ISO Evidence of Competence
Effective: March 17, 2026 · DCF-179
1. Purpose
This document provides evidence of competence for personnel performing work that affects the performance and effectiveness of the H33.ai Information Security Management System (ISMS), as required by ISO 27001:2022 Clause 7.2. It demonstrates that persons doing work under H33.ai's control are competent on the basis of appropriate education, training, or experience.
Competence records are maintained as documented information and retained in the Drata compliance platform as evidence for internal and external audits.
2. Competence Framework
H33.ai determines the necessary competence for each role that affects information security performance, ensures that personnel are competent based on appropriate education, training, or experience, and takes actions to acquire the necessary competence where gaps are identified.
| Competence Basis | Education, professional experience, training, certifications |
| Evaluation Frequency | Annual competence review (aligned with management review cycle) |
| Gap Remediation | Training, mentoring, external education, or role reassignment |
| Records Location | Drata compliance platform (evidence library) |
| Retention Period | Duration of employment plus 3 years |
3. Personnel Register
| Name | Eric Beans |
| Title | Chief Executive Officer / Chief Information Security Officer |
| ISMS Roles | ISMS Owner, Risk Owner, HIPAA Security Officer, HIPAA Privacy Officer, Incident Commander, Internal Audit Oversight |
| Employment Date | Founder (company inception) |
| Background Check | Completed |
| NDA Executed | Yes (as part of corporate formation) |
4. Skills Matrix
| Competence Area | Required Skills | Proficiency | Evidence |
|---|---|---|---|
| ISMS Management | ISO 27001 framework knowledge, policy development, ISMS planning and operation | Expert | Designed and implemented H33.ai ISMS. Authored all ISMS policies and procedures. Completed ISO 27001 Lead Implementer training. |
| Risk Assessment | Risk identification, analysis, evaluation, treatment planning, risk register management | Expert | Performed comprehensive risk assessment for H33.ai. Maintains risk register with 12 identified risks. Risk treatment plans developed and monitored. |
| Cryptography & Post-Quantum Security | FHE (BFV/CKKS), lattice-based cryptography, ZK-STARKs, ML-DSA/Dilithium, ML-KEM/Kyber, NTT optimization | Expert | Architect and sole developer of H33 post-quantum cryptographic stack. Published white paper. Production system achieves 2.17M auth/sec on Graviton4. Deep expertise in NIST PQC standards (FIPS 203/204/205). |
| Secure Software Development | Rust programming (memory safety), secure SDLC, code review, static analysis, dependency management | Expert | Developed entire H33 codebase in Rust. Implements secure coding practices including cargo-audit, SAST, and mandatory code review via GitLab merge requests. |
| Cloud Security (AWS) | AWS IAM, VPC security, encryption at rest/transit, GuardDuty, CloudTrail, security groups, KMS | Expert | Designed and deployed H33 production infrastructure on AWS. Manages Graviton4 compute, RDS PostgreSQL, ElastiCache Redis, Elastic Beanstalk, CloudFront CDN. Implements AWS security best practices. |
| HIPAA Compliance | HIPAA Privacy Rule, Security Rule, Breach Notification Rule, BAA management, PHI handling | Expert | Serves as HIPAA Security Officer and Privacy Officer. HIPAA training completed annually. BAAs executed with all relevant vendors. HIPAA-compliant infrastructure deployed. |
| Incident Response | Incident detection, containment, eradication, recovery, forensics, post-incident review | Expert | Authored Incident Response Plan. Serves as Incident Commander. DataDog and AWS GuardDuty monitoring configured. Breach notification procedures documented per HIPAA and state law. |
| Vendor Management | Vendor security assessment, contract review, BAA negotiation, ongoing monitoring | Expert | Manages all vendor relationships. Security assessments performed for AWS, Microsoft 365, GitLab, Drata, DataDog. SOC 2 reports reviewed annually. BAAs in place for HIPAA-relevant vendors. |
| Business Continuity | BCP/DRP development, RTO/RPO planning, backup management, failover testing | Expert | Authored Business Continuity Plan. Manages RDS automated backups (35-day retention), multi-AZ deployment, and disaster recovery procedures. RTO: 4 hours, RPO: 1 hour. |
| Compliance Monitoring | Drata administration, control monitoring, evidence collection, audit preparation | Expert | Manages Drata compliance platform. Configured automated evidence collection. Maintains 100% compliance score for all active controls. Prepares evidence for SOC 2 and ISO 27001 audits. |
5. Training Records
5.1 Security Awareness Training
| Training Provider | Drata Security Awareness |
| Frequency | Annual (with quarterly refreshers) |
| Last Completed | January 15, 2026 |
| Next Due | January 15, 2027 |
| Topics Covered | Phishing awareness, social engineering, password security, data classification, incident reporting, physical security, remote work security, acceptable use |
| Completion Status | Complete (certificate on file in Drata) |
5.2 HIPAA Training
| Training Provider | Drata HIPAA Training Module |
| Frequency | Annual |
| Last Completed | January 15, 2026 |
| Next Due | January 15, 2027 |
| Topics Covered | HIPAA Privacy Rule, Security Rule, Breach Notification Rule, PHI handling, minimum necessary standard, patient rights, BAA requirements, sanctions for violations |
| Completion Status | Complete (certificate on file in Drata) |
5.3 Incident Response Training
| Training Type | Tabletop exercise and procedure review |
| Frequency | Annual |
| Last Completed | February 20, 2026 |
| Next Due | February 2027 |
| Scenario Covered | Simulated data breach scenario: unauthorized access to encrypted biometric database. Exercised containment, assessment, notification, and recovery procedures. |
| Lessons Learned | Refined communication templates for external notification. Updated contact list for relevant authorities (see DCF-744). |
5.4 ISO 27001 Lead Implementer Training
| Training Provider | Self-directed study (ISO 27001:2022 standard, ISO 27002:2022 guidance) |
| Completed | Q1 2026 |
| Topics Covered | ISMS planning and implementation, Annex A control selection, risk assessment methodology, Statement of Applicability, internal audit, management review, continual improvement |
| Evidence | Successful design and implementation of H33.ai ISMS with all required documented information |
5.5 Post-Quantum Cryptography (Ongoing Professional Development)
| Training Type | Continuous professional development |
| Activities | NIST PQC standardization participation, IACR publications review, FHE.org community engagement, independent cryptographic research and implementation |
| Evidence | H33 production platform implementing FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), BFV FHE, ZK-STARKs. Published white paper on post-quantum authentication architecture. System benchmarked at 2.17M auth/sec. |
6. Competence Evaluation Methodology
H33.ai evaluates competence through the following methods:
- Education and qualifications review — Verification of formal education, professional certifications, and specialized training relevant to ISMS roles.
- Experience assessment — Evaluation of professional experience in information security, cryptography, software development, cloud infrastructure, and compliance management.
- Training completion verification — Documented completion of required training programs (security awareness, HIPAA, incident response) tracked in Drata.
- Practical demonstration — Evidence of competence through work product: policy development, risk assessments, system architecture, code quality, incident response exercises.
- Continuous monitoring — Ongoing evaluation through Drata compliance metrics, code review quality, incident handling, and management review participation.
7. Competence Gap Analysis and Development Plan
| Area | Current State | Target | Action | Timeline |
|---|---|---|---|---|
| ISO 27001 Lead Auditor | Lead Implementer knowledge | Internal audit competence | Complete ISO 27001 Lead Auditor training course | Q2 2026 |
| SOC 2 Audit Preparation | Practical experience with Drata | Full SOC 2 audit readiness | Work with external auditor on readiness assessment; incorporate feedback | Q2 2026 |
| NIST CSF 2.0 | Familiar with CSF 1.1 | CSF 2.0 alignment | Review NIST CSF 2.0 (released Feb 2024); map H33 controls to CSF 2.0 functions | Q3 2026 |
8. Record Retention
All competence evidence, including training certificates, skills assessments, and gap analysis records, is maintained in the Drata compliance platform. Records are retained for the duration of employment plus a minimum of three (3) years following separation, in accordance with ISO 27001 documented information requirements and HIPAA record retention requirements (6 years for HIPAA-related training).
9. Approval
| Prepared By | Eric Beans, CEO/CISO |
| Approved By | Eric Beans, CEO/CISO |
| Approval Date | March 17, 2026 |
| Next Review | March 17, 2027 (or upon personnel changes) |
| Signature | /s/ Eric Beans |
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945