Security Through Transparency and Open Documentation
Demonstrating Security Excellence Through Public ISMS Disclosure
Document Owner: CEO | Version: 2.1 | Last Updated: 2025-11-10 (UTC)
Review Cycle: Annual | Next Review: 2026-11-10
Hack23 AB's core philosophy is that transparency enhances security rather than diminishing it. This document outlines our strategy for making our Information Security Management System (ISMS) public, demonstrating our expertise and building trust, while carefully protecting sensitive information that could introduce risk.
This plan defines what is considered public, what is confidential, and the processes for maintaining our commitment to security through transparency.
James Pether Sörling, CEO/Founder
- Default to Public: Policies, frameworks, and high-level procedures will be public unless a specific, documented risk is identified.
- Demonstrate, Don't Expose: The goal is to showcase our security maturity and processes, not to reveal secrets that could be exploited.
- Redact, Don't Hide: When a document contains a mix of public and sensitive information, we will redact the sensitive parts and publish the rest.
- Clarity and Rationale: The reason for keeping any information confidential will be clearly documented internally.
This table defines the publication status of ISMS documents and the rationale.
| Document / Information Type | Publication Status | Rationale & Redaction Rules |
|---|---|---|
| Core Policies & Frameworks | | |
| Information Security Policy | Public | Demonstrates overall security posture. No sensitive details. |
| Classification Framework | Public | Core to our methodology; showcases our approach to risk. |
| Open Source Policy | Public | Aligns with our open-source philosophy. |
| Style Guide | Public | Shows our commitment to quality and consistency. |
| Operational Policies | | |
| Access Control Policy | Public | High-level policy is public. Specific roles and access lists are confidential. |
| Acceptable Use Policy | Public | Behavioral expectations and usage standards are public. Demonstrates security culture and professional conduct. |
| Physical Security Policy | Public | Home office security framework and device protection standards are public. Specific home addresses are confidential. |
| Cryptography Policy | Public | Approved algorithms and standards are public. Key management procedures are confidential. |
| Secure Development Policy | Public | The framework is public. Specific tool configurations are confidential. |
| Network Security Policy | Public | Network architecture principles are public. Specific configurations are confidential. |
| Change Management | Public | Process framework is public. Specific change details are confidential. |
| Vulnerability Management | Public | Process is public. Active vulnerabilities are confidential. |
| Backup & Recovery Policy | Public | Policy framework is public. Specific procedures are confidential. |
| AI Governance Policy | Public | AI governance framework and EU AI Act compliance are public. AI vendor assessments are confidential. |
| OWASP LLM Security Policy | Public | Comprehensive LLM security framework demonstrating OWASP Top 10 alignment and implementation transparency. Shows foundation strength while clearly identifying future development areas. |
| Threat Modeling Policy | Public | STRIDE methodology and threat assessment framework are public. Specific threat intelligence is confidential. |
| Management & Governance | | |
| Asset Register | Public | Complete asset inventory is public, including all systems, services, and configurations. Only specific credentials, API keys, and account numbers are replaced with [REDACTED]. |
| Risk Register | Public | Complete risk framework and all risks are public. Only specific financial impact values are replaced with [REDACTED]. |
| Third-Party Management | Public | Complete policy framework and all procedures are public. |
| Supplier Security Posture | Public | Complete supplier assessments are public, including all details. Only specific contract pricing and sensitive commercial terms are replaced with [REDACTED]. |
| External Stakeholder Registry | Public | Professional network and regulatory contacts demonstrate stakeholder engagement and compliance readiness. |
| Response & Recovery Plans | | |
| Incident Response Plan | Public | Complete process framework and all procedures are public. |
| Business Continuity Plan | Public | Complete strategies and all recovery procedures are public. |
| Disaster Recovery Plan | Public | Complete architecture and all technical procedures are public. |
| Compliance & Legal | | |
| Compliance Checklist | Public | Demonstrates our commitment to transparency and provides a clear, auditable trail of our compliance posture against key frameworks. |
| Data Classification Policy | Public | The classification levels and handling rules are public. The classification of specific datasets is confidential. |
| Company Documentation | | |
| Aktiebok | Confidential | Share register details are confidential. |
| Annual Accounts | Public | Filed annual reports are public record. |
| Articles of Association | Public | Corporate governance structure is public. |
| Business Plan | Confidential | Financial projections, strategic roadmap, and revenue models are confidential. |
| Business Strategy | Confidential | Strategic plans and business tactics are confidential. |
| Company Information | Confidential | Corporate structure and internal operations are confidential. |
| Copyright Assignment Agreement | Confidential | Legal agreements and IP management are confidential. |
| Information Security Strategy | Public | Strategic security initiatives and competitive security positioning through radical transparency. |
| Marketing Plan | Confidential | Tactical marketing implementation, campaigns, and operational details are confidential. |
| Marketing Strategy | Confidential | Marketing strategies and competitive analysis are confidential. |
| Stakeholders Overview | Confidential | Internal stakeholder alignment and strategic mapping are confidential. |
| Sensitive Information | | |
| Personal Data (CEO, future employees) | Confidential | Per GDPR and privacy best practices. |
| Financial Records & Bank Details | Confidential | Per the Swedish Bookkeeping Act and security best practices. |
| Customer Data | Confidential | Absolute confidentiality is paramount for client trust and GDPR. |
| Active Security Vulnerabilities | Confidential | Public disclosure would be irresponsible. |
| Credentials, API Keys, Tokens | Confidential | Extreme-level confidential data. |
| Risk Exposure Values | Confidential | Specific financial impacts could enable targeted attacks. |
| Supplier Contract Details | Confidential | Commercial terms, costs, and performance details are confidential. |
Hack23 AB practices radical transparency - we publish complete ISMS documents with only specific sensitive values redacted. This demonstrates our security maturity and operational excellence while protecting only the most sensitive information.
What We Publish (Everything):
- Complete processes, procedures, and technical details
- All system configurations, architectures, and operational procedures
- All contact information (roles, escalation paths, response procedures)
- All supplier names, assessments, and security postures
- All risk assessments, risk details, and mitigation strategies
- Complete asset inventories with all systems and services
What We Redact (Minimal):
- Specific credentials, API keys, passwords, tokens
- Specific account numbers and account IDs (replaced with [REDACTED])
- Specific financial impact amounts in risks (e.g., "$1.8M" → [REDACTED])
- Specific contract pricing and commercial terms
- Personal phone numbers and personal email addresses
- Create Internal Version: The complete document is created as the "source of truth."
- Create Public Version: An identical copy is made for public release.
- Apply Minimal Redactions: Only specific sensitive VALUES are replaced with [REDACTED]; structure and content remain intact.
- Review: The CEO reviews to ensure only appropriate values are redacted.
- Publish: The document is published to the public GitHub repository.
- Credentials: `password: "abc123"` becomes `password: [REDACTED]`
- Account Numbers: `Account: 172017021075` becomes `Account: [REDACTED]`
- Financial Risk Values: `ALE: €65,700` becomes `ALE: [REDACTED]`
- Personal Contact: `CEO: +46-XXX-XXX` becomes `CEO: [REDACTED]`
- Contract Pricing: `$50/month` becomes `[REDACTED]/month`
Everything else remains public and unredacted.
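The redaction and review steps above, as an added example that is not Hack23's own tooling: a small Python script that replaces the value patterns the plan lists and then checks that the public copy keeps its structure and carries no leftover sensitive value. The regexes, the keyword list and the sample register excerpt are assumptions modelled on the plan's examples.

```python
import re

# Added example (not Hack23's own tooling). The regexes are assumptions modelled on the
# plan's examples: credentials, account numbers, ALE values, phone numbers, pricing.
REDACTED = "[REDACTED]"
RULES = [
    # Credentials:      password: "abc123"    -> password: [REDACTED]
    (re.compile(r"(?i)\b(password|api[_ -]?key|token|secret)(\s*[:=]\s*)\S+"), rf"\1\2{REDACTED}"),
    # Account numbers:  Account: 172017021075 -> Account: [REDACTED]
    (re.compile(r"(?i)\b(account(?:\s*(?:number|id))?)(\s*[:=]\s*)[A-Za-z0-9-]+"), rf"\1\2{REDACTED}"),
    # Financial risk values: ALE: €65,700 -> ALE: [REDACTED]  (also "$1.8M"-style amounts)
    (re.compile(r"(?i)\b(ALE|SLE|impact)(\s*[:=]\s*)[€$£]?\s?[\d.,]+\s?[KM]?\b"), rf"\1\2{REDACTED}"),
    # Contract pricing: $50/month -> [REDACTED]/month (the unit stays, as in the plan)
    (re.compile(r"[€$£]\s?[\d.,]+(?=\s?/\s?(?:month|year|hour)\b)"), REDACTED),
    # Personal contact: an international phone number -> [REDACTED]
    (re.compile(r"\+\d[\d\- ]{5,}\d"), REDACTED),
]

def redact(internal: str) -> str:
    """Produce the public version: each rule replaces only the sensitive value."""
    public = internal
    for pattern, replacement in RULES:
        public = pattern.sub(replacement, public)
    return public

def review(internal: str, public: str) -> list:
    """The plan's review step: structure unchanged and no sensitive value left behind."""
    labels = lambda doc: re.findall(r"^([^:\n]+):", doc, re.MULTILINE)  # per-line keys
    problems = []
    if internal.count("\n") != public.count("\n"):
        problems.append("line count differs: redaction altered document structure")
    if labels(internal) != labels(public):
        problems.append("labels differ: redaction touched more than values")
    for pattern, _ in RULES:
        for match in pattern.finditer(public):
            if REDACTED not in match.group(0):
                problems.append(f"unredacted value remains: {match.group(0)!r}")
    return problems

# Constructed excerpt of an internal Asset/Risk Register (sample data, not a Hack23 record).
INTERNAL = """\
Service: Example Payment Processor
Account: 172017021075
api_key: sk_live_constructed_example
Contact: CEO +46-70-123 45 67
Risk R-07 phishing; ALE: €65,700; Impact: $1.8M
Subscription: $50/month
Policy owner: CEO (role, stays public)
"""
```

Running `review(INTERNAL, redact(INTERNAL))` returns an empty list, while `review(INTERNAL, INTERNAL)` lists every value the rules would still catch, which is the check a reviewer runs before the push to the public repository.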
- GitHub Public: hack23/ISMS-PUBLIC - Complete public ISMS documentation
- Corporate Website: Links to documentation for client access
- Product Documentation: Specific security architectures for each project
- Citizen Intelligence Agency: https://www.hack23.com/cia-docs.html
- CIA Compliance Manager: https://www.hack23.com/cia-compliance-manager-docs.html
- Black Trigram: https://www.hack23.com/black-trigram-docs.html
- Documents Published: Framework complete with ongoing updates
- Public/Confidential Ratio: Approximately 70% public framework, 30% redacted operational details
- Client Engagement: Documentation views, security inquiries generated
From our comprehensive supplier management approach:
- Cloud Infrastructure: Critical dependency with robust continuity planning
- Development Platforms: High-impact services with documented alternatives
- Financial Services: Regulatory-compliant banking and payment processing
- Supporting Services: Managed risk profile across operational tools
Our systematic approach includes:
- Comprehensive Risk Assessment: Full spectrum risk identification and classification
- Regular Risk Reviews: Ongoing monitoring and reassessment cycles
- Risk Treatment Planning: Appropriate mitigation strategies based on impact analysis
- Continuous Improvement: Regular updates to risk management processes
- Monthly: Review redaction effectiveness and update metrics
- Quarterly: Update publication classifications and risk assessments
- Annually: Complete transparency strategy review
- Ad-hoc: Following security incidents or significant business changes
Document Control:
Approved by: James Pether Sörling, CEO
Distribution: Public
Classification:
Effective Date: 2025-09-22
Next Review: 2026-09-22
Framework Compliance: