Controls
The information below summarises the core security controls implemented by the ISF to protect Member data on ISF Tools platforms.
For further information relating to these controls, or for additional security queries, please contact tools@securityforum.org
Security Management and Governance
Control
Status
Governance and Management Commitment
Executive leadership formally endorses all security policies.
A defined management structure oversees information security, including an ISMS Manager and Security Committee.
Regular reviews and updates of policies and controls are mandated.
Core security objectives are defined and communicated across the organisation.
All security practices align with and leverage the ISF's Standard of Good Practice for Information Security.
ISF monitors and audits compliance with security policies.
Non-compliance is proactively identified and remediated by the Security Committee and senior leadership.
Risk Management and Business Continuity
Regular risk assessments are conducted on key systems, with risk managed in line with business objectives.
ISF maintains a formal Business Continuity Plan with defined Recovery Time Objectives.
Recovery Point Objectives and Maximum Acceptable Outages are defined for all critical systems.
The Business Continuity Plan is tested annually and updated as required.
A formal incident response plan is in place with defined roles, responsibilities, and escalation procedures.
A Critical Incident Management Team coordinates response and recovery activities when the BCP is invoked.
Employee Security Management
All staff must read and accept security policies.
Mandatory security awareness training is provided during onboarding for all new employees.
All ISF Tools staff are security-screened as part of employee background checks prior to employment.
All staff are required to undergo security and data privacy training on an annual basis.
All staff must safeguard ISF data and equipment when working remotely.
Positive security behaviours are actively encouraged and highlighted to promote a culture of transparency.
Use of personal devices (BYOD) is restricted and subject to security controls.
Only IT-approved hardware, software, and cloud services may be used.
A whistleblower policy is maintained and communicated to all staff, enabling employees to raise instances of wrongdoing.
Technical Security Controls
Infrastructure and Platform Security
ISF Tools platforms are hosted exclusively on Microsoft Azure infrastructure within the United Kingdom.
ISF Live is hosted on a Salesforce instance running on AWS infrastructure in Sweden.
Data centres maintain ISO 27001, SOC 2, and other industry certifications. See here: Azure compliance documentation
Azure availability zones are utilised to ensure service resilience.
Infrastructure is monitored for uptime and efficiency, with appropriate alerting and monitoring.
All systems are monitored for capacity, with systems able to scale in times of increased utilisation.
Capacity requirements are reviewed regularly to ensure scaling limits are appropriate.
Production systems operate in isolated network segments with restricted access controls.
Network traffic is monitored and logged for security analysis.
Access to next-generation firewall configuration is heavily restricted to authorised employees in specified circumstances only.
Data Protection, Encryption and Backup
All sensitive data is encrypted at rest using industry-standard AES-256.
Data in transit is protected using current TLS protocol versions to ensure secure communication.
Azure Key Vault is utilised for encryption key management in Microsoft Azure environments.
Daily backups are performed and stored on redundant Azure West infrastructure.
Geo-redundant backups are maintained for additional protection.
Backups are tested regularly for both integrity and restoration suitability.
Access Control and Authentication
Access to systems and data is restricted to authorised users only.
Segregation of duties is enforced.
Remote access to ISF Tools infrastructure requires an authorised, encrypted connection.
Remote access to ISF Tools infrastructure also requires approval from both a senior manager and the IT team.
Members can make use of single sign-on (SSO) / federated identity (FIAM) connections to ISF Tools.
Application Security and Testing
ISF and its partners follow secure coding practices throughout the software development lifecycle.
Security considerations are integrated from initial design through deployment and maintenance.
ISF conducts regular vulnerability scanning of applications and infrastructure.
All identified vulnerabilities are reviewed internally and remediated based on risk assessment.
Third-party penetration tests are undertaken annually. Summary reports are available to ISF Members.
Data Privacy and Compliance
Privacy Compliance
ISF complies with UK GDPR across all jurisdictions.
A Data Privacy Officer oversees lawful data processing, transparency, and safeguarding of personal data.
All personal data is stored in Stockholm (Sweden) and replicated on ISF Tools platforms in the United Kingdom.
Personal data replication is minimised to ensure that as little personal data as possible is transferred.
Data Collection & Processing
Personal data is collected only for specific, lawful purposes.
Data is processed fairly, transparently, and only for its original intended use.
A data privacy notice is made available to all users. See here: ISF Privacy Notice
A formal classification scheme governs how data is labelled, stored, transmitted, and shared.
No special categories of personal data are collected, except in specific and defined circumstances (e.g. information relating to accessibility requirements and dietary concerns is collected for ISF Events to ensure individuals are supported accordingly).
Retention periods are defined and applied for data (including personal data).
Secure deletion processes are followed on ISF-controlled hardware and with infrastructure providers.
Supplier and Third Party Management
A list of subprocessors who may process Member data is maintained and made available. See here: Trust Centre | Subprocessors
All subprocessors are subject to contractual security and privacy requirements.
Supplier onboarding and access are governed by a Supplier Security Standard.
Suppliers undergo risk assessments and contractual reviews to ensure data is protected in line with ISF requirements.
Critical suppliers are documented, assessed and reviewed regularly.
Service Performance
ISF operates under best endeavours commitments and has achieved 99.9% uptime across previous reporting periods.
Scheduled maintenance is performed during low-usage periods with advance notice to ISF Members.
Artificial Intelligence
Generative AI tools are restricted unless authorised by the business.
No artificial intelligence or machine learning technologies are used across any of the ISF Tools, or on data stored on the platforms.
Contact and Support
For security-related enquiries, compliance questions, or technical support, contact:
Tools support (including security): tools@securityforum.org | Member support: Contact your Account Manager
This Trust Centre is regularly updated to reflect current security practices and compliance status.