No. | Control | Applicable? | Implementation / Justification |
--- | --- | --- | --- |
8.1 | User endpoint devices | Yes | No central MDM; users follow standard endpoint hygiene practices (OS auto-updates, default full-disk encryption). |
8.2 | Privileged access rights | Yes | Root privileges restricted to a small set of predefined users; other access assigned per-system and no unapproved root rights granted. |
8.3 | Information access restriction | Yes | Role-based access controls enforced across production systems and SaaS tools to uphold least-privilege. |
8.4 | Access to source code | Yes | GitHub repos restricted to authorised engineers with MFA; branch protection and PR review required. |
8.5 | Secure authentication | Yes | Google SSO used; MFA currently optional (not enforced for all accounts) – improvement roadmap item. |
8.6 | Capacity management | Yes | Cloud resource metrics monitored; autoscaling & capacity planning processes ensure sufficient capacity. |
8.7 | Protection against malware | Yes | EDR agents installed on laptops; container images scanned for vulnerabilities and malware in CI pipeline. |
8.8 | Management of technical vulnerabilities | Yes | Vulnerability scans run every 2 months; remediation timelines follow defined SLAs (critical ≤72 h, high ≤14 days). |
8.9 | Configuration management | Yes | TODO – adopt Infrastructure-as-Code for standardised secure configs. |
8.10 | Information deletion | Yes | Data deletion via cloud lifecycle policies and crypto-shredding; retention periods defined in policies. |
8.11 | Data masking | Yes | TODO – implement masking/anonymisation of PII in non-production environments. |
8.12 | Data leakage prevention | Yes | TODO – evaluate and implement DLP controls in Google Workspace and cloud storage. |
8.13 | Information backup | Yes | Backups run per policy; restore tests performed every 2 months to verify integrity. |
8.14 | Redundancy of information processing facilities | Yes | TODO – implement multi-region/zone redundancy and automated failover for critical services. |
8.15 | Logging | Yes | Logs from production systems are centralised to cloud SIEM; tamper-evident storage with alerting on anomalies and defined retention. |
8.16 | Monitoring activities | Yes | SIEM alerts forwarded to Better Stack; SRE/Security teams review dashboards and investigate alerts 24/7. |
8.17 | Clock synchronisation | Yes | Cloud and endpoint systems synchronise via NTP to reliable time sources (Google time service). |
8.18 | Use of privileged utility programs | Yes | Only authorised SREs may execute privileged utilities; usage is logged and reviewed. |
8.19 | Installation of software on operational systems | Yes | Installation controlled via infrastructure-as-code and immutable containers; direct installs prohibited. |
8.20 | Network security | Yes | VPC firewall rules, AWS WAF, and zero-trust TLS connections secure network traffic. |
8.21 | Security of network services | Yes | Third-party network services assessed for encryption and SLA; connections restricted to secure protocols. |
8.22 | Segregation of networks | Yes | Production, staging, and development VPCs are logically separated with firewall segmentation. |
8.23 | Web filtering | TODO | Evaluate implementation of web filtering for malicious sites/phishing protection. |
8.24 | Use of cryptography | Yes | TLS 1.2+ in transit; AES-256 at rest with CMEK; key management via cloud KMS. |
8.25 | Secure development life cycle | Yes | Secure coding guidelines, threat modelling, and security reviews integrated into SDLC. |
8.26 | Application security requirements | Yes | OWASP ASVS used to define security requirements captured in user stories/tickets. |
8.27 | Secure system architecture & engineering principles | Yes | Microservice architecture follows least-privilege, defense-in-depth, and zero-trust principles. |
8.28 | Secure coding | Yes | Developers trained on OWASP Top 10; static analysis and linters enforced in CI. |
8.29 | Security testing in development & acceptance | Yes | Automated SAST/DAST in CI/CD; annual third-party penetration tests. |
8.30 | Outsourced development | No (N/A) | Clerk.io does not outsource software development. |
8.31 | Separation of development, test & production environments | Yes | Separate cloud projects/environments with restricted access and data segregation. |
8.32 | Change management | Yes | GitHub pull-request workflow with peer review and automated deployments enforces change control. |
8.33 | Test information | Partial | TODO – implement consistent use of anonymised or synthetic data in tests (linked to 8.11). |
8.34 | Protection of information systems during audit & testing | Yes | Audit scans and testing are scheduled and isolated to avoid production impact; backups in place. |