ISO 27001 — Information Security (audit planned)
How QEHS supports an ISO 27001 ISMS for customers (evidence artefacts) and our own ISO 27001 audit roadmap and current posture.
Overview
ISO 27001:2022 is the international information security management standard (an audit against it is planned for QEHS). A certified entity maintains an Information Security Management System (ISMS) and applies the controls listed in Annex A.
Our posture
- QEHS publishes 14 ISMS security policies aligned to ISO 27001:2022 Annex A (audit planned). Full ISO 27001 certification is on the roadmap; current certification status is visible in the Trust Center.
- Annual surveillance audits will follow once certification is achieved.
- Shared responsibility model — customer owns identity, access, and their tenant data; we own platform confidentiality, integrity, and availability.
Supporting your ISMS
For customers running their own ISMS, QEHS modules can host the asset inventory, risk register, Statement of Applicability (SoA), control evidence, awareness training records, and internal audit programme. The Documents module enforces versioned approval for policies, and the Audit log is tamper-evident (hash-chained, with a retention period of 1–7 years).