Security

AIQCAT operates an information security management system (ISMS) aligned with ISO/IEC 27001. Certification is being pursued.

ISO/IEC 27001

ISMS in operation, certification in process.

AIQCAT operates an ISMS aligned with the ISO/IEC 27001 control set, in active use across access control, change management, supplier risk, incident response, and business continuity. A formal certification audit is being arranged with an accredited certification body.

ISO/IEC 27001 — aligned · Certification — in process · GDPR / UK GDPR / APPI

Dual Frontier AI · Defense

Two frontier AIs — OpenAI and Anthropic — guarding your data.

Powered by · OpenAI

OpenAI Trusted Access for Cyber (TAC) Enterprise · GPT-5.5

OpenAI’s cyber-defense-hardened stack. AIQCAT runs GPT-5.5, cleared through the rigorous vetting of the enterprise “Trusted Access for Cyber” program adopted by global leaders such as JPMorgan Chase and NVIDIA.

OpenAI announcement (May 7, 2026)

Powered by · Anthropic

Claude Security Opus 4.8

Anthropic’s vulnerability-scanning stack. A current best-in-class reasoning model — adopted by leading security firms such as Microsoft Security and CrowdStrike — guards your data.

Anthropic announcement (April 30, 2026)

Based on each company’s official announcements.


ISO conformance map

Our AI vulnerability-response pipeline, mapped to ISO.

Every step of the autonomous vulnerability-response pipeline maps to controls in ISO/IEC 27001:2022 and ISO/IEC 42001:2023. Dynamic and static analysis verify each change, and the remediation itself is handled by both GPT TAC and Claude Code Security.

| # | Step | Owner | Type | ISO/IEC 27001:2022 | ISO/IEC 42001:2023 |
|---|------|-------|------|--------------------|--------------------|
| 1 | Threat-intel acquisition | AI | Intelligence gathering | A.5.7 · A.8.8 | A.7.3 · A.6.2.6 |
| 2 | Error detection & triage | GPT TAC | Dynamic analysis | A.8.16 · A.8.8 | A.6.2.6 |
| 3 | Penetration testing | GPT TAC (GPT-5.5-Cyber) | Dynamic verification | A.8.29 · A.8.8 | A.6.2.4 |
| 4 | Static analysis (SAST) | Claude Code Security | Static verification | A.8.28 · A.8.29 | A.6.2.4 |
| 5 | Fix-code generation & implementation | GPT TAC / Claude Code Security | Implementation | A.8.28 · A.8.25 | A.6.2.5 |
| 6 | Push / deploy | CI/CD | Change | A.8.32 · A.8.19 | A.6.2.5 |
| 7 | Audit trail | System | Log | A.8.15 · A.8.16 | A.6.2.8 |
| 8 | Anomaly detection & alerting | Monitoring | Notification | A.8.16 · A.5.25 · A.6.8 | A.6.2.6 · A.8.4 |

Cross-cutting (all steps): ISO/IEC 27001 A.5.14 (Information transfer) · A.5.23 (Cloud services) · A.5.24 (Incident-management planning); ISO/IEC 42001 A.3.2 (AI roles & responsibilities) · A.10 (Third-party & customer relationships). Control titles refer to each standard's Annex A.


Controls

What we operate.

Encryption in transit

TLS 1.3 with HSTS and modern cipher suites only.

Encryption at rest

AES-256 with per-tenant envelope encryption.

Identity & access

SSO (SAML 2.0, OIDC). MFA required for administrative access.

Network

Private cloud per tenant tier; no public ingress to the grading environment.

Logging & monitoring

Centralised logging with immutable audit trails retained 12 months.

Vulnerability management

Continuous scanning; critical issues patched on a defined SLA.

Endpoint

Managed devices with mandatory disk encryption.

Personnel

Background checks and annual security training for all staff.

Incident response

If something goes wrong.

AIQCAT operates a documented incident-response plan with a severity rubric. Confirmed data-exposure events are notified to affected customers without undue delay, followed by a root-cause report.

T1 · Critical

Confirmed data exposure or material integrity event — immediate mobilisation and prompt customer notification.

T2 · High

Availability degradation or near-miss — notification and a published post-incident review.

T3 · Standard

Operational issue with no customer-data impact — tracked in the operations digest.

Responsible disclosure

Report a vulnerability.

Researchers acting in good faith are protected under the AIQCAT safe-harbour policy. Submit findings to security@aiqcat.org; we acknowledge within one business day and credit qualifying reports.