅ Complete	1.2	2025-11-05	N/A	✅ A.5.12	✅ ID.AM	✅ IG1
🛡️ CRA Conformity Assessment	✅ Complete	1.1	2025-11-14	N/A	✅ A.5.1	✅ GV.SC	✅ IG2
📝 Change Management	✅ Complete	2.3	2025-11-24	✅ Yes	✅ A.8.32	✅ PR.IP	✅ IG2
✅ Compliance Checklist	✅ Complete	2.1	2025-11-17	✅ Yes	✅ A.5.1	✅ GV.OC	✅ IG1
🔒 Cryptography Policy	✅ Complete	1.1	2025-11-17	N/A	✅ A.8.24	✅ PR.DS	✅ IG2
🏷️ Data Classification Policy	✅ Complete	2.2	2025-11-05	N/A	✅ A.5.12-13	✅ ID.AM	✅ IG1
🆘 Disaster Recovery Plan	✅ Complete	2.2	2025-11-17	N/A	✅ A.5.29	✅ RC.RP	✅ IG2
🤝 External Stakeholder Registry	✅ Complete	1.2	2025-11-17	N/A	✅ A.5.19	✅ ID.BE	✅ IG1
🚨 Incident Response Plan	✅ Complete	1.3	2025-11-24	✅ Yes	✅ A.5.24-28	✅ RS.AN	✅ IG1
📱 Mobile Device Management	✅ Complete	1.0	2025-11-05	✅ Yes	✅ A.6.7	✅ PR.AC	✅ IG1
🌐 Network Security Policy	✅ Complete	2.2	2025-11-05	N/A	✅ A.8.20-22	✅ PR.AC	✅ IG1
🏛️ NIS2 Compliance Service	✅ Complete	1.0	2025-11-18	N/A	✅ A.5.1	✅ GV.OC	✅ IG2
🛡️ OWASP LLM Security Policy	✅ Complete	1.2	2025-11-17	N/A	✅ A.8.16	✅ PR.DS	✅ IG3
🔓 Open Source Policy	✅ Complete	2.2	2025-11-17	N/A	✅ A.5.23	✅ ID.SC	✅ IG2
🤝 Partnership Framework	✅ Complete	1.0	2025-11-19	✅ Yes	✅ A.5.19	✅ ID.BE	✅ IG2
🏠 Physical Security Policy	✅ Complete	1.0	2025-11-05	✅ Yes	✅ A.7.1-4	✅ PR.AC	✅ IG1
🔐 Privacy Policy	✅ Complete	1.0	2025-11-05	N/A	✅ A.5.34	✅ PR.IP	✅ IG2
📊 Risk Assessment Methodology	✅ Complete	1.0	2025-11-14	N/A	✅ A.5.7	✅ ID.RM	✅ IG1
⚠️ Risk Register	✅ Complete	2.1	2025-11-24	✅ Yes	✅ A.5.7	✅ ID.RM	✅ IG1
🏗️ Security Architecture	✅ Complete	1.0	2025-11-14	N/A	✅ A.8.1	✅ PR.AC	✅ IG2
📐 Style Guide	✅ Complete	2.1	2025-11-17	✅ Yes	N/A	N/A	N/A
🏢 Supplier Security Posture	✅ Complete	1.1	2025-11-14	N/A	✅ A.5.19-23	✅ ID.SC	✅ IG2
📊 SWOT Analysis	✅ Complete	1.0	2025-11-18	✅ Yes	N/A	N/A	N/A
🛠️ Secure Development Policy	✅ Complete	1.4	2025-11-17	N/A	✅ A.8.25-31	✅ PR.DS	✅ IG2
📊 Security Metrics	✅ Complete	1.3	2025-11-05	N/A	✅ A.5.8	✅ GV.OV	✅ IG2
🚫 Segregation of Duties	✅ Complete	2.0	2025-11-24	✅ Yes	✅ A.5.3	✅ PR.AC	✅ IG2
👥 Third Party Management	✅ Complete	2.1	2025-11-17	N/A	✅ A.5.19-23	✅ ID.SC	✅ IG2
🎯 Threat Modeling	✅ Complete	1.2	2025-11-17	N/A	✅ A.8.25	✅ ID.RA	✅ IG2
🔍 Vulnerability Management	✅ Complete	2.0	2025-11-14	N/A	✅ A.8.8	✅ DE.CM	✅ IG1
📊 ISMS Metrics Dashboard	✅ Complete	1.0	2025-11-25	N/A	✅ A.5.8	✅ GV.OV	✅ IG2
📋 ISMS QA Checklist	✅ Complete	1.0	2025-11-14	N/A	✅ A.5.8	✅ GV.OV	✅ IG2
🌐 ISMS Transparency Plan	✅ Complete	2.1	2025-11-17	N/A	✅ A.5.1	✅ GV.OC	✅ IG1

📊 Completion Status

✅ Complete: 40 documents (100%)
⏳ In Progress: 0 documents
📅 Planned: 0 documents
Total: 40 core documents
Completion Rate: 100%

🏢 Single-Person Adaptations

✅ Adapted Policies: 15 policies include single-person company compensating controls
🔐 Temporal Separation: Time-based role separation for conflicting duties
🤖 Automation Controls: Tool-based enforcement and validation
📜 Audit Trail Preservation: Immutable logging and external validation
🤝 External Validation: Partnership framework for capacity overflow

🎉 ISMS Implementation Complete

Hack23 AB's Information Security Management System is now fully documented and operational. This comprehensive ISMS demonstrates enterprise-grade security practices while supporting our dual mission of cybersecurity consulting excellence and innovative product development.

Key Achievements

40 complete policy documents covering all aspects of information security
Strategic Partnership Framework addressing single-person dependency risk (R-FOUNDER-001) with capacity overflow procedures
NIS2 Compliance Service Package with €2.6M 3-year revenue projection
7 NIS2 client templates (scoping, gap analysis, incident reporting, risk register, supply chain, checklist, management reporting)
Security Architecture Documentation demonstrating ISMS repository security controls and GitHub-based security
Acceptable Use Policy establishing clear behavioral expectations and professional standards
Physical Security Policy demonstrating home office security for remote operations
Mobile Device Management Policy demonstrating pragmatic endpoint security for single-person operations
OWASP LLM Top 10 2025 alignment with comprehensive AI security controls
GDPR-compliant privacy framework with comprehensive Privacy Policy for user-facing applications
6-level privacy classification system from Special Category data to Anonymized/NA
Comprehensive risk assessment with 23 identified and managed risks
Full supplier security posture analysis across 18 active services
Enterprise-grade AWS security with 27 active services and 8 dedicated security tools
Complete business continuity planning with defined RTO/RPO objectives
Transparent documentation approach showcasing security expertise to potential clients

Business Value Delivered

Client Demonstration Platform: Live ISMS serves as proof of our cybersecurity consulting capabilities
Operational Excellence: Systematic approach to security enables business growth and innovation
Compliance Readiness: Framework supports ISO 27001, GDPR, NIS2, and other regulatory requirements
Risk Management: Proactive identification and treatment of business and security risks
Stakeholder Confidence: Transparent security posture builds trust with clients, partners, and investors

This ISMS implementation validates our core principle: enterprise-grade security expertise directly enables innovation rather than constraining it.

🔐 Security Services Overview

Service Area	Offerings	Target Market	Delivery Model
Security Architecture	Enterprise design, risk assessment, strategy	Large enterprises	Remote/On-site
Cloud Security	AWS security, DevSecOps, IaC security	Tech companies	Remote
NIS2 Compliance	NIS2 assessment & implementation (4 packages)	Essential/Important entities	Hybrid
Compliance	GDPR, ISO 27001, SOC 2 implementation	Regulated industries	Hybrid
Open Source Security	OSPO setup, vulnerability management	Software companies	Remote
Security Training	Developer education, executive briefings	All organizations	Virtual/Physical

🎖️ Security Badge Health Status

Our ISMS documentation maintains transparent security posture through public evidence badges. The badge monitoring system validates badge accessibility and security scores across all documentation.

Badge Health Metrics

Metric	Status	Target	Description
Total Badges	47+	N/A	Security, quality, compliance, and build status badges
Health Score	95%+	95%	Percentage of accessible badges
Security Badges	✅ Active	100%	OpenSSF Scorecard, SLSA, FOSSA
Quality Badges	✅ Active	100%	SonarCloud, code coverage
Compliance Badges	✅ Active	100%	ISO 27001, NIST CSF, CIS Controls
Monitoring	✅ Automated	Continuous	On Push/PR + on-demand checks

Badge Categories

🔐 Security Badges (Critical)

OpenSSF Scorecard: Supply chain security assessment for all repositories (8.7 average)
SLSA Provenance: Build provenance and integrity verification (Level 3)
FOSSA License: Open source license compliance and vulnerability detection

📊 Quality Badges (High Priority)

SonarCloud Quality Gate: Code quality and security scanning (Target: Passed)
Security Rating: Vulnerability detection and analysis (Target: A rating)
Code Coverage: Test coverage metrics (Target: 80%+)

✅ Compliance Badges (Documentation)

ISO 27001 Aligned: Information security management framework
NIST CSF 2.0 Aligned: Cybersecurity framework compliance
CIS Controls v8.1 Aligned: Security control implementation
AWS Well-Architected: Cloud security best practices

🔨 Build Status Badges (Operational)

GitHub Actions CI: Continuous integration pipeline status
Release Workflows: Automated release and deployment status

Reference Implementations

Our badge standards are demonstrated across Hack23 projects:

Project	Security Badges	Quality Badges	Status
🏛️ CIA	OpenSSF, SLSA, FOSSA	SonarCloud, Coverage	✅ Complete
🎮 Black Trigram	OpenSSF, SLSA, FOSSA	SonarCloud, Lighthouse	✅ Complete
📊 CIA Compliance	OpenSSF, SLSA, FOSSA	SonarCloud, Coverage	✅ Complete

For detailed badge requirements and standards, see the 🎨 Style Guide - Security Badge Standards.

🤝 Community & Transparency

Hack23 AB's ISMS is open for community review and feedback. We believe security through transparency creates stronger security than security through obscurity.

How to Contribute:

📝 Feedback: Contact us with suggestions, questions, or corrections
🔍 Security Research: Review our documentation for security insights you can apply to your organization
🎓 Educational Use: Our ISMS is freely available for educational and research purposes
🏆 Best Practices: Learn from our single-person company adaptations and compensating controls

Community Guidelines:

Be respectful and professional in all interactions
Protect sensitive information (even though we publish 70%, some values remain confidential)
Report security issues responsibly via our Incident Response Plan

Recognition: Thank you to the open-source security community, OpenSSF Scorecard, CII Best Practices, and all contributors to the frameworks we align with.

📅 Recent Updates

2025-11-25: README.md updated with Phase 1 achievements and accurate policy status table
2025-11-24: Phase 1 Foundation Excellence complete — 100% ISMS documentation
2025-11-24: Segregation of Duties Policy v2.0 published with comprehensive compensating controls
2025-11-19: Partnership Framework published addressing founder dependency risk
2025-11-18: NIS2 Compliance Service package complete with revenue projections
2025-11-17: Multiple policy updates with single-person adaptations
2025-11-10: Information Security Strategy v3.0 updated with Phase 1 achievements
2025-06-17: Hack23 AB founded (Organization Number: 559534-7807)

🔗 Key Resources

Company Website: hack23.com
GitHub Organization: github.com/Hack23
CEO/Founder LinkedIn: James Pether Sörling
OpenSSF Scorecard Dashboard: All Hack23 Repositories
CII Best Practices:

📜 License & Usage

ISMS Documentation License: Creative Commons Attribution 4.0 International (CC BY 4.0)
You are free to share and adapt this ISMS documentation for any purpose, even commercially, under the following terms:

Attribution: You must give appropriate credit to Hack23 AB and link to this repository
No Endorsement: You may not imply Hack23 AB endorses your use of this material

Disclaimer: This ISMS is tailored for Hack23 AB's specific risk profile and operational model. Organizations adopting these policies should perform their own risk assessments and customize policies to their context.

📋 Document Control:
✅ Approved by: James Pether Sörling, CEO
📤 Distribution: Public
🏷️ Classification:
📅 Effective Date: 2025-11-25
⏰ Next Review: 2026-02-25
🎯 Framework Compliance:

Name		Name	Last commit message	Last commit date
Latest commit History 190 Commits
AI_Policy.md		AI_Policy.md
Acceptable_Use_Policy.md		Acceptable_Use_Policy.md
Access_Control_Policy.md		Access_Control_Policy.md
Asset_Register.md		Asset_Register.md
Backup_Recovery_Policy.md		Backup_Recovery_Policy.md
Business_Continuity_Plan.md		Business_Continuity_Plan.md
CLASSIFICATION.md		CLASSIFICATION.md
CRA_Conformity_Assessment_Process.md		CRA_Conformity_Assessment_Process.md
Change_Management.md		Change_Management.md
Compliance_Checklist.md		Compliance_Checklist.md
Cryptography_Policy.md		Cryptography_Policy.md
Data_Classification_Policy.md		Data_Classification_Policy.md
Disaster_Recovery_Plan.md		Disaster_Recovery_Plan.md
External_Stakeholder_Registry.md		External_Stakeholder_Registry.md
ISMS_METRICS_DASHBOARD.md		ISMS_METRICS_DASHBOARD.md
ISMS_Transparency_Plan.md		ISMS_Transparency_Plan.md
Incident_Response_Plan.md		Incident_Response_Plan.md
Information_Security_Policy.md		Information_Security_Policy.md
Information_Security_Strategy.md		Information_Security_Strategy.md
LICENSE.txt		LICENSE.txt
Mobile_Device_Management_Policy.md		Mobile_Device_Management_Policy.md
Network_Security_Policy.md		Network_Security_Policy.md
OWASP_LLM_Security_Policy.md		OWASP_LLM_Security_Policy.md
Open_Source_Policy.md		Open_Source_Policy.md
Physical_Security_Policy.md		Physical_Security_Policy.md
Privacy_Policy.md		Privacy_Policy.md
README.md		README.md
Risk_Assessment_Methodology.md		Risk_Assessment_Methodology.md
Risk_Register.md		Risk_Register.md
STYLE_GUIDE.md		STYLE_GUIDE.md
SUPPLIER.md		SUPPLIER.md
Secure_Development_Policy.md		Secure_Development_Policy.md
Security_Metrics.md		Security_Metrics.md
Segregation_of_Duties_Policy.md		Segregation_of_Duties_Policy.md
Third_Party_Management.md		Third_Party_Management.md
Threat_Modeling.md		Threat_Modeling.md
Vulnerability_Management.md		Vulnerability_Management.md

License

Hack23/ISMS-PUBLIC

Folders and files

Latest commit

History

Repository files navigation