ISMS Compliance
CyFun BasicProtect

PR.MA-1: Maintenance and patching

Maintenance and repair of organisational assets are performed and logged

PROTECT · PR.MA-1 · Key Measure

Requirement

Patches and security updates for Operating Systems and critical system components shall be installed.

Our Implementation

Infrastructure maintenance and patching are primarily managed by cloud providers. All 11 cloud platforms (Vercel, Cloudflare, Supabase, Turso, Qdrant, Upstash, Modal, Azure, AWS, GCP, GitHub) handle OS-level and infrastructure patching under their managed-service responsibilities.

For application-level security, Aikido provides continuous vulnerability scanning covering both static application security testing (SAST) and software composition analysis (SCA). Application dependencies are monitored for known CVEs, and updates are applied through the standard development workflow (pull request, code review, automated deployment).

Gaps / Planned improvements:

  • No formal patch management policy with defined SLAs for applying security updates (NEX-356)
  • Dependency updates are currently triggered by Aikido vulnerability alerts rather than by a defined schedule; formal patch SLAs are to be defined (NEX-356)

Evidence

Partially Implemented · L2 — Repeatable
