The IOTICS ISMS
Leadership
Security at IOTICS starts with the commitment of our leadership team to support the operation and enforcement of the ISMS. Our Information Security Policy is signed off by the Chief Executive Officer and Chairman of the Board as a demonstration of that commitment.
Access Control
Access to all of IOTICS' corporate systems is controlled by our Access Management Policy and Procedures, which include enforcement of strong passwords, multi-factor authentication and regular audits of granted privileges.
All staff are bound by the policy, including permanent employees, contractors, advisors and consultants.
We apply the principle of least privilege across all our systems.
Asset Management
IOTICS devices are controlled under our Asset Management Policy and procedures, which include the use of endpoint security to provide automated OS patching, anti-virus, website filtering and encryption.
Training
All IOTICS staff, including permanent employees, contractors or consultants, are required to complete mandatory Information Security training as part of their onboarding or return-to-work. Thereafter, all staff complete an annual refresher course to reinforce security procedures.
Training includes awareness of phishing and social engineering techniques, effective password management, and account protection.
Supplier Management
To protect our supply chain, IOTICS assesses the risk associated with all third-party suppliers during onboarding, and annually thereafter.
We ensure that all critical suppliers can provide security assurances to the standard of ISO27001 as a minimum, and we verify the security processes in place for all other suppliers as appropriate for the services they provide and information they store or process for us.
Verification
The ISMS Management team assess the effectiveness of our controls through regular measurement of ISMS objectives, and these are further assessed by internal and external audits.
Information transfer
IOTICS leverages tier-1 cloud providers for the storage and processing of corporate data. We have implemented an Information Transfer Policy and procedure which aims to ensure that information relating to our business, customers, partners and suppliers is handled safely and appropriately according to its information security classification.
We do not store or transfer data on physical media (such as memory sticks) and instead use best-of-breed secure sharing capabilities provided by our corporate systems.
Secure Development
Our Product Engineering teams adhere to the Secure Development Policy and procedure, which ensures that our product is developed, tested and deployed in line with industry best practice.
Our Product team regularly assesses vulnerabilities and threats which have been identified through threat analysis, security testing, penetration testing, or code review, as part of our product roadmap prioritisation processes.
We use automated tooling as part of our CI/CD architecture to continually cross-check with the National Vulnerability Database for relevant threats to our codebase.