- 1 Is Credit Sense ISO 27001 certified?
Credit Sense is ISO 27001 certified by certification body Lloyds Register including all of our systems, assets, people and processes involved in supporting and maintaining our platform and its information security.
- 2 How is information security organised at Credit Sense?
We organise our information security within our Information Security Management System (ISMS) framework. Our ISMS framework enables the structured recording, management, review and continuous improvement of our information security practices.
Our Information Security Committee meets regularly and oversees our information security practices, including opportunities for improvement, nonconformity and corrective action processes, risk management activities, change management, ISMS KPIs, supply chain management and internal audit.
- 3 Do you implement human resource information security practices?
Our human resource information security controls manage information security risks pre, during, and post-employment.
We complete fit and proper person and criminal history checks for all new staff before employment. Our requirements for confidentiality and compliance with our ISMS policies, processes and controls form part of our employment agreements.
We ensure competency through a comprehensive onboarding process and ongoing information security training and testing. We actively and regularly promote information security and maintain change management and non-conformance controls to ensure change is managed and communicated and policies and controls are effective.
We maintain effective off-boarding controls. We revoke access to systems and assets and conduct exit interviews where ongoing obligations, including those relating to confidentiality and privacy, are explained.
- 4 How do you manage physical and environmental security?
We secure all physical locations by electronic access controls preventing access by unauthorised individuals. Information assets are encrypted at rest and stored on hardware sited at highly secure, specialised ISO 27001 certified facilities. Those facilities protect information assets from unauthorised physical access with 24/7 security personnel and multiple layers of access control and redundant systems to protect them from power loss, flooding, fire and other environmental threats.
- 5 Do you implement a data quality program?
Our data quality program controls ensure we maintain a high level of accuracy and protect the integrity of the information we collect and the products we supply. Controls include automated anomaly identification and preventive measures, regular manual review and audit, effective client feedback and communication mechanisms, and controlled data supplier management.
- 6 Do you implement asset management security practices?
We maintain effective asset management policies and controls to secure our physical and information assets from confidentiality, integrity, and availability threats. We apply appropriate classifications to information assets, and privacy controls and secure information transfer protocols are in place. Hardware assets are classified and inventoried, and we control their storage, location, assignment, return, and secure disposal.
- 7 How do you secure system access?
We implement zero-trust, least-access, role-based controls to manage access to systems and information. Strict policy and controls manage and monitor operational user access privilege activities, including provisioning, adjustment and removal, and privileged access rights. We communicate user responsibilities effectively and implement secure login controls. Access control is centrally managed and subject to continuous review and internal and external audit processes.
- 8 Do you implement cryptographic security protocols?
All data stored on or transiting through our infrastructure is cryptographically signed and secured. In addition, we protect all sensitive information with row-level encryption mechanisms, with individual decryption keys stored in separate, appropriately access-controlled systems. We rotate encryption keys regularly, following our key management policy and controls.
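The row-level scheme described in the answer above (one key per row, keys held outside the data store, regular rotation) can be illustrated with a short standalone program. This is an added example written for this page, not Credit Sense's code, and it makes two assumptions: the separate key-management system is stood in for by an in-memory `KeyStore` map, and AES-256-GCM is used as the per-row cipher. The row ID is bound as associated data so a ciphertext cannot be moved between rows, rotation re-encrypts a row under a fresh key, and revoking a key leaves the stored ciphertext permanently unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for the separately access-controlled key system the
// answer describes. An in-memory map is an assumption made for this example;
// it holds one data-encryption key (DEK) per row, keyed by row ID.
type KeyStore struct{ deks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{deks: map[string][]byte{}} }

// Issue generates a fresh 256-bit DEK for rowID, replacing any previous one.
func (ks *KeyStore) Issue(rowID string) ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.deks[rowID] = k
	return k, nil
}

// Lookup returns the DEK for rowID; without it the row cannot be read.
func (ks *KeyStore) Lookup(rowID string) ([]byte, error) {
	k, ok := ks.deks[rowID]
	if !ok {
		return nil, errors.New("no key for row " + rowID)
	}
	return k, nil
}

// Revoke deletes a row's DEK: the ciphertext remains but is now unreadable.
func (ks *KeyStore) Revoke(rowID string) { delete(ks.deks, rowID) }

// Row is what the data store holds: nonce and ciphertext, never key material.
type Row struct {
	ID    string
	Nonce []byte
	CT    []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRow seals plaintext under a new per-row DEK. The row ID is passed as
// associated data, so the GCM tag fails if the ciphertext is attached to
// another row.
func EncryptRow(ks *KeyStore, rowID string, plaintext []byte) (Row, error) {
	dek, err := ks.Issue(rowID)
	if err != nil {
		return Row{}, err
	}
	g, err := gcm(dek)
	if err != nil {
		return Row{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Row{}, err
	}
	return Row{ID: rowID, Nonce: nonce, CT: g.Seal(nil, nonce, plaintext, []byte(rowID))}, nil
}

// DecryptRow fetches the row's DEK from the key store and opens the row.
func DecryptRow(ks *KeyStore, r Row) ([]byte, error) {
	dek, err := ks.Lookup(r.ID)
	if err != nil {
		return nil, err
	}
	g, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.CT, []byte(r.ID))
}

// RotateRow re-encrypts a row under a fresh DEK: open with the current key,
// then seal again, which issues and stores the replacement key.
func RotateRow(ks *KeyStore, r Row) (Row, error) {
	pt, err := DecryptRow(ks, r)
	if err != nil {
		return Row{}, err
	}
	return EncryptRow(ks, r.ID, pt)
}

func main() {
	ks := NewKeyStore()
	// Constructed sample record; not real customer data.
	row, _ := EncryptRow(ks, "customer-42", []byte("account 12-345-678"))
	rotated, _ := RotateRow(ks, row)
	pt, _ := DecryptRow(ks, rotated)
	fmt.Printf("after rotation: %s\n", pt)
	_, err := DecryptRow(ks, row) // stale ciphertext under the new key: tag fails
	fmt.Println("stale row:", err)
	ks.Revoke("customer-42")
	_, err = DecryptRow(ks, rotated)
	fmt.Println("after revoke:", err)
}
```

The point to check in a real deployment is the one the map hides: the data store and the key store must have different access paths, so that a read of the database alone yields only ciphertext and the audit trail for key access is separate from the audit trail for data access.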
- 9 How do you protect from malware?
All endpoint devices are centrally managed company hardware assets as part of our zero-trust access controls. We centrally deploy, manage and monitor anti-malware and anti-virus controls, software installation and version management, technical vulnerability scanning and patch management.
- 10 Do you implement technical vulnerability and threat management protocols?
All infrastructure is monitored in real time to surface any newly identified vulnerabilities, including operating system, process, network and application monitoring. Logs are analysed in real time for current threats and retrospectively against newly discovered threats. We scan all applications deployed to our infrastructure for CVEs during the deployment process.
- 11 Do you implement secure development practices?
We implement secure development controls in our project management practices and software development lifecycle that manage privacy compliance and our information assets’ ongoing confidentiality, integrity, and availability.
Development, testing and production environments are separated. Environments are certified through our environment certification process that controls security, privacy, CI/CD, resource management, capacity planning, continuity management, disaster recovery, backup and restore, and other application lifecycle requirements.
Our CI/CD processes include peer review, automated testing, and technical vulnerability scanning and monitoring.
- 12 How do you manage security in your supply chain?
We implement supplier security policies and processes that include supplier onboarding controls and regular reviews to manage contractual and operational information security risks in our supply chain. Our supplier security practices are subject to annual internal and external audits.
- 13 How do you manage incidents?
We maintain incident response policy and plans that manage our approach and activities when responding to information security, data breach and operational incidents. We train all employees in our incident response processes, and incident postmortems inform our continuous improvement practices.
- 14 How do you manage business continuity and disaster recovery?
Our business continuity plan, together with our disaster recovery controls, manages unplanned disruption to our services. Business continuity planning reduces service interruption by implementing highly available infrastructure, endpoint device and access control management, technical vulnerability and threat management, and other internal alerting and continuity systems and controls.
- 15 Do you implement risk management practices?
Our risk management framework is aligned with the international risk management standard ISO 31000 and controls our risk identification, analysis, evaluation and treatment activities. Our risk management practices involve all employees, are managed by our Information Security Committee and are subject to annual internal and external certification audits.