IT Infrastructure X-Ray

ISO27001 requires a scope for your ISMS, meaning that you will need to define what is in scope and what is out of scope. Defining the components of your IT infrastructure will help you define that scope.

In addition, this overview will be a great support during preparation for certification, as it is a summary of all the ISMS information you will need to share with your external auditor at the beginning of the audit.
Once you have added this information, you can create a PDF and use it during compliance processes with your customers, providing them with general, high-level security information on certain parts of your infrastructure.

First of all, the most important tip: be modest. Never add components that you want to develop in the future; this is not a sales pitch. Only components that are in place will be part of your scope. It is far easier to build an ISMS with a limited number of components than with a very complicated infrastructure and multiple products and services. Starting small is a benefit for you. So no business development plans: limit it to the current state.

In this section you can add components, depending on your IT infrastructure, value proposition and data flows. All the components together will form a visual of your ISMS organization: your X-Ray. Below you can find an example of an X-Ray. In this example we have 5 components in place.

1. App environment
2. AWS environment (data storage)
3. Azure-Power BI (data analytics)
4. Web Portal for Customers
5. Separate Web Portal for SuperCoolCustomer Team

You can already prepare some of the components while we plan an X-Ray Session to co-create your X-Ray.

How to prepare:

  1. Start by creating components. First check the drop-down list (type or component). Every type of component has its own template requesting specific information.
  2. Choose the components that apply to you (multiple are possible), add a name (top field X-Ray Component) and Save using the yellow button at the top right:
    • App – add the name of the app
    • Web Portal – a web application for your customer or end-user, or for your own team – name that product/portal
    • Server Environment – your cloud environment (AWS, Google, Azure, local, own server etc.) – add the name of the supplier. If you have multiple server environments, add more. You will also have to choose whether this is outsourced (AWS, Google etc.) or whether you have your own server on site. This will create a different template.
    • Office Network – this is your office. Even if you have an online office and only work remotely, you will need to add this component.
    • API/SDK Environment – not every API needs to become a separate component, only if it is a specific part of your product/service
    • Other – we are in the process of defining more types of components; in the meantime you can use this general component template for e.g. a blockchain environment or other technologies.
    • If you are not sure, do not add it; we will co-create during the X-Ray Session.
  3. Once you have created components, you will be able to edit their content. Every component has different topics to address, and Helper buttons with support tips or questions that help you add information. Keep the information high level and add links to your own wiki environment with more detailed information, so that Compleye online is linked to evidence in your own environment. You can add documents and graphics for further explanation. Keep the language understandable for everyone; not all auditors or compliance professionals have a good technical background.
  4. Make sure you add no confidential information, as you might want to use the PDF functionality for external communication.
  5. During the X-Ray Session we will check whether all components are in place and are needed.
  6. Once all information is documented, C-level can give approval after reviewing the content, using the approval features (see below).
  7. You will make changes during the year in these environments (additional security measures, features or functionalities), and you will need to adjust the documentation. Small notes can also be made in the section Changes (see below) to keep track of these changes. This makes them easy to address during audits and keeps your ISMS Team and external partners up to date.








X Ray Component 

free text for the name of the component 


Type or component 

select from drop-down menu: App / Web Portal / Server Environment / Office Network / API/SDK Environment / Other



free text field – describe at a high level the Application's purpose, functions and/or intended use

[describe purpose of the app] 


free text field – describe the authentication features adopted to access and use the API/SDK environment 

All login credentials are stored in LastPass 


free text field – describe the server environment including the description of each component 


Assets stored 

free text field – indicate and describe the assets stored in the server environment 


Access management 

free text field – describe how the access management rights are organized and managed

All access management is documented on Confluence 


free text field – if applicable, describe the process of collecting and managing consents obtained for the purpose of processing personal data

Consent is prompted during the user registration flow

Type of data collected 

free text field – specify the types/categories of personal data collected, stored and processed

Self-reported information: gender data, year of birth, email address

Specific features 

free text – indicate the key features of the Application  



free text field – indicate whether a settings function is available and what its options are, including the options that can be changed by the user


User flow overview 

free text field – name of the document + upload the document functionality 

User flow January 2022 

Links to more information  

free text field – name of the source/link 

+ upload a document – for any other relevant product description content or diagram 



free text field – what are the security measures implemented? 

encryption data 


free text field – how do you monitor this component for quality, security and availability? Is there a standard report or dashboard in place? How do you monitor incidents?

Monitoring is performed by a collection of managed services by Amazon working in unison (CloudWatch, CloudTrail, GuardDuty…). The following items are also monitored: RDS database critical metrics (CPU and storage)…




Assessment finding 



+ Add new assessment 

Assessment date: select date
Finding: free text


Approvals of assessment & findings 



+ Add new review 

Approval date: select + click approve


