Richards IT

Security Statement


Our Commitment to Information Security

We are committed to protecting the confidentiality, integrity, and availability of information entrusted to us by our clients, partners, and stakeholders.

Information security is a core part of how we operate. We maintain a structured Information Security Management System (ISMS) that governs how we manage risks, protect data, and respond to security incidents.


Our Security Framework

Our information security practices are aligned with the NIST Cybersecurity Framework (CSF) 2.0, an internationally recognised framework for managing cybersecurity risk.

Relevant ACSC ISM guidance, including the Essential Eight, is adopted as a technical implementation baseline to support NIST CSF outcomes in line with Australian threat conditions. The ACSC Essential Eight has been adopted to Maturity Level One.

Our approach covers:

  • Govern – Security governance, policies, and oversight
  • Identify – Understanding assets, risks, and dependencies
  • Protect – Safeguards to protect systems and information
  • Respond – Effective incident response and communication
  • Recover – Resilience, backup, and recovery processes


Risk‑Based Approach

We apply a risk‑based approach to information security, ensuring controls are appropriate to the sensitivity of the information and the nature of our services.

Risks are:

  • Identified and assessed
  • Documented in a risk register
  • Treated using proportionate security controls
  • Reviewed regularly and at least annually


Protection of Information

We protect information through a combination of technical, organisational, and procedural controls, including:

  • Strong identity and access management
  • Multi‑factor authentication for all supported systems
  • Secure configuration of devices and services
  • Controlled access based on least privilege
  • Secure backup and recovery processes


Data Classification and Handling

All information is classified and handled according to its sensitivity.

We use a simple and consistent classification model:

  • Public
  • Internal – General
  • Internal – Restricted
  • Client – General
  • Client – Restricted

All data is labelled, and handling requirements are applied consistently to reduce the risk of unauthorised access or disclosure.


Backup and Recovery

We maintain regular backups of business‑critical systems, including cloud services.

Key principles include:

  • Backups performed at least daily
  • Backups stored in a separate data repository
  • Quarterly restore testing to verify recoverability

These measures support business continuity and resilience.


Incident Management

We maintain an incident response process to ensure security incidents are handled promptly and effectively.

Where incidents involve personal information, we assess and respond in line with Australia’s Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, including notification to affected individuals and the Office of the Australian Information Commissioner (OAIC) where required.


Supplier and Third‑Party Security

We assess and manage information security risks associated with suppliers and third parties.

This includes:

  • Risk‑based assessment of suppliers
  • Limiting access to the minimum required
  • Reviewing supplier access and risks periodically
  • Managing supplier‑related incidents appropriately


Remote and Mobile Working

We support secure remote and mobile working through:

  • Approved and managed devices
  • Strong authentication and MFA
  • Secure access controls
  • Clear requirements for handling information outside office environments


Governance and Review

Our ISMS is reviewed at least annually, including:

  • Review of risks
  • Review of suppliers
  • Review of backups and recovery testing
  • Review of assets and devices
  • Identification of improvement opportunities

This ensures our security practices remain effective and aligned with business needs.


Continuous Improvement

Information security is not static. We continually improve our controls through:

  • Risk reviews
  • Incident lessons learned
  • Changes in technology and threats
  • Feedback from clients and stakeholders


Contact

If you have questions about our information security practices, or wish to discuss security requirements, please contact us using the details provided on our website.

Copyright © 2026 Richards IT - All Rights Reserved.