Versions Compared

Version Old Version 28 New Version Current
Changes made by

Roxy Sanchez

Benjy Meyer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Expand
titleDoes your organisation conduct an annual independent information security review and act upon the findings?

Does your organisation conduct an annual independent information security review and act upon the findings?

Yes, our ISMS is audited annually both internally and externally. Along with other review mechanisms as part of our ISO 27001 requirements.

More information: https://commonplace.atlassian.net/l/cp/f9aW1Qpj

Do you have a formally documented information security management system (ISMS)?

Yes, we operate a ISO 27001 certified information security management system.
Expand
titleDo you have a formally documented information security management system (ISMS)?

More information: https://commonplace.atlassian.net/l/cp/ArZfB1RN

Expand
titleDoes your organisation have an appointed person responsible for information security, such as a CISO?

Does your organisation have an appointed person responsible for information security, such as a CISO?

An Information Security Working Group meets monthly to review information security requirements and issues:
Mike Saunders (CEO) | Leigh Gordine (Information & Security Officer), Benjy Meyer (Chief Product & Technology Officer), Denica Hristova (People Lead)

More information: https://commonplace.atlassian.net/l/cp/u8vA3JXN

Expand
titleDoes your organisation have a documented Cybersecurity Policy or Information Security Policy?

Does your organisation have a documented Cybersecurity Policy or Information Security Policy?

Yes, here is the board approved Information Security Policy.

Does your organisation have a formal policy on the use of mobile devices?

Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is
Expand
titleDoes your organisation have a formal policy on the use of mobile devices?

More information: https://commonplace.atlassian.net/l/cp/dWy3mBzn

Expand
titleDoes your organisation have a formal policy for remote working that includes security?

Does your organisation have a formal policy for remote working that includes security?

Yes, you may request a copy of our Mobile & Teleworking Policy from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/oVj6u2MH

Yes, our Asset Management Policy contains this information and is available on request from customers@commonplace.is
Expand
Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?
title Does your organisation have a documented Acceptable Use Policy that outlines the rules for the acceptable use of company IT assets and information?

In addition an Acceptable Use Policy for platform users is available https://www.commonplace.is/acceptable-useMore information: https://commonplace.atlassian.net/l/cp/QB3eUX7P

Does your organisation have a documented Information Classification Policy?

Yes, as part of our ISMS we have a fully documented information classification policy.

This consists of 4 categories: Public, Internal, Confidential and Personally Identifiable Information. All systems and information are assigned to 1 of these 4 categories
Expand
titleDoes your organisation have a documented Information Classification Policy?

More information: https://commonplace.atlassian.net/l/cp/bY0m2XtM

Yes, you may request a copy of our Access Control Policy from customers@commonplace.is
Expand
Does your organisation have a documented Access Control Policy? How are administrator accounts authorised and managed?
title Does your organisation have a documented Access Control Policy? How are administrator accounts authorised and managed?

We conduct access reviews quarterly, biannually or annually depending on the system.

More information: https://commonplace.atlassian.net/l/cp/FCfVRgLG

Expand
Does your organisation have a Password Policy that is technically enforced throughout its IT estate?
titleDoes your organisation have a Password Policy that is technically enforced throughout its IT estate?

Yes, for both employees and users, in accordance with Cyber Essentials

More information: https://commonplace.atlassian.net/l/cp/4ALmsaj0

Expand
titleDoes your organisation have a documented Backup Policy?

Does your organisation have a documented Backup Policy?

Yes, this is documented in our Operating Procedures for Information and Communication Technology, which is available on request from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/1BfZH75h

Expand
titleDoes your organisation enforce a Clear Desk and Screen Policy?

Does your organisation enforce a Clear Desk and Screen Policy?

Yes, you may request a copy of our Clear Screen & Desk Policy from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/wy0EzmZN

Expand
titleDoes your organisation prevent the use of removable media, and is this enforced technically?

Does your organisation prevent the use of removable media, and is this enforced technically?

Yes, enforced via mobile device management software.

More information: https://commonplace.atlassian.net/l/cp/R2dg1YSW

Are your organisation's information security policies accessible to all employees?

Yes, available via our intranet.
Expand
titleAre your organisation's information security policies accessible to all employees?

More information: https://commonplace.atlassian.net/l/cp/ucnpB1zM

Expand
Are your organisation's information security policies reviewed and approved by senior management at least annually?
titleAre your organisation's information security policies reviewed and approved by senior management at least annually?

Yes.

More information: https://commonplace.atlassian.net/l/cp/4XK3av1E

Has your organisation documented senior management roles and responsibilities for security within your organisation?

Yes. An Information Security Working Group meets monthly to review information security requirements and issues:
Mike Saunders (CEO) | Leigh Gordine (Information & Security Officer), Benjy Meyer (Chief Product & Technology Officer), Denica Hristova (People Lead)

Here is the board approved Information Security Policy.
Expand
title Has your organisation documented senior management roles and responsibilities for security within your organisation?

More information: https://commonplace.atlassian.net/l/cp/Y71ES0yG

Does your organisation include information security during the planning and delivery of projects?

Yes, Jira tickets require a security risk level
Expand
title Does your organisation include information security during the planning and delivery of projects?

More information: https://commonplace.atlassian.net/l/cp/GrfPb1z6

Expand
Does your organisation restrict employee access to business information based upon the principle of least privilege?
titleDoes your organisation restrict employee access to business information based upon the principle of least privilege?

Yes.

Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are strictly controlled and only granted when absolutely required. Generally, this is privileged access is only granted to those in more senior roles. eg. admin access to Commonplace platform infrastructure is only granted to the CPTO, Head of Technology and Tech Leads.

All access is recorded and reviewed on a regular basis (frequency is dependent on the criticality and sensitivity of the system and data) to ensure access remains in line with the restricted approach.

More information: https://commonplace.atlassian.net/l/cp/StpXL2W4

Expand
Does your organisation have an internal audit function that ensures information security requirements are being met by the business?
titleDoes your organisation have an internal audit function that ensures information security requirements are being met by the business?

Yes. Our ISMS is audited annually both internally and externally. along with other review mechanisms as part of our ISO27001 requirements.

More information: https://commonplace.atlassian.net/l/cp/3HgecJNc

Expand
Does your organisation conduct security risk assessments for your full IT estate at least annually? Do you have a formally documented and board level approved risk management framework? Do you conduct regular risk and control assessments taking into account the latest vulnerabilities and changes to the threat landscape?
titleDoes your organisation conduct security risk assessments for your full IT estate at least annually? Do you have a formally documented and board level approved risk management framework? Do you conduct regular risk and control assessments taking into account the latest vulnerabilities and changes to the threat landscape?

Yes, as part of ISMS we have a fully documented risk assessment and treatment process, which is reviewed regularly and at least annually. We maintain an organisation-wide risk register for IT and data security issues.

More information: https://commonplace.atlassian.net/l/cp/1z05F0ZZ

Expand
title Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties?

Does your organisation have a formal confidentiality or non disclosure agreement in place for all staff, contractors and third parties?

Yes.https://commonplace.atlassian.net/l/cp/DoyF2o8A

Expand
titleDoes your organisation segregate duties to prevent unauthorised disclosure or access to information?

Does your organisation segregate duties to prevent unauthorised disclosure or access to information?

Employees are granted access only to systems and resources required to complete their job functions. Administrative or other elevated permissions are strictly controlled and only granted when absolutely required. Generally, this is privileged access is only granted to those in more senior roles. eg. admin access to Commonplace platform infrastructure is only granted to the CPTO, Head of Technology and Tech Leads.

All access is recorded and reviewed on a regular basis (frequency is dependent on the criticality and sensitivity of the system and data) to ensure access remains in line with the restricted approach.

Only customer users with an admin login to Commonplace have access to any personal information about respondents:

  • Email addresses are not available in the current dashboard.

    • Personally identifiable information is not included in downloads.

    https://commonplace.atlassian.net/l/cp/TGfChHym

    Expand
    titleDoes your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?

    Does your organisation have a defined process that is followed when a client contract is terminated that includes the secure destruction of client data?

    Yes. Two years after the license ends at the latest, each project is archived and the responses are pseudonomised.https://commonplace.atlassian.net/l/cp/LZ4JWYHP

    Expand
    titleDoes your organisation use threat intelligence to inform decisions about information security?

    Does your organisation use threat intelligence to inform decisions about information security?

    Yes. We are subscribed to a number of newsletters from our vendors and other sources (inc UK NCSC) to maintain an overview of the security landscape across our application and network. All risks are logged in our risk registerhttps://commonplace.atlassian.net/l/cp/1de1J7Ys