The following eight findings were classified as Phase 1 priorities: High-priority Non-Compliant controls requiring remediation within 0–30 days. These represent active compliance violations or governance gaps with direct regulatory exposure.
| ID | Finding | Owner | Why It Cannot Wait |
|---|---|---|---|
| GA-001 | Information Security Policy | CISO | No documented management commitment to information security. ISMS certification cannot proceed without it. |
| GA-002 | Roles and Responsibilities | CISO | No defined ownership for information security roles. Without assigned accountability, every other control is unenforceable. |
| GA-004 | Incident Response Plan | CISO | No structured process for detecting, containing, or recovering from a security incident. The 72-hour GDPR notification window cannot be met without this. |
| GA-007 | Access Control Policy | CISO | No documented rules governing who can access what systems and under what conditions. All access management controls are unverifiable without a policy baseline. |
| GA-028 | Lawful Basis for Processing | Compliance Officer | Personal data of 100,000 users is being processed across 10 data types with no documented Article 6 legal basis. Active GDPR violation. |
| GA-029 | Privacy Notice | Compliance Officer | Users receive no information about how their data is processed. Direct violation of GDPR Articles 13 and 14. |
| GA-034 | Breach Notification Procedure | Compliance Officer | No 72-hour escalation chain, no supervisory authority notification template, no breach register. GDPR Article 33 compliance is not achievable without this. |
| GA-035 | Data Protection Impact Assessment | Compliance Officer | Three processing activities — KYC biometric verification, behavioural profiling, and large-scale financial processing — meet the DPIA threshold under Article 35 and have not been assessed. |