ISMS Compliance
CyFun Basic / Identify

ID.RA-1: Vulnerability identification

Asset vulnerabilities are identified and documented


Requirement

Threats and vulnerabilities shall be identified.

Our Implementation

Vulnerability identification is addressed through automated and manual processes:

  • Continuous scanning: Aikido provides automated vulnerability scanning covering static application security testing (SAST) and software composition analysis (SCA) across application code and dependencies
  • Dependency monitoring: Application dependencies are monitored for known CVEs through Aikido and GitHub Dependabot alerts
  • Infrastructure vulnerabilities: Cloud provider infrastructure vulnerabilities are managed by the respective providers (AWS, GCP, Vercel, Cloudflare) under their shared responsibility models
  • Risk documentation: Identified vulnerabilities and risks are documented in the risk register with scoring and treatment plans

Gaps / Planned improvements:

  • No dynamic application security testing (DAST) conducted (NEX-350)
  • No penetration testing performed to date — planned before enterprise customer onboarding (NEX-350)
  • No formal vulnerability disclosure programme (NEX-364)

Evidence

Status: Implemented. Maturity: L2 (Repeatable)
