Information governance

Our Information Governance Programme is key to assuring customers that we continually fulfil and exceed our contractual, regulatory, legal, risk and operational obligations.


iCONX information governance programme

Given both the nature and volume of the data we process, information technology management and governance has always had a seat at our top table. We have been COBIT aligned since 2003 and have consistently exceeded expectations in customer-commissioned audits, such as SOX compliance audits.

In tandem with customer-initiated audits, the iCONX information governance programme has continually delivered independent assurance to customers, based on international standards and best practice frameworks, as to the privacy, confidentiality, security, integrity and availability of their data.


BS 10012:2017 Personal information management

In 2017 we decided to further enhance our governance model through the adoption of, and certification to, the BS 10012:2017 Personal Information Management Standard, thus assuring customers of our systematic and best practice approach to managing privacy risk and improving our ASP services. Adoption of the BS 10012:2017 standard supports compliance with the GDPR, Regulation (EU) 2016/679, which has applied since 25 May 2018.

The BS 10012:2017 certification assessments are carried out by our accredited partner Certification Europe. We undertake surveillance audits at yearly intervals in order to continually improve privacy risk management and to maintain the validity of the certification, which is renewed every 3 years. The current certificate may be viewed here.

For further information contact our Data Protection Officer


ISO 22301:2012 Business continuity certification

In 2015 we decided to further enhance our governance model through the adoption of, and certification to, the ISO 22301:2012 standard, thus assuring customers of our systematic and best practice approach to managing business continuity risk.

A key component of the programme was the upgrade of our information systems infrastructure stack at our primary and secondary data centres, DB2 and DB3.

The ISO 22301 audits are carried out by our accredited partner Certification Europe. This certification is renewed every 3 years, and we undertake surveillance audits at six-monthly intervals to maintain it.

The current certificate may be viewed here.

ISO/IEC 27001:2013 Information security certification

In 2014 we decided to further enhance our governance model through the adoption of, and certification to, the ISO/IEC 27001:2013 standard, thus assuring customers of our systematic and best practice approach to managing information security risk.

The ISO 27001 audits are carried out by our accredited partner Certification Europe. We undertake surveillance audits at six-monthly intervals to maintain the certification, which is renewed every 3 years.

Our control set for the audits consisted of all 114 Annex A controls specified within the ISO/IEC 27001:2013 standard; no controls were excluded from the Statement of Applicability.

The current certificate may be viewed here.


AICPA SOC 1 SSAE 18 – Independent audit report

In 2015 we initiated an internal project culminating in the 2016 issuance of an AICPA SOC 1 SSAE 16 Type II report. The purpose of the SOC 1 Type II report is to provide our stakeholders with independent assurance regarding the adequacy and operating effectiveness, over a defined period, of the information system controls relevant to customers' financial reporting as applied to customer data hosted within our ASP.

The annual audits and subsequent reporting (now under SSAE 18) are carried out by Grant Thornton.

Data protection – audit report / GDPR alignment

In 2014 we initiated an internal data protection project with a view to establishing our status in respect of the forthcoming GDPR, Regulation (EU) 2016/679.

An industry-recognised subject matter expert audited our control environment. The subsequent audit report and recommendations fed into our continual improvement cycle and provided a strong starting point on our road to GDPR compliance.


AICPA SAS 70 – Independent audit report

In 2008 we initiated an internal project culminating in the 2009 issuance of an AICPA SAS 70 Type I report. The purpose of this independent report, based on the SAS 70 standard, was to provide our customers with independent assurance regarding the adequacy of the design of information system controls as applied to customer data hosted within our ASP.

The audit and subsequent reporting were carried out by Grant Thornton. Our controls were based on the ISACA COBIT framework.