ISMS Manual

Created by Venkat Pothamsetty, Modified on Mon, 25 Aug at 9:04 AM by Venkat Pothamsetty

Information Security Management System (ISMS) Manual

SquareX Holdings, Inc.
ISO/IEC 27001:2022


Document Control Information

  • Version: 1.0

  • Date: 2025-08-22

  • Prepared by: Venkat Pothamsetty, Consultant CISO

Revision History

Version | Date       | Changes          | Approved by
1.0     | 2025-08-22 | Initial creation | Venkat Pothamsetty

1. Introduction

1.1 Purpose

This Information Security Management System (ISMS) Manual defines the objectives, structure, and operation of SquareX Holdings, Inc.’s ISMS. It demonstrates SquareX’s commitment to safeguarding customer and corporate information assets across its Browser Detection & Response (BDR), Enterprise Browser, Browser DLP, and Secure Access offerings.

ISMS Objectives:

  • Establish a systematic approach to managing information security risks.

  • Ensure compliance with ISO/IEC 27001:2022.

  • Protect client data, intellectual property, and digital assets.

  • Enable trust in SquareX products (e.g., BDR, DLP, Enterprise Browser).

  • Support continuous improvement of information security practices.

1.2 Organization Overview

SquareX Holdings, Inc. is a cybersecurity software company providing an industry-first Browser Detection & Response (BDR) platform. Core offerings include:

  • Browser Detection & Response (BDR): Malicious extension detection, phishing prevention, malware sandboxing, content disarm & reconstruction.

  • Enterprise Browser: Secure access for SaaS, internal apps, contractors, and BYOD.

  • Browser DLP: Prevents data exfiltration via browser/GenAI, clipboard, or file transfers.

  • Secure Access: Enables secure access to SSH, RDP, unmanaged devices, and VDI.

1.3 Key Definitions

  • ISMS: Information Security Management System.

  • Information Asset: Any data, systems, or services (e.g., BDR modules, extension analysis, DLP logs).

  • Risk: Effect of uncertainty on information security objectives.

  • Incident: One or more unexpected information security events (e.g., extension compromise).

  • Threat: Potential cause of an unwanted incident (e.g., AI agent misuse, malicious extensions).

  • Vulnerability: Weakness exploitable by threats (e.g., misconfigured sandbox).


2. Context & Scope (Clause 4)

2.1 Internal and External Issues

Internal:

  • Dependency on browser-level protection for clients.

  • Need for scalable controls to secure SaaS, contractors, and BYOD.

  • Cloud-based infrastructure (Google Workspace, CI/CD pipelines).

  • Growing staff distributed across multiple geographies.

External:

  • Increasing browser-based threats (malicious extensions, polymorphic code, GenAI misuse).

  • Client regulatory expectations (e.g., GDPR, HIPAA).

  • Competitor innovation and industry benchmarking.

  • Supplier risk (cloud services, browser vendors).

2.2 Interested Parties

  • Clients: Confidentiality, secure services, regulatory compliance.

  • Employees: Secure working environment, privacy, clear guidance.

  • Suppliers/Partners: Security requirements in contracts.

  • Regulators: Proof of compliance and effective risk management.

  • Management: Business continuity and brand trust.

2.3 ISMS Scope Statement

The ISMS scope covers:

  • Development, operation, and delivery of BDR, Enterprise Browser, Browser DLP, and Secure Access.

  • Corporate IT (endpoints, Google Workspace, secure development environments).

  • All employees, contractors, and suppliers handling SquareX information.

Exclusions: Physical premises security beyond office access (SquareX is cloud-native).


3. Leadership (Clause 5)

3.1 Leadership & Commitment

Management demonstrates commitment by:

  • Maintaining an Information Security Policy.

  • Allocating resources for ISMS operations.

  • Ensuring integration of ISMS into product lifecycles.

  • Promoting continual improvement.

3.2 Information Security Policy

Policy commits to:

  • Confidentiality, Integrity, Availability (CIA triad).

  • Compliance with legal, regulatory, and contractual obligations.

  • Continuous risk-based approach to security.

3.3 Roles & Responsibilities

  • CISO (Jeswin Mathai): Overall ISMS accountability, risk acceptance.

  • ISMS Lead: Daily ISMS operation, compliance monitoring.

  • IT Manager: Endpoint, access control, vendor compliance.

  • Engineering Leads: Secure product development.

  • Employees: Policy compliance, incident reporting.


4. Planning (Clause 6)

4.1 Risk Assessment & Treatment

SquareX applies its Risk Assessment & Management Policy:

  • Assets identified (BDR, browser agents, sandbox, DLP).

  • Threats analyzed (extension malware, data leakage, identity abuse).

  • Risk score = Likelihood (0–1) × Impact (0–10), giving a net risk on a 0–10 scale.

  • Net risk > 8 → cyber insurance considered in addition to treatment.

  • Net risk < 3 → acceptable; formally recorded as accepted residual risk.

4.2 ISMS Objectives (2025)

  • 100% MFA for all systems.

  • <4h response time to incidents.

  • 100% endpoint encryption compliance.

  • 100% completion of awareness training.

  • Quarterly access reviews.

4.3 Statement of Applicability

Maintained as a controlled document (already prepared), linking Annex A controls to SquareX policies.


5. Support (Clause 7)

  • Resources: Budget for security tools, staff, audits.

  • Competence: Training, certifications, awareness programs.

  • Awareness: Annual mandatory training, policy refreshers.

  • Communication:

    • Internal (updates, alerts).

    • External (client briefings, regulator reports).

  • Documentation: Controlled policies (e.g., PE-Access Control Policy18.pdf, PE-Risk Assessment & Management Policy10.pdf).


6. Operation (Clause 8)

  • Planning & Control: Controls aligned to SoA.

  • Risk Assessments: Annual and event-driven.

  • Risk Treatment: Implemented controls, residual risk acceptance.

  • Change Management: Applies to BDR features, DLP controls, policies.

  • Supplier Security: Vendor assessments, contractual security clauses.

  • Incident Management: Detection → Containment → Recovery → Lessons Learned.


7. Performance Evaluation (Clause 9)

  • Monitoring: KPIs (incident resolution times, training %, encryption compliance).

  • Audits: Annual internal ISMS audits verifying the Annex A controls selected in the SoA. (ISO/IEC 27001:2022 groups Annex A into A.5 Organizational, A.6 People, A.7 Physical and A.8 Technological controls; the 2013-edition numbering, e.g. A.13, no longer applies.)

  • Management Reviews: Semi-annual MRMs (inputs: KPIs, audits, risk status; outputs: improvements, resources).


8. Improvement (Clause 10)

  • Nonconformity: Root cause analysis, corrective action tracking, effectiveness verification.

  • Continual Improvement:

    • Risk trend analysis.

    • Audit results.

    • Incident lessons learned.

    • Stakeholder feedback.

    • Technology updates (e.g., new AI/GenAI controls).


Annexes

  • Annex A: Risk Methodology & Template (SquareX policy, impact 0–10, likelihood 0–1).

  • Annex B: Roles & Responsibilities.

  • Annex C: ISMS Documents List (from policies screenshot).

  • Annex D: Glossary.

  • Annex E: References (ISO/IEC 27001:2022, SquareX ISMS policies, Risk Assessment Policy).
