Information Security Management Certified
1. About ISO/IEC 27001:2022
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). The 2022 revision restructures Annex A into four themes — Organisational (37 controls), People (8), Physical (14), and Technological (34) — covering 93 controls in total. Certification means an accredited body has verified the design and operation of the ISMS against the standard.
Our certification is held with BSI Group, an accredited certification body under UKAS (United Kingdom Accreditation Service). Certificate number IS 776421. The certificate is independently verifiable on the BSI client directory.
2. Scope of the ISMS
The certified ISMS scope, as stated on the certificate:
"The provision of cryptocurrency trading, custody, margin lending, and yield-generation services, including the design, operation and maintenance of supporting infrastructure, customer-facing platforms, and back-office systems, in accordance with the Statement of Applicability v3.2 dated 2025-08-04."
Geographic scope covers all entities operating under the bitexasia brand: Singapore (headquarters), Hong Kong, Dublin, and London delivery centres. Outsourced services in scope: cloud infrastructure providers, KYC vendors, on-chain custody partners.
3. Statement of Applicability
The Statement of Applicability (SoA) is the contract between our ISMS and the certifier — it lists every Annex A control, states whether it applies to us, and where it is documented in the internal control library. SoA v3.2 (2025-08-04) declares:
- 91 of 93 Annex A controls applicable; 2 excluded with documented justification:
  - A.7.10 (Storage media) — excluded because no removable physical media is used; all customer and operational data lives in encrypted cloud storage with hardware-backed keys.
  - A.7.11 (Supporting utilities) — partially excluded for office sites with no on-prem production systems; applies in full to data-centre regions.
- All applicable controls implemented and operating effectively as of the certification audit date.
- 2 controls with open improvement opportunities (non-conformities resolved before issue, tracked in management review minutes).
4. Annex A control coverage
Highlights from each theme:
Organisational controls (A.5)
Information security policies (A.5.1), segregation of duties on the trading and custody desks (A.5.3), supplier security assessment for every third party touching customer data (A.5.19–A.5.23), threat intelligence pipeline integrated into the SIEM (A.5.7).
People controls (A.6)
Background screening proportional to role sensitivity (A.6.1), formal information-security responsibilities in all employment contracts (A.6.2), structured security awareness training quarterly with phishing simulations (A.6.3), confidentiality agreements that survive employment (A.6.6).
Physical controls (A.7)
Tiered physical security at office and data-centre sites — visitor logging, badge access with anti-tailgate vestibules, biometric controls on rooms hosting cold-storage signing infrastructure (A.7.1–A.7.4). Clear desk and clear screen policy enforced (A.7.7).
Technological controls (A.8)
This is the largest theme and where most exchange-relevant controls live. Encryption at rest (AES-256) and in transit (TLS 1.2+) (A.8.24), secure development lifecycle with code review and SAST/DAST in CI (A.8.25–A.8.28), cryptographic key management with HSMs (A.8.24), comprehensive logging with tamper-evident retention (A.8.15–A.8.17), redundancy and tested business continuity plans (A.8.13–A.8.14).
5. Surveillance audit schedule
ISO/IEC 27001 certificates are valid for three years and require annual surveillance audits to confirm the ISMS continues to operate effectively. Our schedule:
- Stage 1 audit (documentation review): 2025-07-14 — passed, no major findings
- Stage 2 audit (implementation): 2025-08-11 to 2025-08-22 — passed, 2 minor non-conformities (both closed before certification issue)
- Certificate issued: 2025-09-12
- Surveillance audit 1: 2026-08 (upcoming)
- Surveillance audit 2: 2027-08
- Re-certification audit: 2028-07 (before certificate expiry 2028-09-11)
6. Certificate verification
The certificate can be verified independently via the BSI client directory at bsigroup.com/en-GB/our-services/certification/certificate-and-client-directory-search by entering certificate number IS 776421 or by searching for "bitexasia".
The certificate, the Statement of Applicability summary, and the Annex A control coverage map are also bundled in the SOC 2 Type II report — see the SOC 2 page for the request workflow.
7. Full certificate and contact
A scanned PDF of the certificate is available on request via audits@bitexasia.com. For deep-dive questions about a specific Annex A control or the SoA, please specify the control reference in your request; response within 5 business days.
Other audits: SOC 2 Type II, proof-of-reserves, penetration test, operating licences, Singapore PSA licence.