Certifications

ISO/IEC 27001:2022

Doctena operates an ISO/IEC 27001:2022 certified Information Security Management System covering the Software Factory and supporting corporate functions. This page documents the scope, the Statement of Applicability, the applied policies, the Annex A controls and the audit cadence.

Last reviewed
Next review
Owner: Information Security Office
Version: 1.1.0

At a glance

Standard: ISO/IEC 27001:2022
Certified since: January 2023
Statement of Applicability: v1.0 · 28 August 2025
Audit cadence: Annual + on-change

Scope of certification

The Information Security Management System (ISMS) certified scope covers the Software Factory teams and the corporate functions that materially support them:

  • Software Factory — software development, cloud operations, product management, customer support.
  • Corporate functions — general management, information security, internal IT, sales, marketing, finance, human resources, legal, compliance — within the scope of Software Factory processes.

Scope statement (verbatim from the certificate): "Design, development, operation and customer support of the Doctena appointment-booking platform and related services, including the supporting corporate functions, in accordance with the Statement of Applicability v1.0 dated 2025-08-28."

Within that scope, the ISMS covers the platform's hosting on Amazon Web Services Frankfurt, the four logical environments (Production, Staging, Demo and Test), the development tooling chain, the endpoint estate (laptops) and the identity provider.

Statement of Applicability

The current Statement of Applicability is v1.0, approved on 28 August 2025 by the Information Security Steering Committee. It maps every Annex A control of ISO/IEC 27001:2022 to a decision (Applicable / Not Applicable) with a justification, the controlling document, the responsible owner and the implementation status.

The SoA is reviewed at least annually and whenever a material change affects the scope. A redacted version is available to customers on request, under NDA, by emailing privacy@doctena.com.

Applied policies

The ISMS rests on a documented set of policies, all owned by the Information Security Office and approved by the steering committee. Each policy is reviewed annually or on material change.

  • Information Security Policy
  • Data Protection (GDPR) Policy
  • Acceptable Use Policy
  • Access Control Policy
  • Data Classification Policy
  • Audit Logging and Monitoring Policy
  • Logging Review Policy
  • Acceptable Encryption Policy
  • Data Transfer Policy
  • Change Management Policy
  • Secure Development Policy
  • Threat and Vulnerability Management Policy
  • Password Policy
  • Remote Access Policy
  • Physical Access Policy
  • Incident Management Policy
  • Supplier Security Policy
  • Business Continuity Policy
  • Code of Conduct
  • Backup and Recovery Policy

Annex A controls

Doctena's SoA marks the great majority of the 93 controls in Annex A of ISO/IEC 27001:2022 as applicable. The control families and the most-cited controls within each are summarised below.

A.5 Organisational

  • Information security policies (A.5.1)
  • Information security roles and responsibilities (A.5.2)
  • Segregation of duties (A.5.3)
  • Threat intelligence (A.5.7)
  • Information security in project management (A.5.8)
  • Asset management and acceptable use (A.5.9–A.5.10)
  • Supplier relationships (A.5.19–A.5.23)
  • Information security incident management (A.5.24–A.5.28)
  • Information security during disruption (A.5.29)
  • Privacy and PII protection (A.5.34)

A.6 People

  • Background screening (A.6.1)
  • Terms and conditions of employment (A.6.2)
  • Information security awareness, education and training (A.6.3)
  • Disciplinary process (A.6.4)
  • Remote working (A.6.7)
  • Information security event reporting (A.6.8)

A.7 Physical

  • Physical security perimeter (A.7.1)
  • Physical entry controls (A.7.2)
  • Securing offices, rooms and facilities (A.7.3)
  • Clear desk and clear screen (A.7.7)
  • Equipment maintenance (A.7.13)

A.8 Technological

  • User endpoint devices (A.8.1)
  • Privileged access rights (A.8.2)
  • Information access restriction (A.8.3)
  • Source code access (A.8.4)
  • Secure authentication and MFA (A.8.5)
  • Capacity management (A.8.6)
  • Protection against malware (A.8.7)
  • Management of technical vulnerabilities (A.8.8)
  • Configuration management (A.8.9)
  • Information deletion (A.8.10)
  • Data masking and pseudonymisation (A.8.11)
  • Data leakage prevention (A.8.12)
  • Information backup (A.8.13)
  • Logging, monitoring activities and clock synchronisation (A.8.15–A.8.17)
  • Use of cryptography (A.8.24)
  • Secure development lifecycle (A.8.25–A.8.29)
  • Outsourced development (A.8.30)

Internal and external audits

Doctena conducts an annual internal audit against the ISO 27001:2022 standard and the SoA, performed by an independent third party, and additional audits when a material change to the ISMS or to the scope warrants it.

Non-conformities, observations and improvement opportunities are recorded in the corrective-action register, allocated owners, and tracked through to closure with evidence. The register is reviewed at every steering committee.

Surveillance audits and recertification audits are performed on the cadence imposed by our certification body. The most recent recertification confirmed coverage of the :2022 edition.

Penetration testing

We commission an external penetration test of the production infrastructure and applications at least once a year, plus a focused test whenever a significant architectural change goes live. The 2025 annual test was performed by a recognised IT security firm; findings were remediated and validated before publication of the SoA v1.0.

A redacted executive summary of the most recent test is available to customers under NDA on request.

Continual improvement

ISO 27001 is a management system, not a checklist. Every quarter the steering committee reviews:

  • Status of the risk register and treatment plans.
  • Status of the corrective-action register from audits and incidents.
  • Status of training and awareness initiatives.
  • Sub-processor reviews and new supplier risk assessments.
  • Security objectives and KPIs (vulnerability remediation SLA, MFA coverage, phishing simulation results).

Certificate and verification

The current certificate PDF is available for download. The certificate names the certification body, the certificate number and the validity window. A PDF on its own is not proof of a current certificate: before relying on it, check the certificate number and validity window against the certification body's online register (the QR code printed on the certificate is the starting point for that lookup) and confirm that the scope statement shown there matches the one quoted above.

Customers under NDA can additionally request:

  • The Statement of Applicability v1.0 (redacted for confidentiality).
  • The current Information Security Policy.
  • A summary of the latest penetration-test results.

Email privacy@doctena.com with the organisation requesting access and we will respond within two business days.

ISO 27001:2022 — held by Doctena S.A. and all six entities within the certified scope.