
Information Security Management System (ISMS) Plan

Effective: March 17, 2026

1. Purpose

This document defines the principles, requirements, and rules that govern H33.ai, Inc.’s (“H33”) Information Security Management System (ISMS). The ISMS establishes a systematic approach to managing sensitive company information, customer data, and electronic protected health information (ePHI) so that it remains secure. The ISMS encompasses people, processes, and technology by applying a comprehensive risk management process aligned with internationally recognized standards.

The ISMS Plan ensures that H33 maintains the confidentiality, integrity, and availability (CIA) of all information assets through a structured framework of policies, procedures, controls, and continuous improvement mechanisms. This plan serves as the foundational governance document for all information security activities within the organization.

2. Background

The H33 ISMS is based on the following international standards and frameworks:

  • ISO/IEC 27001:2022 — Information security management systems — Requirements. This is the primary standard governing the establishment, implementation, maintenance, and continual improvement of the ISMS.
  • ISO/IEC 27017:2015 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. This standard provides additional guidance for cloud service providers and cloud service customers.
  • ISO/IEC 27018:2019 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. This standard addresses privacy requirements specific to cloud computing environments.

In addition to these ISO standards, the ISMS incorporates requirements from HIPAA (45 CFR Parts 160 and 164), SOC 2 Type II Trust Services Criteria, and applicable data protection regulations across all jurisdictions in which H33 operates.

3. Scope

The ISMS applies to all organizational units, information systems, personnel, and processes within H33. The scope encompasses:

3.1 Organizational Units

  • Product: Product management, roadmap, and feature development for H33-Vault, H33-Share, H33-FHE-IQ, and all platform services
  • Engineering: Software development, cryptographic research, FHE engine development, ZKP verification systems, and post-quantum cryptography implementation
  • Security: Information security operations, vulnerability management, penetration testing, incident response, and security architecture
  • IT: Infrastructure management, cloud operations, network administration, and system administration
  • People: Human resources, talent acquisition, workforce management, and training

3.2 Information Systems

Systems in scope, with the purpose of each:

  • AWS: Primary cloud infrastructure (EC2, RDS, ElastiCache, S3, CloudFront, Elastic Beanstalk, Secrets Manager)
  • GitLab: Source code management, CI/CD pipelines, code review
  • DataDog: Infrastructure monitoring, application performance monitoring, log management
  • Google Workspace: Email, document collaboration, calendar, identity management
  • Netlify: Static site hosting, CDN, serverless functions
  • Stripe: Payment processing, subscription management
  • Twilio / AWS SNS: SMS-based authentication and OTP delivery

3.3 Workforce

The ISMS applies to all H33 workforce members, including full-time employees, part-time employees, contractors, consultants, temporary personnel, and any individual with access to H33 information systems or data. H33 operates as a fully remote organization, and the ISMS addresses the unique security considerations of distributed work environments, including endpoint security, secure remote access, and physical security of home offices.

4. Context of the Organization

4.1 Internal Issues

H33 has identified the following internal issues relevant to the ISMS:

  • Fully remote workforce requiring robust endpoint and access management controls
  • Highly specialized cryptographic engineering talent pool with access to proprietary algorithms and trade secrets
  • Complex multi-cloud infrastructure spanning AWS, Netlify, and third-party SaaS providers
  • Rapid product development cycles requiring security to be integrated into the SDLC
  • Post-quantum cryptographic implementations (Kyber, Dilithium) requiring specialized security review processes
  • FHE processing pipelines handling encrypted biometric data and ePHI

4.2 External Issues

H33 has identified the following external issues relevant to the ISMS:

  • Evolving threat landscape, including nation-state actors targeting cryptographic infrastructure
  • Quantum computing advancements that may impact the security of classical cryptographic primitives
  • Regulatory changes across multiple jurisdictions affecting data protection and privacy requirements
  • Customer expectations for SOC 2 Type II and HIPAA compliance attestations
  • Industry standards evolution (NIST post-quantum standardization, FIPS 203/204/205)

4.3 Applicable Laws and Regulations

The ISMS addresses compliance with the following laws and regulations across all applicable jurisdictions:

Applicable laws by jurisdiction:

  • European Union: General Data Protection Regulation (GDPR), ePrivacy Directive
  • United States: HIPAA, HITECH Act, CCPA/CPRA, state breach notification laws, ECPA, CFAA
  • Australia: Privacy Act 1988, Australian Privacy Principles (APPs), Notifiable Data Breaches scheme
  • Brazil: Lei Geral de Proteção de Dados (LGPD)
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy legislation
  • India: Digital Personal Data Protection Act, 2023 (DPDPA), Information Technology Act
  • Israel: Protection of Privacy Law, Privacy Protection Regulations
  • Japan: Act on the Protection of Personal Information (APPI)
  • New Zealand: Privacy Act 2020
  • United Kingdom: UK GDPR, Data Protection Act 2018

4.4 Climate Change

H33 has assessed the potential impact of climate change on the ISMS. Given that H33 operates on cloud infrastructure (primarily AWS) and maintains a fully remote workforce, direct climate impacts on physical facilities are limited. However, H33 recognizes potential indirect impacts on computational resources, including increased energy costs, data center availability disruptions due to extreme weather events, and supply chain impacts on hardware availability. These considerations are addressed through cloud provider diversification planning and business continuity procedures.

5. Leadership

5.1 Top Management Commitment

H33’s top management demonstrates leadership and commitment with respect to the ISMS by:

  • Ensuring the information security policy and security objectives are established and compatible with the strategic direction of the organization
  • Ensuring the integration of ISMS requirements into H33’s business processes
  • Ensuring that the resources needed for the ISMS are available
  • Communicating the importance of effective information security management and conforming to ISMS requirements
  • Ensuring the ISMS achieves its intended outcomes
  • Directing and supporting persons to contribute to the effectiveness of the ISMS
  • Promoting continual improvement
  • Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility

5.2 Information Security Policy

H33 maintains an Information Security Policy that is appropriate to the purpose of the organization, includes information security objectives (or provides a framework for setting them), includes a commitment to satisfy applicable requirements related to information security, and includes a commitment to continual improvement of the ISMS. The policy is available as documented information, communicated within the organization, and available to interested parties as appropriate.

5.3 Organizational Roles, Responsibilities, and Authorities

Top management ensures that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Key roles include:

  • CEO / CISO: Overall ISMS accountability, HIPAA Security Officer, risk appetite definition, resource allocation
  • Privacy Officer: HIPAA Privacy Rule compliance, PHI handling policies, privacy incident management
  • Engineering Lead: Secure development lifecycle, cryptographic implementation review, vulnerability remediation
  • Security Operations: Monitoring, incident detection and response, penetration testing, access reviews
  • All Workforce Members: Compliance with policies, reporting security events, protecting credentials and data

6. Risk Assessment

6.1 Methodology

H33 maintains a documented risk assessment methodology for identifying, analyzing, and evaluating information security risks. The methodology:

  • Defines criteria for performing risk assessments, including risk acceptance criteria and criteria for when to perform risk assessments
  • Ensures that repeated risk assessments produce consistent, valid, and comparable results
  • Identifies risks associated with the loss of confidentiality, integrity, and availability (CIA) of information within the scope of the ISMS
  • Identifies risk owners for each identified risk
  • Analyzes each risk by assessing the realistic likelihood of occurrence and the potential consequences
  • Evaluates risks against the established risk criteria to determine which risks require treatment

6.2 Risk Treatment

For risks requiring treatment, H33 develops risk treatment plans that specify:

  • The selected risk treatment option (mitigate, transfer, accept, or avoid)
  • The controls necessary to implement each risk treatment option, cross-referenced with the ISO 27001 Annex A controls
  • The risk owner’s approval of the residual risk after treatment
  • Implementation timelines and responsible parties

6.3 Statement of Applicability (SOA)

H33 maintains a Statement of Applicability that documents which ISO 27001 Annex A controls are applicable and which are excluded, with justification for any exclusions. The SOA is reviewed and updated at least annually and whenever significant changes to the ISMS scope or risk landscape occur. See Section 11 for a summary of applicable control domains.

7. Security Objectives

H33 establishes measurable information security objectives that are consistent with the information security policy, take into account applicable requirements and risk assessment/treatment results, and are monitored, communicated, and updated as appropriate.

Objectives and their targets:

  • ISO 27001 Certification: Achieve initial certification within 12 months of ISMS implementation
  • Security Culture: 100% workforce completion of security awareness training within 30 days of onboarding
  • Technology Change Impact: Zero security incidents resulting from unreviewed changes to production systems
  • Incident Response: Mean time to detect (MTTD) < 24 hours; mean time to respond (MTTR) < 4 hours
  • Vulnerability Management: Critical vulnerabilities remediated within 48 hours; high within 7 days
  • Post-Quantum Readiness: All production cryptographic operations use NIST-approved PQ algorithms (ML-KEM, ML-DSA)

8. Support

8.1 Resources

H33 determines and provides the resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS. This includes personnel, technology, training budgets, external consulting and audit services, and tooling for security monitoring, vulnerability scanning, and incident response.

8.2 Competence

H33 ensures that all persons doing work under its control that affects information security performance are competent on the basis of appropriate education, training, or experience. The organization:

  • Determines the necessary competence of persons doing work that affects information security performance
  • Ensures these persons are competent on the basis of appropriate education, training, or experience
  • Where applicable, takes actions to acquire the necessary competence and evaluates the effectiveness of those actions
  • Retains appropriate documented information as evidence of competence

8.3 Awareness

All persons doing work under H33’s control are made aware of the information security policy, their contribution to the effectiveness of the ISMS (including the benefits of improved information security performance), and the implications of not conforming with ISMS requirements.

8.4 Communication

H33 determines the need for internal and external communications relevant to the ISMS, including:

  • What to communicate: Security policies, incidents, risk assessments, audit findings, compliance updates
  • When to communicate: As changes occur, on scheduled review cycles, and upon discovery of incidents
  • With whom to communicate: Workforce members, customers, regulators, business associates, auditors
  • How to communicate: Secure email, encrypted channels, formal reports, training sessions, policy portals

8.5 Documented Information

The ISMS includes documented information required by ISO 27001:2022 and any additional documented information determined by H33 as necessary for the effectiveness of the ISMS. All documented information is controlled to ensure it is available and suitable for use where and when it is needed, and adequately protected against loss of confidentiality, improper use, or loss of integrity. Documentation is retained for a minimum of six (6) years in accordance with HIPAA requirements under 45 CFR §164.316(b)(2).

9. Performance Evaluation

9.1 Key Performance Indicators (KPIs)

H33 monitors, measures, analyzes, and evaluates the ISMS through the following KPIs:

Each KPI is listed with its target and the frequency at which it is measured:

  • ISMS Plan Review: Completed on schedule (Annual)
  • Security Awareness Training Completion: > 95% (Annual)
  • Phishing Simulation Failure Rate: < 5% (Quarterly)
  • Penetration Test: All critical/high findings remediated within SLA (Annual)
  • Platform Availability: ≥ 99.5% (Monthly)
  • Confirmed Security Incidents: Zero (Continuous)
  • Access Review Completion: 100% of privileged accounts reviewed (Quarterly)
  • Vulnerability Scan Coverage: 100% of production assets scanned (Weekly)

9.2 Internal Audit

H33 conducts internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and the requirements of ISO 27001:2022. Internal audits are conducted at least annually and cover all clauses of ISO 27001 and all applicable Annex A controls. The audit program takes into consideration the importance of the processes concerned, previous audit results, and changes affecting the organization.

Internal audit procedures ensure that:

  • Audit criteria, scope, frequency, and methods are defined and documented
  • Auditors are selected to ensure objectivity and impartiality (auditors do not audit their own work)
  • Audit results are reported to relevant management
  • Corrective actions are implemented without undue delay for any nonconformities identified
  • Audit records are retained as documented information

9.3 Management Review

Top management reviews the ISMS at planned intervals, at least annually, to ensure its continuing suitability, adequacy, and effectiveness. The management review considers:

  • Status of actions from previous management reviews
  • Changes in external and internal issues relevant to the ISMS
  • Changes in needs and expectations of interested parties
  • Feedback on the information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfillment of information security objectives
  • Feedback from interested parties
  • Results of risk assessment and status of risk treatment plan
  • Opportunities for continual improvement

Management review outputs include decisions related to continual improvement opportunities and any need for changes to the ISMS. Documented information is retained as evidence of management review results, including corrective action plans with assigned owners and target completion dates.

10. Improvement

10.1 Nonconformity and Corrective Action

When a nonconformity occurs, H33 takes action to control and correct it, evaluates the need for corrective action to eliminate the root cause so that it does not recur or occur elsewhere, implements any action needed, reviews the effectiveness of corrective action taken, and makes changes to the ISMS if necessary. Corrective actions are proportionate to the effects of the nonconformities encountered.

10.2 Continual Improvement

H33 continually improves the suitability, adequacy, and effectiveness of the ISMS through the use of the information security policy, security objectives, audit results, analysis of monitored events, corrective actions, and management review outputs.

11. Statement of Applicability — ISO 27001 Annex A Controls

The following summarizes the ISO 27001:2022 Annex A control domains applicable to H33’s ISMS. Detailed control applicability and implementation status are maintained in the full Statement of Applicability document.

11.1 ISO 27001:2022 Annex A Controls

  • A.5 Organizational Controls — Information security policies, roles and responsibilities, segregation of duties, management responsibilities, contact with authorities and special interest groups, threat intelligence, information security in project management, inventory of information and associated assets, acceptable use, return of assets, classification and labeling, information transfer, access control, identity management, authentication, and access rights
  • A.6 People Controls — Screening, terms and conditions of employment, information security awareness/education/training, disciplinary process, responsibilities after termination or change of employment, confidentiality/non-disclosure agreements, remote working, and information security event reporting
  • A.7 Physical Controls — Physical security perimeters, physical entry, securing offices/rooms/facilities, physical security monitoring, protecting against physical and environmental threats, working in secure areas, clear desk and clear screen, equipment siting and protection, security of assets off-premises, storage media, supporting utilities, cabling security, and equipment maintenance and secure disposal
  • A.8 Technological Controls — User endpoint devices, privileged access rights, information access restriction, access to source code, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, information deletion, data masking, data leakage prevention, information backup, redundancy of information processing facilities, logging, monitoring activities, clock synchronization, use of privileged utility programs, installation of software on operational systems, network security, security of network services, segregation of networks, web filtering, use of cryptography, secure development lifecycle, application security requirements, secure system architecture and engineering principles, secure coding, security testing in development and acceptance, outsourced development, separation of development/test/production environments, and change management

11.2 ISO 27017 Cloud Service Controls

In addition to the base Annex A controls, H33 implements cloud-specific controls from ISO/IEC 27017:2015, including:

  • Shared roles and responsibilities between H33 and cloud service providers (AWS, Netlify)
  • Removal and return of cloud service customer assets upon contract termination
  • Protection and separation of virtual computing environments
  • Virtual machine hardening and cloud service administration operations security
  • Monitoring of cloud services and alignment of security management for virtual and physical networks

11.3 ISO 27018 PII Protection Controls

H33 implements PII-specific controls from ISO/IEC 27018:2019 for personally identifiable information processed in cloud services, including:

  • Consent and choice mechanisms for PII principals
  • Purpose legitimacy and specification for PII processing
  • Collection limitation and data minimization
  • Use, retention, and disclosure limitation
  • PII accuracy and quality assurance
  • Openness, transparency, and notice requirements
  • Individual participation and access rights
  • Accountability for PII processing activities
  • Information security controls specific to PII in cloud computing

12. Records Retention

All ISMS documentation, including policies, procedures, risk assessments, audit reports, training records, incident reports, and management review minutes, shall be retained for a minimum of six (6) years from the date of creation or last effective date, whichever is later. This retention period satisfies both ISO 27001 documented information requirements and HIPAA documentation requirements under 45 CFR §164.316(b)(2).

13. Review Schedule

This ISMS Plan shall be reviewed and updated at least annually. The next scheduled review is March 2027. Interim reviews shall be triggered by:

  • Significant changes to the organization’s structure, operations, or strategic direction
  • Changes in the regulatory or legal landscape affecting information security
  • Results from internal or external audits indicating the need for ISMS modifications
  • Major security incidents or near-misses
  • Introduction of new products, services, or technology platforms
  • Changes in the threat landscape or risk profile

Questions about this plan?

Contact the Security team at security@h33.ai or the Compliance team at compliance@h33.ai.