Self-Hosted ISO 27001 Position
Password Pusher Pro – Self Hosted Edition
Apnotic, LLC
1. ISO 27001 Context for Self-Hosted Software
ISO 27001 certification applies to an organization's Information Security Management System (ISMS). For Self Hosted Pro, the customer's ISMS—not Apnotic's—governs the deployment.
| ISMS Scope Element | Self Hosted Pro |
|---|---|
| Asset Custodian | Customer owns all data assets |
| Risk Owner | Customer manages information security risks |
| Control Implementation | Customer implements and operates controls |
| ISMS Boundaries | Customer's infrastructure and operations |
2. Apnotic's Role vs. ISO 27001 Requirements
External Party Classification (ISO 27001:2022 Clause 5.20)
ISO 27001 requires organizations to manage information security in relationships with external parties. The classification of Apnotic for Self Hosted Pro:
| Relationship Type | Apnotic Classification |
|---|---|
| Supplier/Provider | ✅ Software vendor |
| Service Provider | ❌ Not applicable – no service delivery |
| Cloud Service Provider (CSP) | ❌ Not applicable – not cloud-hosted |
| Data Processor | ❌ Not applicable – no data processing |
Key Distinction: Apnotic is a software supplier, similar to vendors of operating systems, databases, or other software deployed on-premises.
3. Customer ISMS Responsibilities
Organizations implementing Self Hosted Pro must address the following ISO 27001 controls:
A.5 – Organizational Controls
| Control | Reference | Customer Responsibility |
|---|---|---|
| A.5.20 | Information security in supplier relationships | Classify Apnotic as software supplier; define security requirements |
| A.5.21 | Managing information security in ICT supply chain | Verify container image integrity; secure software distribution |
| A.5.22 | Monitoring and review of supplier services | Monitor own deployment; manage any support interactions |
A.6 – People Controls
| Control | Reference | Customer Responsibility |
|---|---|---|
| A.6.1 | Screening | Background checks for personnel managing deployment |
| A.6.2 | Terms and conditions | Security obligations for administrators |
| A.6.3 | Awareness, education, and training | Training on Password Pusher Pro administration |
A.7 – Physical Controls
| Control | Reference | Customer Responsibility |
|---|---|---|
| A.7.1 | Physical security perimeters | Data center or cloud facility security |
| A.7.2 | Physical entry controls | Access to infrastructure hosting the application |
| A.7.3 | Securing offices and facilities | Physical security of operational environment |
A.8 – Technological Controls
| Control | Reference | Customer Responsibility |
|---|---|---|
| A.8.1 | User endpoint devices | Management of devices accessing Password Pusher |
| A.8.2 | Privileged access rights | Admin account management for Password Pusher |
| A.8.3 | Information access restriction | RBAC configuration within the application |
| A.8.4 | Access to source code | N/A – customer does not have source code access |
| A.8.5 | Secure authentication | SSO/SAML configuration, MFA enforcement |
| A.8.6 | Capacity management | Resource monitoring and scaling |
| A.8.7 | Protection against malware | Container and host security |
| A.8.8 | Vulnerability management | Patch management for deployment |
| A.8.9 | Configuration management | Infrastructure-as-code, change control |
| A.8.10 | Deletion of information | Data retention policy implementation |
| A.8.11 | Data masking | Use of Password Pusher for secure sharing |
| A.8.12 | Data leakage prevention | DLP integration, egress monitoring |
| A.8.13 | Backup | Backup and recovery procedures |
| A.8.14 | Redundancy | High availability configuration |
| A.8.15 | Logging | Audit log configuration and review |
| A.8.16 | Monitoring | Security event monitoring, SIEM integration |
| A.8.17 | Clock synchronization | NTP configuration |
| A.8.18 | Use of privileged utility programs | Administrative tool management |
| A.8.19 | Installation of software on operational systems | Change management for updates |
| A.8.20 | Network security management | Network segmentation, firewall rules |
| A.8.21 | Security of network services | TLS configuration, secure protocols |
| A.8.22 | Segregation of networks | Network isolation if required |
| A.8.23 | Web filtering | Proxy/filter for outbound connections |
| A.8.24 | Use of cryptography | Encryption configuration and key management |
| A.8.25 | Secure development life cycle | N/A – applies to Apnotic, not customer deployment |
| A.8.26 | Application security requirements | Security baseline configuration |
| A.8.27 | Secure system architecture | Secure deployment architecture |
| A.8.28 | Secure coding | N/A – compiled software provided |
| A.8.29 | Security testing | Customer testing of security configuration |
| A.8.30 | Outsourced development | N/A – applies to Apnotic's development practices |
| A.8.31 | Separation of development, test, and production environments | Customer's environment management |
| A.8.32 | Change management | Change control for deployment modifications |
| A.8.33 | Test information | Test data management |
| A.8.34 | Protection of information systems during audit testing | Coordination of any external audits |
4. Statement of Applicability (SoA) Considerations
When documenting Self Hosted Pro in your SoA:
| Consideration | Recommendation |
|---|---|
| Asset Classification | Classify deployment as "Information System – Self-Hosted Application" |
| Risk Assessment | Include risks related to self-managed secure sharing |
| Justification for Exclusion | N/A – all A.8 controls apply to customer deployment |
| Control Implementation | Document how each control is implemented in your environment |
| Supplier Controls | Reference software license agreement with Apnotic |
5. Supplier Security Assessment
For the customer's ISO 27001 supplier management process:
| Assessment Item | Apnotic Self Hosted Pro |
|---|---|
| Supplier Type | Software vendor / Licensor |
| Access to Customer Data | None |
| Access to Customer Systems | None (except by explicit customer grant for support) |
| Security Requirements | Software integrity, secure distribution |
| Assessment Method | License agreement review, container image verification |
| Monitoring Approach | Version tracking, security advisory subscription |
| Right to Audit | Not applicable – no processing of customer information |
6. Third-Party Supplier Chain
Under ISO 27001 A.5.21 (ICT supply chain), customers should understand the software supply chain:
Apnotic (Software Development)
↓
Container Registry (registry.apnotic.com)
↓
Customer Infrastructure (Pull & Deploy)
↓
Customer Operations (Run & Manage)
Customer Actions:
- Verify container image signatures (if provided)
- Scan images for vulnerabilities upon pull
- Maintain inventory of software components
- Subscribe to Apnotic security advisories
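As an added example (not Apnotic's code or tooling), the following Python checks that an image reference used in a deployment is pulled from the expected registry and pinned by sha256 digest, and turns it into a component-inventory record; the image name pwpush-pro and the digest value are constructed placeholders.

```python
"""Digest-pinning check for container image references (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry named on the page; the image name used in tests is a constructed placeholder.
TRUSTED_REGISTRY = "registry.apnotic.com"

# Simplified reference grammar: [registry/]repo[:tag][@sha256:<64 hex>]
_REF_RE = re.compile(
    r"^(?:(?P<registry>(?:[A-Za-z0-9.-]+\.[A-Za-z]+|localhost)(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: Optional[str]
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into its parts; reject anything outside the grammar."""
    m = _REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"not a valid image reference: {ref!r}")
    return ImageRef(m["registry"], m["repo"], m["tag"], m["digest"])


def check_ref(ref: str, trusted_registry: str = TRUSTED_REGISTRY) -> List[str]:
    """Return supply-chain findings for one reference; an empty list means it passes."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry != trusted_registry:
        findings.append(f"registry {img.registry or 'docker.io (implicit)'} is not {trusted_registry}")
    if img.digest is None:
        findings.append("no sha256 digest: tag is mutable, so pulled content cannot be verified")
    if img.tag in (None, "latest"):
        findings.append("no fixed version tag: release cannot be matched to security advisories")
    return findings


def inventory_entry(ref: str) -> dict:
    """Component-inventory record (A.5.21) for a reference that has passed check_ref."""
    img = parse_image_ref(ref)
    return {"supplier": "Apnotic", "image": f"{img.registry}/{img.repo}",
            "version": img.tag, "digest": img.digest}
```

Run check_ref over every image reference in the deployment manifest before a pull; any non-empty result is a change-control finding, and the inventory_entry output is what the component inventory should hold.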
7. For Information Security Teams
Common Question: "Is Apnotic ISO 27001 certified? We need certified vendors."
Response Framework:
Apnotic provides Self Hosted Pro as licensed software for deployment within your ISMS scope. In this model, you implement and operate the information security controls within your certified ISMS. Apnotic is a software supplier, similar to your operating system or database vendors.
ISO 27001 certification of software suppliers is not a standard requirement. What matters is:
1. Your implementation of controls over the software deployment
2. Your management of the supplier relationship per A.5.20
3. Your verification of software integrity per A.5.21
4. Your security testing and configuration of the application
Apnotic's security practices during software development support your assurance needs, but the certification scope covers your ISMS and deployment environment.
Document Version: 1.0
Last Updated: April 2026
Contact: support@apnotic.com | https://apnotic.com