ISMS Scope Statement
Defines the boundaries and applicability of the CUI Labs Information Security Management System (ISMS) in accordance with ISO 27001:2022 requirements.
- Document Owner: CISO
- Approved By: CEO / Board
- Effective Date: Q2 2026+
- Review Cycle: Annual
1. Scope Definition
ISMS Scope: The CUI Labs Information Security Management System covers the design, development, deployment, and support of quantum-safe cryptographic solutions and autonomous systems for enterprise and government customers, including all associated infrastructure, data, and personnel.
This scope encompasses all activities, assets, and processes necessary to deliver secure products and services to customers while maintaining compliance with regulatory and contractual obligations.
2. Organizational Context
Company Information
- Legal Name: CUI Labs Pte. Ltd.
- Headquarters: Singapore
- Industry: Cybersecurity, Quantum Computing, AI
- Business Model: B2B SaaS and Enterprise Licensing
Organizational Structure
- Engineering (Product Development)
- Operations (Infrastructure, DevOps)
- Security (CISO, SOC, Compliance)
- Customer Success (Support, Professional Services)
- Business Functions (Sales, Marketing, Finance, HR)
3. Physical & Logical Boundaries
Physical Locations
In Scope
- Singapore headquarters office
- Remote employee home offices (with company equipment)
- Cloud data centers (AWS, Azure, GCP)
Out of Scope
- Customer premises and infrastructure
- Third-party vendor facilities (covered by contracts)
Logical Boundaries
In Scope
- Production environments (all regions)
- Staging and testing environments
- Development environments (with customer data)
- Corporate networks and systems
- Customer data storage and processing
- CI/CD pipelines and source code repositories
Out of Scope
- Personal employee devices (BYOD not permitted)
- Customer-managed infrastructure
- Public marketing websites (non-authenticated)
4. Products & Services in Scope
QNSP (Quantum-Native Security Platform)
Post-quantum cryptographic key management and encryption services
QSIG (Quantum-Safe Interoperable Gateway)
Blockchain interoperability with quantum-safe cryptography
AIOS (Autonomous Interoperable Operating Systems)
AI-powered autonomous decision-making platform
DDIP (Deterministic Development Intelligence Platform)
AI-assisted software development with security controls
IACC (Industrial Autonomous Command Cloud)
Cloud infrastructure for autonomous industrial systems
Tunnel (Quantum-Safe Connectivity Fabric)
Secure communication layer with post-quantum encryption
5. Processes in Scope
Product Development
- Requirements analysis
- Design and architecture
- Secure coding
- Code review
- Testing (unit, integration, E2E)
- Security scanning (SAST, DAST, SCA)
Infrastructure Operations
- Cloud infrastructure management
- Network security
- System monitoring
- Patch management
- Backup and recovery
- Incident response
Customer Support
- Ticket management
- Technical support
- Professional services
- Customer onboarding
- Training and documentation
Sales & Marketing
- Lead management
- Contract negotiation
- Customer relationship management
- Marketing campaigns
- Website management
Finance & Administration
- Financial reporting
- Payroll
- Procurement
- Vendor management
- Legal and compliance
Human Resources
- Recruitment
- Onboarding/offboarding
- Training and development
- Performance management
- Access provisioning
6. Stakeholders
Customers
Enterprise and government organizations using CUI Labs products
Employees
Full-time staff and contractors
Regulators
MAS, PDPC, GDPR authorities, export control agencies
Partners
Technology partners, resellers, system integrators
Suppliers
Cloud providers, SaaS vendors, consultants
Investors
Shareholders and potential investors
7. Interfaces & Dependencies
Third-Party Services
- Cloud Infrastructure: AWS, Azure, GCP (Critical)
- Identity & Access: Auth0, Okta (Critical)
- Monitoring & Logging: Datadog, Splunk (High)
- Communication: Slack, Zoom, Email (Medium)
- Development Tools: GitHub, GitLab, Jira (High)
- Security Tools: Snyk, Wiz, CrowdStrike (Critical)
External Dependencies
- Internet connectivity (multi-ISP redundancy)
- Public key infrastructure (certificate authorities)
- DNS services (Route53, Cloudflare)
- Payment processing (Stripe, bank transfers)
8. Exclusions & Justifications
The following are explicitly excluded from the ISMS scope:
Customer-Managed Infrastructure
Justification: Customers deploy CUI Labs products in their own infrastructure. Security of customer infrastructure is the customer's responsibility, though we provide security guidance and best practices.
Personal Employee Devices (BYOD)
Justification: CUI Labs does not permit BYOD. All employees use company-issued, managed devices with security controls. Personal devices cannot access corporate resources.
Public Marketing Website (Unauthenticated Pages)
Justification: Public marketing pages (e.g., homepage, product pages) do not process or store sensitive data. Authenticated portals (customer dashboards, admin panels) are in scope.
9. Scope Changes & Future Expansion
The ISMS scope is reviewed annually or when significant organizational changes occur. Potential future expansions include:
- Additional geographic locations (if offices opened)
- New product lines or services
- Acquired companies or merged operations
- Expanded regulatory requirements (new jurisdictions)
Any scope changes require CISO approval and Board notification. Material changes trigger re-assessment of risks and controls.
10. Related Documents
- Document ID: ISMS-SCOPE-001
- Version: 1.0
- Classification: Public