# Soon — Information Security Management System (ISMS)
This repository is the single source of truth for Soon's security policies and our path to ISO/IEC 27001:2022 certification (the primary goal), for the company and the Soon Workforce Management (WFM) SaaS platform. A SOC 2 report may follow later, reusing the same controls and evidence.
Everything is Markdown so it's easy to read, diff, review and process. We prepare and maintain every document through Claude Code — that's the main interface for both Olaf (internal) and Andrea (external consultant). A small script keeps the whole set valid and produces a live register and status dashboard.
- Policies only — never application code or secrets (kept in a separate repo).
- English only. Keep documents lean and practical — we're a small company.
## 1. Quick start (5 minutes)

### What you need once

- Claude Code installed, opened in this repository folder.
- Python 3 + PyYAML (only needed to run the checker locally; CI runs it as well):

  ```bash
  pip install pyyaml
  ```

- Access to the GitHub repo (Olaf invites collaborators; auditors get read-only).

### Your first commands

Open Claude Code in this folder and type:

```text
/isms:status   → see where everything stands right now
/isms:gap      → see what's missing for ISO 27001, prioritised
```

That's it. You don't need to know git — Claude Code does the file work for you.
## 2. The everyday workflow

We do almost everything through eight commands. Type them in Claude Code:

| Command | Use it to… |
|---|---|
| `/isms:status` | Rebuild the register/dashboard, validate, and summarise progress |
| `/isms:gap [iso\|soc2]` | Find missing controls/documents, prioritised (defaults to ISO) |
| `/isms:new <id> "<title>"` | Create a new document in the right place (e.g. the Statement of Applicability) |
| `/isms:draft <control/doc>` | Turn a raw template into a Soon-specific draft |
| `/isms:review <doc>` | Pressure-test a document the way an auditor will |
| `/isms:approve <doc>` | Record owner sign-off (status → approved, review date set) |
| `/isms:evidence <control>` | Verify a policy against the real app/infra (run in that repo) |
| `/isms:meeting` | Prep the weekly Thursday 13:00 CEST session |

A typical document goes: `/isms:draft` → answer the `TODO(owner:)` questions → `/isms:review` → fix → `/isms:approve`. Only approved documents count toward certification.
Prefer not to use Claude Code for a quick edit? You can edit any file directly on GitHub in the browser — see CONTRIBUTING.md. The commands just make it faster and consistent.
## 3. Browse it as a website (optional, nice for reading & auditors)

The repo is readable as-is on GitHub, but you can also render it as a searchable site:

```bash
pip install -r requirements-docs.txt   # once
python3 tools/site.py serve            # → http://127.0.0.1:8000
```

In Claude Code you can just run `/isms:site`. To host it privately behind a login (Cloudflare Pages + Access — good for sharing read-only with an external auditor), see docs/_reference/hosting-and-deploy.md.
## 4. Where everything is
| If you want to… | Go to |
|---|---|
| Understand how we run this repo | MASTERPLAN.md |
| See the certification plan, timeline & every document we need | ROADMAP.md |
| See the live list of all documents | REGISTER.md (auto-generated) |
| See progress, % approved, overdue reviews | STATUS.md (auto-generated) |
| Understand what Soon is (context & ISMS scope) | docs/04-context/ISMS-04-01-context-and-scope.md |
| Learn how to contribute | CONTRIBUTING.md |
| See rules for AI assistants | AGENTS.md (Claude Code reads this) |
| Read the customer-facing security summary | docs/_reference/soon-security-overview.md |
## 5. Repository layout

```text
.
├── README.md                 # you are here — how to use the repo
├── MASTERPLAN.md             # operating model: how Olaf + Andrea run this via Claude Code
├── ROADMAP.md                # certification plan + every document we need (with status)
├── REGISTER.md               # live list of all documents ← auto-generated
├── STATUS.md                 # progress dashboard ← auto-generated
├── AGENTS.md                 # canonical instructions for AI assistants
├── CLAUDE.md                 # pointer to AGENTS.md (Claude Code entry point)
├── CONTRIBUTING.md           # how to write/edit (incl. browser-only workflow)
│
├── docs/                     # the ISMS, organised by ISO 27001 structure
│   ├── 04-context/           # Clause 4 — context & scope ✅ authored
│   ├── 05-leadership/        # Clause 5 — policy, roles, leadership
│   ├── 06-planning/          # Clause 6 — objectives, risk, Statement of Applicability
│   ├── 07-support/           # Clause 7 — competence, comms, documented information
│   ├── 08-operation/         # Clause 8 — operational planning & change
│   ├── 09-performance/       # Clause 9 — monitoring, internal audit, management review
│   ├── 10-improvement/       # Clause 10 — nonconformity & corrective action
│   ├── annex-a/              # Annex A controls: A5 Org · A6 People · A7 Physical · A8 Tech
│   ├── _templates/           # the document template to copy
│   └── _reference/           # security overviews, asset lists, source logs
│
├── .claude/commands/isms/    # the /isms:* slash commands
├── prompts/                  # the same task prompts, for any AI tool
├── tools/isms.py             # build (register + dashboard) & check (validation)
├── .github/workflows/        # CI: validates docs on every change
└── source/                   # original .docx / .xlsx files (archived, read-only)
```
## 6. Document status legend
Used in REGISTER.md and STATUS.md:
- 📝 template — converted from a template, not yet tailored to Soon
- ✏️ draft — being written
- 👀 in-review — ready for the Thursday review
- ✅ approved — signed off by the owner; counts toward certification
- 🗄️ superseded / ➖ not-applicable — with justification
The authoritative plan and to-do list live in ROADMAP.md.
## 7. Behind the scenes (good to know, not required)

- Each document carries a YAML front-matter header (id, owner, status, version, control mappings, review dates, evidence). That metadata is what powers the register and dashboard.
- `python3 tools/isms.py build` regenerates REGISTER.md and STATUS.md; `python3 tools/isms.py check` validates the repo (the commands run these for you).
- GitHub Actions runs the validator on every pull request and fails if the register is out of date — so nothing silently rots.
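The kind of check the front matter makes possible, shown as an added example written for this README. It is not the repo's `tools/isms.py` and does not claim to match it: the key names `id`, `owner`, `status`, `version`, `review_date` and `justification` are assumptions (the README only lists the fields loosely), the status values come from the legend in section 6, and the sample documents below are constructed. The approach mirrors what the CI gate needs: reject a document with a missing field, an unknown status, or a superseded/not-applicable status without a justification, and flag approved documents whose review date has passed.

```python
"""Front-matter validator and dashboard numbers for ISMS documents.

Added illustrative example; not the repository's own tools/isms.py.
Assumed keys (not spelled out in the README): id, owner, status,
version, review_date (ISO date) and, for superseded / not-applicable
documents, justification.
"""
import datetime as dt
import re

try:
    import yaml  # PyYAML, the prerequisite the README names
except ImportError:  # fall back to a tiny flat key: value parser so this runs offline
    yaml = None

# Status values from the legend in section 6 of the README.
STATUSES = {"template", "draft", "in-review", "approved", "superseded", "not-applicable"}
REQUIRED = ("id", "owner", "status", "version", "review_date")   # assumed key names
NEEDS_JUSTIFICATION = {"superseded", "not-applicable"}
FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)


def _parse_yaml(text):
    """Parse the header; the fallback handles only flat `key: value` lines."""
    if yaml is not None:
        return yaml.safe_load(text) or {}
    data = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith((" ", "-")):
            key, _, value = line.partition(":")
            data[key.strip()] = value.strip().strip('"')
    return data


def _as_date(value):
    """PyYAML yields datetime.date for bare dates; the fallback yields strings."""
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(str(value))


def parse_front_matter(markdown):
    """Return the YAML header as a dict, or None if the document has none."""
    match = FRONT_MATTER.match(markdown)
    return _parse_yaml(match.group(1)) if match else None


def check_document(markdown, today):
    """Return a list of problems; an empty list means the document passes."""
    meta = parse_front_matter(markdown)
    if meta is None:
        return ["missing front matter"]
    if not isinstance(meta, dict):
        return ["front matter is not a mapping"]
    problems = [f"missing field: {key}" for key in REQUIRED if key not in meta]
    status = meta.get("status")
    if status not in STATUSES:
        problems.append(f"unknown status: {status!r}")
    if status in NEEDS_JUSTIFICATION and not meta.get("justification"):
        problems.append(f"status {status} requires a justification")
    if "review_date" in meta:
        try:
            # Assumption: only approved documents are on a review cycle.
            if status == "approved" and _as_date(meta["review_date"]) < today:
                problems.append("review overdue")
        except ValueError:
            problems.append("review_date is not an ISO date")
    return problems


def build_status(docs, today):
    """Dashboard numbers: per-status counts, % approved, overdue document ids."""
    counts = {status: 0 for status in STATUSES}
    overdue = []
    for markdown in docs:
        meta = parse_front_matter(markdown) or {}
        if meta.get("status") in counts:
            counts[meta["status"]] += 1
        if "review overdue" in check_document(markdown, today):
            overdue.append(meta.get("id"))
    total = sum(counts.values())  # assumption: % is over all documents with a valid status
    percent = round(100 * counts["approved"] / total) if total else 0
    return {"counts": counts, "percent_approved": percent, "overdue": overdue}


# Constructed sample documents with hypothetical ids; not real ISMS content.
SAMPLE_DOCS = [
    "---\nid: EX-01\nowner: Olaf\nstatus: approved\nversion: 1.0\nreview_date: 2026-01-15\n---\n# Ok\n",
    "---\nid: EX-02\nowner: Olaf\nstatus: approved\nversion: 1.2\nreview_date: 2025-03-01\n---\n# Overdue\n",
    "---\nid: EX-03\nowner: Andrea\nstatus: not-applicable\nversion: 0.1\nreview_date: 2026-01-01\n---\n# No why\n",
    "---\nid: EX-04\nowner: Olaf\nstatus: drafty\nversion: 0.1\n---\n# Typo and missing date\n",
]
TODAY = dt.date(2025, 6, 1)  # fixed "today" so the sample is reproducible

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(parse_front_matter(doc)["id"], check_document(doc, TODAY) or "ok")
    print(build_status(SAMPLE_DOCS, TODAY))
```

With the constructed samples, `EX-01` passes, `EX-02` is reported as overdue, `EX-03` is rejected for lacking a justification, and `EX-04` fails on both the typo in its status and the missing review date; the dashboard numbers count two of three valid documents as approved. A CI job that exits non-zero when any document returns problems is what turns this into the gate the README describes.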
## 8. Context in one paragraph
Soon is a privately-held HRTech company (founded 2019) providing a cloud-based Workforce Management SaaS — scheduling, time & attendance, leave management, and AI-powered forecasting/auto-scheduling. It runs on AWS (eu-west-1, Ireland) with all customer data resident in the EU, operates as a GDPR data processor, and is delivered by a small, fully-remote team. The ISMS scope covers development, operation and support of that platform and its supporting cloud infrastructure. Full detail in the Context & Scope.