Security Through Transparency and Open Documentation
Demonstrating Security Excellence Through Public ISMS Disclosure
Document Owner: CEO | Version: 1.0 | Last Updated: 2025-08-14 (UTC)
Review Cycle: Annual | Next Review: 2026-08-14
Hack23 AB's core philosophy is that transparency enhances security rather than diminishing it. This document outlines our strategy for making our Information Security Management System (ISMS) public, demonstrating our expertise and building trust, while carefully protecting sensitive information that could introduce risk.
This plan defines what is considered public, what is confidential, and the processes for maintaining our commitment to security through transparency.
— James Pether Sörling, CEO/Founder
- Default to Public: Policies, frameworks, and high-level procedures will be public unless a specific, documented risk is identified.
- Demonstrate, Don't Expose: The goal is to showcase our security maturity and processes, not to reveal secrets that could be exploited.
- Redact, Don't Hide: When a document contains a mix of public and sensitive information, we will redact the sensitive parts and publish the rest.
- Clarity and Rationale: The reason for keeping any information confidential will be clearly documented internally.
This table defines the publication status of ISMS documents and the rationale.
| Document / Information Type | Publication Status | Rationale & Redaction Rules |
|---|---|---|
| 🔐 Core Policies & Frameworks | ||
| 🔐 Information Security Policy | ✅ Public | Demonstrates overall security posture. No sensitive details. |
| 🏷️ Classification Framework | ✅ Public | Core to our methodology; showcases our approach to risk. |
| 🔓 Open Source Policy | ✅ Public | Aligns with our open-source philosophy. |
| 📐 Style Guide | ✅ Public | Shows our commitment to quality and consistency. |
| 🛠️ Operational Policies | ||
| 🔑 Access Control Policy | ✅ Public | High-level policy is public. Specific roles and access lists are confidential. |
| 🔒 Cryptography Policy | ✅ Public | Approved algorithms and standards are public. Key management procedures are confidential. |
| 🛠️ Secure Development Policy | ✅ Public | The framework is public. Specific tool configurations are confidential. |
| 🌐 Network Security Policy | ✅ Public | Network architecture principles public. Specific configurations confidential. |
| 📝 Change Management | ✅ Public | Process framework public. Specific change details confidential. |
| 🔍 Vulnerability Management | ✅ Public | Process public. Active vulnerabilities confidential. |
| 💾 Backup & Recovery Policy | ✅ Public | Policy framework public. Specific procedures confidential. |
| 📋 Management & Governance | ||
| 💻 Asset Register | Public version lists asset categories (e.g., "Cloud Services," "SaaS Platforms"). Specific account details, credentials, and configurations are CONFIDENTIAL. | |
| 📉 Risk Register | The framework and risk categories are public. Specific risk details, financial impacts, and vulnerabilities are CONFIDENTIAL. | |
| 🔗 Third-Party Management | Policy framework is public. Specific supplier assessments confidential. | |
| 🏢 Supplier Security Posture | Generic supplier examples and assessment methodology public. Specific supplier details and contracts are CONFIDENTIAL. | |
| 🚨 Response & Recovery Plans | ||
| 🚨 Incident Response Plan | The process framework is public. Specific contact details, technical procedures, and escalation paths are CONFIDENTIAL. | |
| 🔄 Business Continuity Plan | High-level strategies are public. Specific recovery steps, contact lists, and operational details are CONFIDENTIAL. | |
| 🆘 Disaster Recovery Plan | The architecture overview is public. Detailed recovery procedures, system configurations, and technical details are CONFIDENTIAL. | |
| 📊 Compliance & Legal | ||
| ✅ Compliance Checklist | The frameworks we align with are public. The detailed status and compliance gaps are CONFIDENTIAL to prevent targeted attacks. | |
| 🏷️ Data Classification Policy | ✅ Public | The classification levels and handling rules are public. The classification of specific datasets is confidential. |
| 🏢 Company Documentation | ||
| 🏢 Company Information | ❌ Confidential | Corporate structure and internal operations. |
| 📈 Marketing Strategy | ❌ Confidential | Marketing strategies and competitive analysis. |
| 📊 Business Strategy | ❌ Confidential | Strategic plans and business tactics confidential. |
| 📑 Articles of Association | ✅ Public | Corporate governance structure public. |
| 📊 Aktiebok | ❌ Confidential | Share register details confidential. |
| 📊 Annual Accounts | ✅ Public | Filed annual reports are public record. |
| ❌ Sensitive Information | ||
| Personal Data (CEO, future employees) | ❌ Confidential | Per GDPR and privacy best practices. |
| Financial Records & Bank Details | ❌ Confidential | Per Swedish Bookkeeping Act and security best practices. |
| Customer Data | ❌ Confidential | Absolute confidentiality is paramount for client trust and GDPR. |
| Active Security Vulnerabilities | ❌ Confidential | Public disclosure would be irresponsible. |
| Credentials, API Keys, Tokens | ❌ Confidential | Extreme-level confidential data. |
| Risk Exposure Values | ❌ Confidential | Specific financial impacts could enable targeted attacks. |
| Supplier Contract Details | ❌ Confidential | Commercial terms, costs, and performance details. |
- Create Internal Version: The complete, unredacted document is created and stored in a secure, internal repository. This is the "source of truth."
- Create Public Version: A copy of the document is made for public release.
- Apply Redactions: Based on the table above, sensitive information is removed or replaced with generic descriptions (e.g.,
[REDACTED],[Generic Example],[Representative Values]). - Review: The public version is reviewed by the CEO to ensure no sensitive information remains.
- Publish: The sanitized version is published to the public GitHub repository.
- Financial Data: Replace specific costs with ranges or generic examples (e.g., "$50K+" becomes "High switching costs")
- Risk Exposure: Remove specific dollar amounts, keep relative severity (e.g., "Critical risk" without "$1.8M exposure")
- Supplier Details: Use generic examples instead of actual supplier names and contracts
- Technical Details: Remove IP addresses, account IDs, specific configurations
- GitHub Public: hack23/ISMS-PUBLIC - Complete public ISMS documentation
- Corporate Website: Links to documentation for client access
- Product Documentation: Specific security architectures for each project
- CIA Platform: https://www.hack23.com/cia-docs.html
- CIA Compliance Manager: https://www.hack23.com/cia-compliance-manager-docs.html
- Black Trigram: https://www.hack23.com/black-trigram-docs.html
- Documents Published: Framework complete with ongoing updates
- Public/Confidential Ratio: Approximately 70% public framework, 30% redacted operational details
- Client Engagement: Documentation views, security inquiries generated
From our comprehensive supplier management approach:
- Cloud Infrastructure: Critical dependency with robust continuity planning
- Development Platforms: High-impact services with documented alternatives
- Financial Services: Regulatory-compliant banking and payment processing
- Supporting Services: Managed risk profile across operational tools
Our systematic approach includes:
- Comprehensive Risk Assessment: Full spectrum risk identification and classification
- Regular Risk Reviews: Ongoing monitoring and reassessment cycles
- Risk Treatment Planning: Appropriate mitigation strategies based on impact analysis
- Continuous Improvement: Regular updates to risk management processes
- Monthly: Review redaction effectiveness and update metrics
- Quarterly: Update publication classifications and risk assessments
- Annually: Complete transparency strategy review
- Ad-hoc: Following security incidents or significant business changes
Document Control:
Approved by: James Pether Sörling, CEO
Distribution: Public
Classification:
Effective Date: 2025-08-14
Next Review: 2026-08-14
Framework Compliance: 
