ISO/IEC 27001 Information Security
Anadea's information security practices are designed in alignment with ISO/IEC 27001:2022, the international standard for managing information security. Our Information Security Management System is currently undergoing the formal certification audit, covering the development of custom software and AI solutions. This page explains what the standard requires, where we stand, and how to request written confirmation directly from our team.
Where Anadea stands today
We have built our information security practices around the full set of ISO/IEC 27001:2022 requirements and operate in line with them across our engagements. The certification audit (the independent, staged assessment that results in a formal certificate) is underway.
Until that audit concludes, we describe our status precisely: we conform to the standard's criteria and are completing certification, rather than claiming a certificate we have not yet been issued. We would rather be accurate about this than overstate it.
The certification is being issued to our main operating legal entity, Anahoret SL. The scope of our Information Security Management System (ISMS) comprehensively covers our key operational nodes: our offices (sites) in Spain and Ukraine, as well as our fully remote personnel working under the Spanish entity. This ensures that no matter where your dedicated team is located, their workflows and data handling adhere to the same strict security protocols.
If your procurement or security team needs written confirmation of our current status, we can provide it on request.
What ISO/IEC 27001 actually requires
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS) – the documented set of policies, processes, and controls an organization uses to manage information security risk. Clauses 4 to 10 contain the mandatory requirements an organization must comply with to achieve certification, and they are the focus of the audit. Alongside them sits Annex A, a reference set of 93 security controls an organization selects from based on its own risk assessment.
The mandatory clauses break down as follows.
Context of the organization (Clause 4)
The standard requires an organization to define why it handles information, what data it manages, and the scope its ISMS covers. An auditor can only assess an ISMS once they understand its goals – so the scope and purpose have to be documented before anything else is judged.
Leadership (Clause 5)
Accountability for information security has to sit with senior management, not be delegated downward as a purely technical task. Leadership is responsible for the security policy, for assigning roles, and for backing the ISMS with real resources.
Planning (Clause 6)
This is the core of the system. The organization runs a documented risk assessment, decides how to treat each risk, and records the results in a Statement of Applicability that justifies which Annex A controls apply and why. The 2022 revision reduced Annex A to 93 controls grouped into four themes – organizational, people, physical, and technological.
Support (Clause 7)
Covers the resources behind the ISMS: competent people, documented information, internal awareness, and controlled communication. Staff have to know their security responsibilities, and that knowledge has to be demonstrable.
Operation (Clause 8)
The point where policy becomes practice. The organization carries out its risk treatment plan and keeps records showing the controls operate as intended – not just that they exist on paper.
Performance evaluation (Clause 9)
The ISMS has to be measured. This clause requires monitoring, internal audits, and formal management reviews so the organization can show its controls are effective, not merely present.
Improvement (Clause 10)
When something falls short, it has to be corrected and the root cause addressed. The standard treats an ISMS as a system that is maintained and improved over time, which is also why certification is followed by recurring surveillance audits.
Why ISO/IEC 27001 matters to our clients
For most enterprise and regulated clients, ISO/IEC 27001 conformance is a procurement requirement rather than a nice-to-have. Maintaining the standard is particularly relevant for regulated industries, SaaS providers with enterprise customers, and global organizations handling sensitive data.
The systems we build process sensitive financial, real estate, and personal data at scale. Aligning our internal practices to ISO/IEC 27001 means the way we handle your information, manage access, and respond to incidents is governed by a documented, auditable framework.
Whether we develop your custom software or AI solutions from our offices in Spain and Ukraine, or via our secure remote infrastructure, the entire lifecycle is protected. Our ISO/IEC 27001 compliance extends explicitly to remote work environments and distributed teams, ensuring seamless, borderless security for your intellectual property.
Request confirmation of our status
Anadea is working toward ISO/IEC 27001 certification. If your procurement or legal team requires formal confirmation, we can provide an official "Confirmation of ISO certification" statement on behalf of Anahoret SL (Anadea) detailing our current audit status.
Please contact us and we will share this documentation directly with your team, under NDA where required.