
Information Security Management System (ISMS) — Scope

Document ID: BD-ISMS-SCOPE-001
Version: 1.0
Effective Date: 2026-03-17
Classification: Internal Use Only


Executive Summary

This document defines the scope of BeDefended's Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022. The scope encompasses all people, processes, systems, and locations involved in the delivery of automated penetration testing and security advisory services.


Organizational Context

Organization Overview

BeDefended is an automated penetration testing SaaS platform providing:
  • Automated security assessments (web applications, APIs, infrastructure)
  • Compliance reporting (GDPR, HIPAA, ISO 27001, NIST 800-53, FedRAMP, SOC 2)
  • Report generation and evidence management
  • Multi-user engagement coordination

Organizational Location:
  • Headquarters: [Location to be specified]
  • Cloud Infrastructure: AWS (us-east-1, eu-west-1 regions)
  • Data Centers: Third-party managed (Stripe, SendGrid, GitHub)

Organizational Roles in ISMS

  • CISO / Security Lead: Overall ISMS oversight, risk assessment, policy approval
  • System Administrators: Technical controls implementation, access management
  • Compliance Officer: Regulatory alignment, audit coordination, breach response
  • Pentester Team: Secure testing, non-destructive methodology enforcement
  • Quality Assurance: Testing verification, vulnerability scanning

ISMS Scope Definition

In-Scope Assets

1. Information Systems

  • Dashboard Backend (Python FastAPI, SQLite database)
  • Dashboard Frontend (React TypeScript, localhost:8880)
  • Report Engine (Node.js, DOCX generation)
  • Desktop Application (Flutter, multi-platform)
  • API Infrastructure (REST/JSON endpoints, authentication via JWT)

2. Information

  • Client Data: Engagement scope, findings, vulnerability details, remediation status
  • User Credentials: Passwords, MFA secrets (TOTP), API keys, session tokens
  • Audit Logs: Access records, API call history, compliance events (IP, user-agent, timestamp)
  • Compliance Evidence: Reports, attestations, assessment results
  • Personal Data: User profiles, email addresses (subject to GDPR)

3. Locations & Personnel

  • BeDefended staff (pentester, admin, support roles)
  • Licensed clients (account owners, authorized testers)
  • Cloud infrastructure providers (AWS, Stripe, SendGrid, GitHub)

4. Key Processes

  • Penetration testing execution (automated + manual)
  • Report generation and compliance injection
  • User authentication and authorization
  • Data backup and disaster recovery
  • Incident response and breach notification
  • Change management and patch deployment
  • Vendor management (third-party assessments)
  • Audit and compliance monitoring

Out-of-Scope

The following are explicitly excluded from ISMS scope:

  • Client Systems Under Test: BeDefended does not control or own client infrastructure being assessed
  • Third-Party Vendor Infrastructure: Stripe, SendGrid, GitHub, AWS internal operations (vendors are responsible for their own ISMS)
  • Client Data After Delivery: Once reports are delivered and findings remediated, client responsibility for data handling begins
  • Desktop/Mobile Devices of End-Users: Personal devices used by BeDefended staff are covered only for access to BeDefended systems
  • Archived Data (>3 years): Historical engagement data beyond retention policy is outside ISMS (handled via data retention purge)

Boundary & Interconnections

┌─────────────────────────────────────────────────────────────────────┐
│                      BeDefended ISMS Boundary                       │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │  Core Systems (IN SCOPE)                                      │  │
│  │  • Dashboard (backend + frontend)                             │  │
│  │  • Report Engine (DOCX generation + compliance injection)     │  │
│  │  • Desktop App (Flutter, certificate pinning)                 │  │
│  │  • Database (SQLite, encrypted backups)                       │  │
│  │  • API (FastAPI, JWT auth, rate limiting)                     │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                                                                     │
│  External Dependencies (MONITORED but OUT OF SCOPE)                 │
│  • AWS (IaaS provider) — vendor responsible for AWS ISMS            │
│  • Stripe (payment processor) — vendor responsible for PCI-DSS      │
│  • SendGrid (email service) — vendor responsible for own controls   │
│  • GitHub (code repository) — vendor responsible for supply chain   │
│                                                                     │
│  Client Systems (OUT OF SCOPE)                                      │
│  • Target applications under test                                   │
│  • Client infrastructure (tested but not controlled by BeDefended)  │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Key Interconnections

Interface         Direction           Control
AWS API           Outbound            BeDefended applies least-privilege IAM policies
Stripe API        Outbound            Encryption in transit, API key rotation
SendGrid API      Outbound            Email authentication (SPF/DKIM), rate limiting
GitHub API        Outbound            Personal access tokens, Dependabot security scanning
Client Networks   Inbound (Testing)   Non-destructive testing rules, rate limiting

Justification of Scope

Why This Scope?

  1. Risk Coverage: All systems handling client data, credentials, and findings are included
  2. Regulatory Compliance: Scope aligns with GDPR, HIPAA, NIST 800-53 applicability (we are data processor + controller for some operations)
  3. Operational Control: We have direct technical/operational control over all in-scope systems
  4. Business Criticality: Systems in scope are essential to BeDefended's service delivery and client trust

Risk Assessment Basis

  • High-Risk Assets: Database (client data, credentials) → in scope
  • Medium-Risk Assets: API (attack surface) → in scope
  • Low-Risk Assets: Public documentation, marketing website → likely out of scope (handled separately)

Scope Review & Change Control

Review Schedule

  • Annual Review: 2026-Q1 (every January)
  • Ad-hoc Review: On significant organizational changes (M&A, new business lines, regulatory changes)

Change Control

Any proposed changes to ISMS scope must follow the Change Management Process (see docs/operations/change-management.md):

  1. Identify proposed scope change
  2. Risk assessment of proposed change
  3. Approval from CISO + Compliance Officer
  4. Update this document + communicate to stakeholders
  5. Implement supporting controls if scope expands


Stakeholder Sign-Off

Role                   Name     Signature   Date
CISO / Security Lead   [Name]   _____       2026-03-17
Compliance Officer     [Name]   _____       2026-03-17
CEO / Leadership       [Name]   _____       2026-03-17

Document Control

  • Owner: CISO
  • Last Updated: 2026-03-17
  • Next Review: 2027-01-15
  • Status: Approved