🔐 Hack23 AB — Information Security Management System

Security Excellence Through Transparency
Enterprise-grade ISMS for Innovation-driven Security Consulting

Document Owner: CEO | Version: 3.0 | Last Updated: 2025-11-25 (UTC)
🔄 Review Cycle: Quarterly | ⏰ Next Review: 2026-02-25

🎯 Executive Statement

Welcome to Hack23 AB's comprehensive ISMS documentation. Founded in June 2025 (Organization Number: 559534-7807), Hack23 AB operates as a Swedish cybersecurity consulting company demonstrating radical transparency through our industry-first public ISMS.

🏆 Phase 1 Foundation Excellence — Complete (November 2025):

• ✅ 100% ISMS documentation published (70% public, 30% sensitive values redacted)
• ✅ OpenSSF Scorecard 8.7 average (CIA, CIA Compliance Manager, Black Trigram)
• ✅ CII Best Practices Gold/Passing level achieved across all repositories
• ✅ Zero critical vulnerabilities outstanding (Dependabot monitoring)
• ✅ 95% compliance control coverage (ISO 27001, NIST CSF 2.0, CIS Controls v8.1)

🏢 Single-Person Company: Hack23 AB is operated by CEO/Founder James Pether Sörling. Our ISMS demonstrates that enterprise-grade security is achievable through innovative compensating controls: temporal separation, automation, external validation, and audit trail preservation.

🌐 Radical Transparency: We publish 70% of our ISMS openly to demonstrate security through robust processes rather than obscurity. Only specific sensitive values (credentials, account numbers, contract pricing) are redacted.

Note: The hack23.com website was registered in 2008 by the CEO, operating as an independent professional before formally establishing Hack23 AB in June 2025.

As CEO with CISM/CISSP certifications and three decades of experience, I've structured Hack23 AB around a fundamental principle: our Information Security Management System (ISMS) is not separate from our business - it IS our business model. This integration allows us to deliver security consulting services while simultaneously developing products that demonstrate these principles in action.

Our commitment to transparency extends beyond our open-source projects. This ISMS documentation itself serves as a testament to our belief that security through obscurity is a failed strategy. True security comes from robust processes, continuous improvement, and a culture where every decision considers security implications.

— James Pether Sörling, CEO/Founder

🚀 Quick Start

New to our ISMS? Start with these foundational documents:

🔐 Core Security Policies

• Information Security Policy — Overarching security governance
• Information Security Strategy — Strategic security roadmap
• Classification Framework — CIA impact analysis methodology

📊 Risk & Compliance

• Risk Register — Identified risks and treatments
• Compliance Checklist — Framework alignment validation
• Security Metrics — Performance measurement

🛡️ Operational Security

• Incident Response Plan — Security incident procedures
• Business Continuity Plan — Operational resilience
• Disaster Recovery Plan — Recovery procedures

🏗️ Product Security

• CIA Security Architecture — Enterprise authentication
• CIA Compliance Manager Security Architecture — Frontend-only rationale
• Black Trigram Security Architecture — Gaming platform security

📖 Documentation Standards

• Style Guide — Formatting and consistency standards
• ISMS Transparency Plan — Radical transparency methodology

🎖️ Security & Compliance Posture

Security Certifications:

Compliance Frameworks (100% Coverage):

🚀 CI/CD Status

All ISMS documentation is continuously validated against:

• ✅ Markdown linting standards
• 🔗 Link integrity checks
• 📋 Document structure requirements
• 🔒 Security and sensitive data scanning
• 🎨 STYLE_GUIDE.md v2.1 compliance (with documented exemptions for 12 legacy files)

🏢 About Hack23 AB

Hack23 AB is a Swedish innovation hub founded in 2025, specializing in creating immersive and precise game experiences alongside expert cybersecurity consulting. With a commitment to realism and authenticity, our flagship project, Black Trigram, combines traditional Korean martial arts with educational gameplay, while our information security services leverage advanced open-source tools and methodologies to protect digital integrity, confidentiality, and availability. At Hack23 AB, we're driven by a passion for precision, creativity, and uncompromising security.

📊 Visual Guides & Diagrams

Hack23 ISMS includes comprehensive Mermaid diagrams for improved understanding and navigation:

• 📊 ISMS Document Hierarchy: See below — Policy organization and navigation structure
• 🎖️ ISO 27001 Compliance Mapping: Compliance_Checklist.md — Annex A control coverage
• 🏗️ Product Security Architecture: Information_Security_Strategy.md — Security control comparison across products
• 📉 Risk Management Workflow: Risk_Register.md — Risk lifecycle process
• 🚨 Incident Response Flowchart: Incident_Response_Plan.md — Incident handling process with escalation paths
• 🔐 Segregation of Duties Workflow: Segregation_of_Duties_Policy.md — Single-person compensating controls
• 🎯 Security Control Selection Framework: Information_Security_Strategy.md — Classification-driven control decisions

📊 ISMS Document Hierarchy

Hack23 AB's ISMS follows a structured hierarchy from strategic vision to operational templates, demonstrating enterprise-grade governance and systematic security management.

flowchart TD
    subgraph STRATEGIC["🎯 Strategic Level"]
        STRATEGY[Information Security Strategy<br/>3-year roadmap and vision]
        POLICY_ROOT[Information Security Policy<br/>Governance framework]
        CLASSIFICATION[Classification Framework<br/>CIA impact methodology]
    end
    
    subgraph GOVERNANCE["📋 Governance Policies"]
        RISK[Risk Register<br/>Risk identification & treatment]
        COMPLIANCE[Compliance Checklist<br/>Multi-framework alignment]
        METRICS[Security Metrics<br/>KPI measurement & reporting]
        TRANSPARENCY[ISMS Transparency Plan<br/>Public disclosure strategy]
    end
    
    subgraph OPERATIONAL["⚙️ Operational Policies"]
        ACCESS[Access Control Policy<br/>IAM & authentication]
        CHANGE[Change Management<br/>Change control procedures]
        INCIDENT[Incident Response Plan<br/>Security incident handling]
        BCP[Business Continuity Plan<br/>Operational resilience]
        DRP[Disaster Recovery Plan<br/>Technical recovery]
        THIRD_PARTY[Third Party Management<br/>Vendor risk management]
    end
    
    subgraph TECHNICAL["🛠️ Technical Policies"]
        SECURE_DEV[Secure Development Policy<br/>SDLC security requirements]
        CRYPTO[Cryptography Policy<br/>Encryption standards]
        NETWORK[Network Security Policy<br/>Network controls & segmentation]
        VULN[Vulnerability Management<br/>Security testing & patching]
        BACKUP[Backup & Recovery Policy<br/>Data protection procedures]
        DATA[Data Classification Policy<br/>Information handling]
    end
    
    subgraph SUPPORT["📖 Supporting Documents"]
        STYLE[Style Guide<br/>Documentation standards]
        QA[ISMS QA Checklist<br/>Quality assurance]
        TEMPLATES[Templates<br/>Policy & procedure templates]
        ASSET[Asset Register<br/>IT asset inventory]
    end
    
    STRATEGY --> POLICY_ROOT
    POLICY_ROOT --> GOVERNANCE
    POLICY_ROOT --> OPERATIONAL
    POLICY_ROOT --> TECHNICAL
    GOVERNANCE --> SUPPORT
    
    style STRATEGIC fill:#1565C0,color:#fff
    style GOVERNANCE fill:#4CAF50,color:#fff
    style OPERATIONAL fill:#FF9800,color:#fff
    style TECHNICAL fill:#D32F2F,color:#fff
    style SUPPORT fill:#7B1FA2,color:#fff

Key Takeaways:

• 🎯 Strategic Level: Defines overarching security vision, governance framework, and impact classification methodology
• 📋 Governance: Establishes risk management, compliance tracking, metrics, and transparency commitments
• ⚙️ Operational: Implements day-to-day security operations including access control, incident response, and business continuity
• 🛠️ Technical: Specifies technical security controls for development, cryptography, network, vulnerability, and data protection
• 📖 Support: Provides quality assurance, documentation standards, templates, and asset tracking

Related Documents:

• 🔐 Information Security Policy — Master governance policy
• 🏷️ Classification Framework — Business impact definitions
• 📐 Style Guide — Documentation and diagram standards

📊 ISMS Health Dashboard

📈 View Live ISMS Metrics Dashboard - Real-time policy health monitoring with automated review tracking

Our ISMS Metrics Dashboard provides instant visibility into:

• 🚦 Review Status: Overdue, due soon, and current policy reviews
• 📅 Upcoming Reviews: Next 90 days calendar view
• 📋 Document Health Matrix: Complete status of all 40 ISMS documents
• 📊 Compliance Coverage: ISO 27001, NIST CSF, CIS Controls alignment
• 🔄 Automated Updates: Weekly refresh via GitHub Actions

📋 ISMS Documentation Status

Last Updated: 2025-11-25 | Completion: 100% (40/40 policies)

📊 Completion Status

• ✅ Complete: 40 documents (100%)
• ⏳ In Progress: 0 documents
• 📅 Planned: 0 documents
• Total: 40 core documents
• Completion Rate: 100%

🏢 Single-Person Adaptations

• ✅ Adapted Policies: 15 policies include single-person company compensating controls
• 🔐 Temporal Separation: Time-based role separation for conflicting duties
• 🤖 Automation Controls: Tool-based enforcement and validation
• 📜 Audit Trail Preservation: Immutable logging and external validation
• 🤝 External Validation: Partnership framework for capacity overflow

🎉 ISMS Implementation Complete

Hack23 AB's Information Security Management System is now fully documented and operational. This comprehensive ISMS demonstrates enterprise-grade security practices while supporting our dual mission of cybersecurity consulting excellence and innovative product development.

Key Achievements

• 40 complete policy documents covering all aspects of information security
• Strategic Partnership Framework addressing single-person dependency risk (R-FOUNDER-001) with capacity overflow procedures
• NIS2 Compliance Service Package with €2.6M 3-year revenue projection
• 7 NIS2 client templates (scoping, gap analysis, incident reporting, risk register, supply chain, checklist, management reporting)
• Security Architecture Documentation demonstrating ISMS repository security controls and GitHub-based security
• Acceptable Use Policy establishing clear behavioral expectations and professional standards
• Physical Security Policy demonstrating home office security for remote operations
• Mobile Device Management Policy demonstrating pragmatic endpoint security for single-person operations
• OWASP LLM Top 10 2025 alignment with comprehensive AI security controls
• GDPR-compliant privacy framework with comprehensive Privacy Policy for user-facing applications
• 6-level privacy classification system from Special Category data to Anonymized/NA
• Comprehensive risk assessment with 23 identified and managed risks
• Full supplier security posture analysis across 18 active services
• Enterprise-grade AWS security with 27 active services and 8 dedicated security tools
• Complete business continuity planning with defined RTO/RPO objectives
• Transparent documentation approach showcasing security expertise to potential clients

Business Value Delivered

• Client Demonstration Platform: Live ISMS serves as proof of our cybersecurity consulting capabilities
• Operational Excellence: Systematic approach to security enables business growth and innovation
• Compliance Readiness: Framework supports ISO 27001, GDPR, NIS2, and other regulatory requirements
• Risk Management: Proactive identification and treatment of business and security risks
• Stakeholder Confidence: Transparent security posture builds trust with clients, partners, and investors

This ISMS implementation validates our core principle: enterprise-grade security expertise directly enables innovation rather than constraining it.

🔐 Security Services Overview

🎖️ Security Badge Health Status

Our ISMS documentation maintains transparent security posture through public evidence badges. The badge monitoring system validates badge accessibility and security scores across all documentation.

Badge Health Metrics

Badge Categories

🔐 Security Badges (Critical)

• OpenSSF Scorecard: Supply chain security assessment for all repositories (8.7 average)
• SLSA Provenance: Build provenance and integrity verification (Level 3)
• FOSSA License: Open source license compliance and vulnerability detection

📊 Quality Badges (High Priority)

• SonarCloud Quality Gate: Code quality and security scanning (Target: Passed)
• Security Rating: Vulnerability detection and analysis (Target: A rating)
• Code Coverage: Test coverage metrics (Target: 80%+)

✅ Compliance Badges (Documentation)

• ISO 27001 Aligned: Information security management framework
• NIST CSF 2.0 Aligned: Cybersecurity framework compliance
• CIS Controls v8.1 Aligned: Security control implementation
• AWS Well-Architected: Cloud security best practices

🔨 Build Status Badges (Operational)

• GitHub Actions CI: Continuous integration pipeline status
• Release Workflows: Automated release and deployment status

Reference Implementations

Our badge standards are demonstrated across Hack23 projects:

For detailed badge requirements and standards, see the 🎨 Style Guide - Security Badge Standards.

🤝 Community & Transparency

Hack23 AB's ISMS is open for community review and feedback. We believe security through transparency creates stronger security than security through obscurity.

How to Contribute:

• 📝 Feedback: Contact us with suggestions, questions, or corrections
• 🔍 Security Research: Review our documentation for security insights you can apply to your organization
• 🎓 Educational Use: Our ISMS is freely available for educational and research purposes
• 🏆 Best Practices: Learn from our single-person company adaptations and compensating controls

Community Guidelines:

• Be respectful and professional in all interactions
• Protect sensitive information (even though we publish 70%, some values remain confidential)
• Report security issues responsibly via our Incident Response Plan

Recognition: Thank you to the open-source security community, OpenSSF Scorecard, CII Best Practices, and all contributors to the frameworks we align with.

📅 Recent Updates

• 2025-11-25: README.md updated with Phase 1 achievements and accurate policy status table
• 2025-11-24: Phase 1 Foundation Excellence complete — 100% ISMS documentation
• 2025-11-24: Segregation of Duties Policy v2.0 published with comprehensive compensating controls
• 2025-11-19: Partnership Framework published addressing founder dependency risk
• 2025-11-18: NIS2 Compliance Service package complete with revenue projections
• 2025-11-17: Multiple policy updates with single-person adaptations
• 2025-11-10: Information Security Strategy v3.0 updated with Phase 1 achievements
• 2025-06-17: Hack23 AB founded (Organization Number: 559534-7807)

🔗 Key Resources

• Company Website: hack23.com
• GitHub Organization: github.com/Hack23
• CEO/Founder LinkedIn: James Pether Sörling
• OpenSSF Scorecard Dashboard: All Hack23 Repositories
• CII Best Practices:
  • CIA Project (Gold)
  • Black Trigram (Passing)
  • CIA Compliance Manager (Passing)

📜 License & Usage

ISMS Documentation License: Creative Commons Attribution 4.0 International (CC BY 4.0)
You are free to share and adapt this ISMS documentation for any purpose, even commercially, under the following terms:

• Attribution: You must give appropriate credit to Hack23 AB and link to this repository
• No Endorsement: You may not imply Hack23 AB endorses your use of this material

Disclaimer: This ISMS is tailored for Hack23 AB's specific risk profile and operational model. Organizations adopting these policies should perform their own risk assessments and customize policies to their context.

📋 Document Control:
✅ Approved by: James Pether Sörling, CEO
📤 Distribution: Public
🏷️ Classification:
📅 Effective Date: 2025-11-25
⏰ Next Review: 2026-02-25
🎯 Framework Compliance:

© 2025 Hack23 AB (559534-7807) — Stockholm, Sweden
Transparency in Security. Security through Transparency.