Does your organisation conduct an annual independent information security review and act upon the findings?

Yes, our ISMS is audited annually both internally and externally, along with other review mechanisms required by ISO 27001.

More information: https://commonplace.atlassian.net/l/cp/f9aW1Qpj

Do you have a formally documented information security management system (ISMS)?

Yes, we operate an ISO 27001 certified information security management system.

More information: https://commonplace.atlassian.net/l/cp/ArZfB1RN

Does your organisation have an appointed person responsible for information security, such as a CISO?

An Information Security Working Group meets monthly to review information security requirements and issues:

  • Mike Saunders (CEO)
  • Leigh Gordine (Information & Security Officer)
  • Benjy Meyer (Chief Product & Technology Officer)
  • Denica Hristova (People Lead)

More information: https://commonplace.atlassian.net/l/cp/u8vA3JXN

Does your organisation have a documented Cybersecurity Policy or Information Security Policy?

Yes, here is the board approved Information Security Policy.

Does your organisation have a formal policy on the use of mobile devices?

Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/dWy3mBzn

Does your organisation have a formal policy for remote working that includes security?

Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/oVj6u2MH

Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?

Yes, our Asset Management Policy contains this information and is available on request from customers@commonplace.is

In addition, an Acceptable Use Policy for platform users is available at https://www.commonplace.is/acceptable-use

More information: https://commonplace.atlassian.net/l/cp/QB3eUX7P

Does your organisation have a documented Information Classification Policy?

Yes, as part of our ISMS we have a fully documented information classification policy.

This consists of four categories: Public, Internal, Confidential and Personally Identifiable Information. All systems and information are assigned to one of these four categories.

More information: https://commonplace.atlassian.net/l/cp/bY0m2XtM

Does your organisation have a documented Access Control Policy? How are administrator accounts authorised and managed?

Yes, you may request a copy of our Access Control Policy from customers@commonplace.is

We conduct access reviews quarterly, biannually or annually depending on the system.

More information: https://commonplace.atlassian.net/l/cp/FCfVRgLG

Does your organisation have a Password Policy that is technically enforced throughout its IT estate?

Yes, for both employees and users, in accordance with Cyber Essentials.

More information: https://commonplace.atlassian.net/l/cp/4ALmsaj0

Does your organisation have a documented Backup Policy?

Yes, this is documented in our Operating Procedures for Information and Communication Technology, which is available on request from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/1BfZH75h

Does your organisation enforce a Clear Desk and Screen Policy?

Yes, you may request a copy of our Clear Screen & Desk Policy from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/wy0EzmZN

Does your organisation prevent the use of removable media, and is this enforced technically?

Yes, enforced via mobile device management software.

More information: https://commonplace.atlassian.net/l/cp/R2dg1YSW

Are your organisation's information security policies accessible to all employees?

Yes, available via our intranet.

More information: https://commonplace.atlassian.net/l/cp/ucnpB1zM

Are your organisation's information security policies reviewed and approved by senior management at least annually?

Yes.

More information: https://commonplace.atlassian.net/l/cp/4XK3av1E

Has your organisation documented senior management roles and responsibilities for security within your organisation?

Yes. An Information Security Working Group meets monthly to review information security requirements and issues:

  • Mike Saunders (CEO)
  • Leigh Gordine (Information & Security Officer)
  • Benjy Meyer (Chief Product & Technology Officer)
  • Denica Hristova (People Lead)

Here is the board approved Information Security Policy.

More information: https://commonplace.atlassian.net/l/cp/Y71ES0yG

Does your organisation include information security during the planning and delivery of projects?

Yes, Jira tickets require a security risk level.

More information: https://commonplace.atlassian.net/l/cp/GrfPb1z6

Does your organisation restrict employee access to business information based upon the principle of least privilege?

Yes.

Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are strictly controlled and granted only when absolutely required. Generally, privileged access is granted only to those in more senior roles; for example, admin access to Commonplace platform infrastructure is granted only to the CPTO, Head of Technology and Tech Leads.

All access is recorded and reviewed on a regular basis (frequency depends on the criticality and sensitivity of the system and data) to ensure access remains in line with this restricted approach.

More information: https://commonplace.atlassian.net/l/cp/StpXL2W4

Does your organisation have an internal audit function that ensures information security requirements are being met by the business?

Yes. Our ISMS is audited annually both internally and externally, along with other review mechanisms required by ISO 27001.

More information: https://commonplace.atlassian.net/l/cp/3HgecJNc

Does your organisation conduct security risk assessments for your full IT estate at least annually? Do you have a formally documented and board level approved risk management framework? Do you conduct regular risk and control assessments taking into account the latest vulnerabilities and changes to the threat landscape?

Yes, as part of our ISMS we have a fully documented risk assessment and treatment process, which is reviewed regularly and at least annually. We maintain an organisation-wide risk register for IT and data security issues.

More information: https://commonplace.atlassian.net/l/cp/1z05F0ZZ

Does your organisation have a formal confidentiality or non-disclosure agreement in place for all staff, contractors and third parties?

Yes.

More information: https://commonplace.atlassian.net/l/cp/DoyF2o8A

Does your organisation segregate duties to prevent unauthorised disclosure or access to information?

Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are strictly controlled and granted only when absolutely required. Generally, privileged access is granted only to those in more senior roles; for example, admin access to Commonplace platform infrastructure is granted only to the CPTO, Head of Technology and Tech Leads.

All access is recorded and reviewed on a regular basis (frequency depends on the criticality and sensitivity of the system and data) to ensure access remains in line with this restricted approach.

Only customer users with an admin login to Commonplace have access to any personal information about respondents:

  • Email addresses are not available in the current dashboard.

  • Personally identifiable information is not included in downloads.

More information: https://commonplace.atlassian.net/l/cp/TGfChHym

Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?

Yes. Two years after the licence ends at the latest, each project is archived and the responses are pseudonymised.

More information: https://commonplace.atlassian.net/l/cp/LZ4JWYHP

Does your organisation use threat intelligence to inform decisions about information security?

Yes. We are subscribed to a number of newsletters from our vendors and other sources (including the UK NCSC) to maintain an overview of the security landscape across our application and network. All risks are logged in our risk register.

More information: https://commonplace.atlassian.net/l/cp/1de1J7Ys