PR.AC-2: Physical access management
Physical access to assets is managed and protected
Requirement
Physical access to the facility, servers and network components shall be managed.
Our Implementation
NextSDS operates a fully cloud-native infrastructure with no on-premise servers, data centres, or physical network equipment. All infrastructure runs on SOC 2 and/or ISO 27001 certified cloud provider data centres (AWS, GCP, Vercel, Cloudflare). Physical access to these data centres is managed by the cloud providers under their own security certifications.
Team members work remotely using personal devices (BYOD). Physical security of endpoint devices (laptops, phones) is the responsibility of each device owner. Full-disk encryption is required on all devices used for work (see RSK-001 in the risk register for ongoing remediation).
Gaps / Planned improvements:
- No formal BYOD policy documented yet (NEX-355)
- Full-disk encryption not yet verified on all devices (NEX-345)