Purpose
This register defines Maelstrom AI’s measurable information security objectives as required by ISO 27001:2022 Clause 6.2. Each objective is specific, measurable, and aligned with the security objectives stated in the Information Security Policy.
Scope
These objectives apply to all systems, processes, and personnel within the ISMS scope.
Objectives Register
| ID | Objective | Measurable Target | Measurement Method | Responsible Role | Timeframe | Evaluation Frequency | Current Status |
|---|---|---|---|---|---|---|---|
| OBJ-01 | Protect Cryptographic Integrity | Zero unauthorised key access events; zero signing key compromises | Incident count review; access log audit for key storage systems (Cloudflare Workers secrets, KV) | Cryptography Specialist | Ongoing | Monthly | On track |
| OBJ-02 | Maintain Service Availability | 99.9% uptime for production APIs (provii-verifier including hosted mode, provii-issuer) | Grafana Loki uptime panels driven by Workers Logs | Security Lead | Ongoing | Monthly | Pre-launch (baseline not yet established) |
| OBJ-03 | Secure Software Development | 100% of PRs pass security scanning; 100% of PRs receive code review; SLSA Level 3 provenance for all production builds | GitHub PR metrics (required checks, review approvals); CI pipeline logs (CodeQL, cargo audit, npm audit) | Developer | Ongoing | Monthly | On track |
| OBJ-04 | Protect Operational Secrets | Zero credential exposures in source code or logs; MFA enforced on all GitHub and Cloudflare accounts | GitHub secret scanning alerts; MFA enforcement audit on GitHub organisation and Cloudflare account | Security Lead | Ongoing | Quarterly | On track |
| OBJ-05 | Ensure Compliance | ISO 27001:2022 certification when commercially justified; zero regulatory findings from OAIC or other authorities | Gap analysis completion status; external audit results; regulatory correspondence review | ISMS Owner | When justified | Quarterly | In progress |
Objective Details
OBJ-01: Protect Cryptographic Integrity
Alignment with policy: Corresponds to Security Objective 1 in the Information Security Policy, ensuring the mathematical soundness and security of zero knowledge proof systems.
What is measured:
- Number of unauthorised access attempts to signing key material
- Number of signing key compromise events
- Timeliness of key rotation per the Cryptography Policy
Data sources: Cloudflare audit logs (these record management-plane operations on Worker secrets and KV namespaces, i.e. who created, replaced or deleted a secret), incident records. Cloudflare does not emit a log entry when a Worker reads a secret binding at runtime, so the access review is a review of management-plane changes; runtime misuse of a key is evidenced through incident records rather than a Cloudflare log.
Escalation: Any non-zero count triggers immediate incident response per the Incident Response Procedure.
OBJ-02: Maintain Service Availability
Alignment with policy: Corresponds to Security Objective 2 in the Information Security Policy, providing reliable age verification services with minimal unplanned downtime.
What is measured:
- Uptime percentage for provii-verifier (including hosted mode) and provii-issuer
- Number and duration of unplanned outages
- Mean time to recovery (MTTR)
Data sources: Grafana Loki (Cloudflare Workers Logs sink), status page records, incident logs.
Escalation: Uptime below 99.9% in any calendar month triggers a management review action item. At 99.9% the downtime allowance is about 43 minutes in a 30-day month and about 45 minutes in a 31-day month, so an outage that straddles a month boundary must be apportioned to each month rather than counted wholly in the month it began.
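As an added worked example, not part of this register or of Maelstrom AI's monitoring tooling, the following Python computes the three OBJ-02 measures (monthly uptime, outage count, MTTR) and the escalation flag from a list of outage intervals. It assumes the start and end of each unplanned outage have already been extracted from Workers Logs, the status page or incident logs as UTC timestamps; the outages in the block are constructed, and one deliberately straddles a month boundary to show the apportioning.

```python
"""Monthly uptime, error budget and MTTR from outage intervals (OBJ-02).

Added example, not Maelstrom AI's tooling. It assumes each unplanned outage
has already been extracted (from Workers Logs, status page records or incident
logs) as a (start, end) pair of UTC datetimes; the OUTAGES below are constructed.
"""
from calendar import monthrange
from datetime import datetime, timedelta, timezone

TARGET = 0.999  # OBJ-02: 99.9% uptime in every calendar month


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample outages. The second one straddles the March/April
# boundary, which is exactly where a naive "sum the outages" report goes wrong.
OUTAGES = [
    (utc(2026, 3, 4, 10, 0), utc(2026, 3, 4, 10, 12)),   # 12 min, March
    (utc(2026, 3, 31, 23, 50), utc(2026, 4, 1, 0, 30)),  # 40 min, 10 March + 30 April
    (utc(2026, 4, 15, 2, 0), utc(2026, 4, 15, 3, 0)),    # 60 min, April
]


def month_bounds(year, month):
    """Half-open interval [first instant of month, first instant of next month)."""
    start = utc(year, month, 1)
    return start, start + timedelta(days=monthrange(year, month)[1])


def downtime_in_month(outages, year, month):
    """Downtime clipped to the calendar month, plus the clipped intervals."""
    m_start, m_end = month_bounds(year, month)
    total, clipped = timedelta(), []
    for start, end in outages:
        cs, ce = max(start, m_start), min(end, m_end)
        if ce > cs:  # the outage overlaps this month
            total += ce - cs
            clipped.append((cs, ce))
    return total, clipped


def monthly_report(outages, year, month):
    """OBJ-02 measures for one calendar month plus the escalation flag."""
    m_start, m_end = month_bounds(year, month)
    month_len = m_end - m_start
    down, clipped = downtime_in_month(outages, year, month)
    uptime = 1 - down / month_len
    budget = month_len * (1 - TARGET)  # downtime allowed before breaching 99.9%
    # MTTR: mean full duration of outages *resolved* in this month. Attributing
    # an outage to the month in which recovery happened means a straddling
    # outage is counted once, not once per month it touched.
    resolved = [end - start for start, end in outages if m_start <= end < m_end]
    mttr = sum(resolved, timedelta()) / len(resolved) if resolved else None
    return {
        "month": f"{year}-{month:02d}",
        "uptime_pct": round(uptime * 100, 4),
        "downtime_min": down.total_seconds() / 60,
        "budget_min": budget.total_seconds() / 60,
        "outages": len(clipped),
        "mttr_min": None if mttr is None else mttr.total_seconds() / 60,
        "escalate": uptime < TARGET,  # management review action item per OBJ-02
    }


if __name__ == "__main__":
    for y, m in [(2026, 3), (2026, 4)]:
        r = monthly_report(OUTAGES, y, m)
        flag = "ESCALATE" if r["escalate"] else "ok"
        print(f"{r['month']}: uptime {r['uptime_pct']}% "
              f"({r['downtime_min']:.1f} of {r['budget_min']:.1f} min budget used), "
              f"{r['outages']} outage(s), MTTR {r['mttr_min']} min -> {flag}")
```

With the constructed data, March stays within budget (22 of 44.64 minutes used) while April breaches it (90 of 43.2 minutes) and is flagged for escalation; the 40-minute straddling outage contributes 10 minutes to March and 30 to April, but is counted once for MTTR, in April, where it was resolved.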
OBJ-03: Secure Software Development
Alignment with policy: Corresponds to Security Objective 3 in the Information Security Policy, producing secure, auditable code through rigorous development practices.
What is measured:
- Percentage of PRs with passing security scans (CodeQL, cargo audit, npm audit)
- Percentage of PRs with at least one code review approval
- SLSA Level 3 provenance generation for production builds (provenance that is generated but never verified against the artifact actually deployed gives no assurance, so verification should be recorded alongside generation)
Data sources: GitHub pull request and status check data (required checks, review approvals), GitHub organisation audit log entries for branch protection changes, CI pipeline run history, SLSA provenance attestations.
Escalation: Any PR merged without required checks or review is treated as a nonconformity.
OBJ-04: Protect Operational Secrets
Alignment with policy: Corresponds to Security Objective 4 in the Information Security Policy, safeguarding API keys, signing keys, and authentication secrets.
What is measured:
- Number of secret scanning alerts (GitHub)
- MFA coverage percentage across GitHub organisation and Cloudflare account
- Number of credential rotation events completed on schedule
Data sources: GitHub secret scanning dashboard, GitHub organisation security settings, Cloudflare account settings.
Escalation: Any exposed credential triggers immediate rotation and incident response.
OBJ-05: Ensure Compliance
Alignment with policy: Corresponds to Security Objective 5 in the Information Security Policy, meeting legal and regulatory requirements.
What is measured:
- Gap analysis completion percentage (controls implemented vs. total required)
- Number of internal audit nonconformities (trend over time)
- External audit readiness assessment score
- Number of regulatory findings or complaints
Data sources: Gap Analysis, Internal Audit Program (maintained internally; available to auditors and enterprise customers on request), regulatory correspondence.
Escalation: Significant gaps or regulatory findings trigger corrective action plans reviewed in management review.
Review Process
Annual Review
Security objectives are formally reviewed during the annual Management Review (maintained internally; available to auditors and enterprise customers on request). The review considers:
- Whether each objective was met, partially met, or not met
- Whether targets remain appropriate or need adjustment
- Whether new objectives are required based on changes to the risk profile
- Resource requirements for achieving objectives
Ad-Hoc Review
Objectives are reviewed outside the annual cycle when:
- A significant security incident occurs
- The risk profile changes materially (new services, new threats, organisational changes)
- Audit findings indicate objectives are not being met
- Regulatory requirements change
Reporting
The Security Lead prepares a quarterly objectives status report summarising:
- Current measurement values against targets
- Trend analysis (improving, stable, or declining)
- Corrective actions required for objectives not on track
- Recommendations for target or measurement adjustments
This report is provided to the ISMS Owner and discussed in management review.
Related Documents
- Information Security Policy - Policy objectives (lines 33-96)
- Risk Register - Risks that objectives address
- Management Review (maintained internally; available to auditors and enterprise customers on request) - Forum for objectives review
- Internal Audit Program (maintained internally; available to auditors and enterprise customers on request) - Audit of objectives achievement
- Gap Analysis - Compliance progress for OBJ-05
Document Information
- Version. 1.0
- Effective Date. 2026-02-13
- Owner. ISMS Owner
- Review Frequency. Annually
- Next Review. 2027-02-13
- Classification. Public