Overview

PassAgent includes an Information Security Management System (ISMS) module that provides the infrastructure for SOC 2 Type II and ISO 27001 compliance. The module covers asset management, security controls, risk assessment, incident response, evidence collection, policy management, supplier oversight, and vulnerability tracking. The ISMS builds on PassAgent’s existing security primitives — the audit client, evidence storage (S3/KMS), secrets manager, and queue-based job processing.

SOC 2 Type II

Trust Services Criteria coverage: Security, Availability, Confidentiality

ISO 27001

Annex A control mapping with Statement of Applicability support

Compliance Lifecycle


Core Domains

Asset Management

The asset register tracks all systems, data stores, and third-party services that handle sensitive credential data. Each asset is classified by data sensitivity and assigned an owner.
| Field | Type | Description |
|---|---|---|
| asset_id | string | Unique identifier |
| type | enum | system, database, service, endpoint, data_store |
| classification | enum | public, internal, confidential, restricted |
| risk_level | enum | low, medium, high, critical |
| owner_id | string | Responsible team member |

Security Controls

Controls map to SOC 2 Trust Services Criteria and ISO 27001 Annex A clauses.
| Control ID | Framework | PassAgent Implementation |
|---|---|---|
| CC6.1 | SOC 2 | Supabase RLS + row-level policies |
| CC6.2 | SOC 2 | 2FA enrollment, device trust, passkeys |
| CC6.3 | SOC 2 | Per-user scope checks in API routes |
| CC7.2 | SOC 2 | Audit log append-only store |
| CC8.1 | SOC 2 | Git-based deploy pipeline |
| A.8.1 | ISO 27001 | ISMS asset register |
| A.12.4 | ISO 27001 | ConsoleAuditClient / DynamoDB audit |
| A.14.2 | ISO 27001 | Pre-commit hooks, dependency scanning |
| A.18.1 | ISO 27001 | Scheduled management reviews |

Risk Assessment

Risks are scored using a likelihood × impact matrix (1-5 scale each), producing scores from 1 (negligible) to 25 (critical):

| Risk Level | Score Range | Response |
|---|---|---|
| Low | 1-5 | Accept and monitor |
| Medium | 6-12 | Mitigate with controls |
| High | 13-19 | Prioritize remediation |
| Critical | 20-25 | Immediate escalation |

Incident Management

Incidents record severity (P1-P4), a full timeline, root cause categorization, evidence artifacts uploaded to S3, and a blameless post-mortem with action items.

Evidence Collection

Evidence is the backbone of compliance audits. PassAgent uses a pluggable evidence storage system with two implementations:
| Implementation | Provider | Use Case |
|---|---|---|
| MemoryEvidenceClient | In-memory Map | Local development and testing |
| S3EvidenceClient | AWS S3 with KMS | Production evidence storage |

```typescript
interface EvidenceClient {
  // Stores one evidence object and returns a pointer to where it was written.
  putObject(params: {
    bucket: string;
    key: string;
    body: Buffer | Uint8Array | string;
    contentType?: string;
  }): Promise<EvidencePointer>;
}
```
The worker consumer automatically collects evidence for every completed job:
```typescript
// Store the job output as an evidence artifact keyed by the job id...
await evidence.putObject({
  bucket: "evidence",
  key: `${msg.id}.txt`,
  body: content,
  contentType: "text/plain"
});

// ...then record the completion in the audit log so the artifact is traceable.
await audit.append({
  id: msg.id,
  timestamp: new Date().toISOString(),
  actorUserId: "worker",
  action: "job_completed",
  target: msg.type,
  metadata: { jobId: msg.id }
});
```

Audit Logging

All security-relevant actions are recorded through the audit client:
```typescript
interface AuditRecord {
  id: string;
  timestamp: string;
  actorUserId: string;
  deviceId?: string;
  action: string;
  target?: string;
  consentCopy?: string;    // GDPR consent tracking
  metadata?: Record<string, unknown>;
}
```
The ConsoleAuditClient writes to stdout in development. In production, replace with an append-only store (DynamoDB with TTL disabled or RDS with hash-chain verification).
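An added example (not PassAgent code) of what the hash-chain verification mentioned above looks like: a hypothetical in-memory HashChainAuditClient that links each AuditRecord to the one before it with SHA-256, so that a later edit or deletion of any entry is detectable. The class name and the canonical() and entryHash() helpers are assumptions for this example; the record fields are a subset of the AuditRecord interface above.

```typescript
import { createHash } from "crypto";
// Subset of the page's AuditRecord fields; the chain logic does not depend on which fields exist.
interface AuditRecord {
  id: string; timestamp: string; actorUserId: string;
  action: string; target?: string; metadata?: Record<string, unknown>;
}
// Each stored entry also carries the hash of the entry before it, so editing
// or deleting any record invalidates every hash that follows.
interface ChainedRecord { record: AuditRecord; prevHash: string; hash: string }

const GENESIS = "0".repeat(64);

// Deterministic serialisation: sorted keys, undefined fields dropped.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort().filter((k) => obj[k] !== undefined)
      .map((k) => JSON.stringify(k) + ":" + canonical(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}
function entryHash(record: AuditRecord, prevHash: string): string {
  return createHash("sha256").update(prevHash).update(canonical(record)).digest("hex");
}

// Hypothetical in-memory stand-in for the production append-only store.
class HashChainAuditClient {
  readonly entries: ChainedRecord[] = [];

  // Synchronous for clarity; a persistent client would return a Promise like the page's audit.append.
  append(record: AuditRecord): string {
    const prevHash = this.entries.length ? this.entries[this.entries.length - 1].hash : GENESIS;
    const hash = entryHash(record, prevHash);
    this.entries.push({ record, prevHash, hash });
    return hash;
  }

  // Recomputes the chain; returns the index of the first broken entry, or -1 if intact.
  verify(): number {
    let expectedPrev = GENESIS;
    for (let i = 0; i < this.entries.length; i++) {
      const e = this.entries[i];
      if (e.prevHash !== expectedPrev || entryHash(e.record, e.prevHash) !== e.hash) return i;
      expectedPrev = e.hash;
    }
    return -1;
  }
}
```

verify() catches modification or removal of any entry except truncation of the tail; to detect that as well, periodically write the latest hash somewhere the log writer cannot alter, such as the evidence store.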

Policy & Supplier Management

Policies

Versioned documents with approval workflows. Key policies: Password Management, Access Control, Incident Response, Data Retention, Acceptable Use, and Supplier Security.

Supplier Oversight

| Supplier | Service | Data Access | Review |
|---|---|---|---|
| Supabase | Database + Auth | Credential metadata | Quarterly |
| Browserless.io | Browser automation | Transient page content | Quarterly |
| AWS (S3/KMS/SQS) | Evidence + Secrets | Encrypted evidence | Annual |
| Anthropic | Vision AI | Screenshots (transient) | Annual |
| Google | Gmail API | Email content (transient) | Quarterly |

Vulnerability SLAs

| Severity | Triage | Remediation |
|---|---|---|
| Critical | 4 hours | 24 hours |
| High | 24 hours | 7 days |
| Medium | 48 hours | 30 days |
| Low | 7 days | 90 days |

Infrastructure Providers

The ISMS module uses a factory pattern to create clients based on environment configuration:
```typescript
import {
  createQueueClient,
  createEvidenceClient,
  createAuditClient
} from "@/services/shared/factory";

const { client: queue } = createQueueClient();   // SQS or in-memory
const evidence = createEvidenceClient();          // S3 or in-memory
const audit = createAuditClient();                // Console (replace in prod)
```

| Provider | Dev Mode | Production |
|---|---|---|
| Queue | InMemoryQueueClient | SqsQueueClient (AWS SQS) |
| Evidence | MemoryEvidenceClient | S3EvidenceClient (AWS S3 + KMS) |
| Secrets | EnvSecretsClient | AwsSecretsManagerClient |
| Audit | ConsoleAuditClient | Append-only DynamoDB / RDS |

ISMS Export

The compliance export generates a package for auditors containing the asset register, control matrix with evidence links, risk register, incident log, policy inventory, supplier assessments, vulnerability status, and change management log.
The export contains sensitive security configuration details. Access should be restricted to authorized compliance personnel with explicit admin privileges.