Our Information Governance

iCONX Information Governance Programme

Given both the nature and volume of the data we process, information technology management and governance has always had a seat at our top table. We have been COBIT-aligned since 2003, and have consistently exceeded expectations when undergoing customer-commissioned audits such as SOX compliance reviews.

In tandem with customer-initiated audits, the iCONX information governance programme has continually delivered independent assurance to customers, based on international standards and best-practice frameworks, as to the privacy, confidentiality, security, integrity and availability of their data.

Continue reading about our information governance programme initiatives below, and direct any questions you may have by email to our CISM-certified Chief Information Security Officer.

AICPA SOC 2 Privacy Trust Service Principle / GDPR

Today, with enforcement of the GDPR (Regulation (EU) 2016/679) just around the corner, and with iCONX being a large-scale processor of personal data on behalf of customers, we aim to demonstrate GDPR compliance through an independent audit against an established audit standard, well in advance of the May 2018 deadline.

The audit standard is AICPA SOC 2 and its underpinning trust service principles. The audit and subsequent reporting will be carried out by Grant Thornton. For further information, contact our Data Protection Officer.

ISO/IEC 20000:2011 IT Service Management

In 2016 we decided to further enhance our governance model through adoption of, and certification to, the ISO/IEC 20000:2011 standard, thereby assuring customers of our systematic, best-practice approach to the design, transition, delivery and improvement of our ASP services.

The stage I & II audits will be carried out by our accredited partner Certification Europe during 2017.

ISO 22301:2012 Business Continuity Certification

In 2015 we decided to further enhance our governance model through adoption of, and certification to, the ISO 22301:2012 standard, thereby assuring customers of our systematic, best-practice approach to managing business continuity risk.

A key component of the programme was the upgrade of our information systems infrastructure stack at our primary and secondary data centres, DB2 and DB3.

The ISO 22301 audits were carried out by our accredited partner Certification Europe. The certificate is valid for 3 years from June 2016. During the 3-year period of validity, we undergo surveillance audits at six-monthly intervals to maintain the certification.

The current certificate may be viewed here 

ISO/IEC 27001:2013 Information Security Certification

In 2014 we decided to further enhance our governance model through adoption of, and certification to, the ISO/IEC 27001:2013 standard, thereby assuring customers of our systematic, best-practice approach to managing information security risk.

The ISO 27001 audits were carried out by our accredited partner Certification Europe. The certificate is valid for 3 years from June 2016. During the 3-year period of validity, we undergo surveillance audits at six-monthly intervals to maintain the certification.

Our control set for the audits consisted of all 114 Annex A controls specified in the ISO/IEC 27001:2013 standard, with no exclusions in our Statement of Applicability scope.

The current certificate may be viewed here 

AICPA SOC 1 SSAE 16 – Independent Audit Report

In 2015 we initiated an internal project culminating in the 2016 issuance of an AICPA SOC 1 SSAE 16 Type II report. The purpose of a SOC 1 Type II report is to provide our stakeholders with independent assurance regarding the adequacy and operating effectiveness of the information system controls applied to customer data hosted within our ASP over a defined period.

The audit and subsequent reporting were carried out by Grant Thornton. Our control set for the SOC 1 audits was based on the ITIL 2011 framework.

Data Protection – Audit Report / GDPR alignment

In 2014 we initiated an internal data protection project with a view to establishing our readiness for the now-imminent enforcement of the GDPR (Regulation (EU) 2016/679).

An industry recognised subject matter expert audited our control environment. The subsequent audit report and recommendations fed into our continual improvement cycle and provided a strong starting point on our road to GDPR compliance.

AICPA SAS 70 – Independent Audit Report

In 2008 we initiated an internal project culminating in the 2009 issuance of an AICPA SAS 70 Type I report. The purpose of this independent report, based on the SAS 70 standard, was to provide our customers with independent assurance regarding the adequacy of the design of the information system controls applied to customer data hosted within our ASP.

The audit and subsequent reporting were carried out by Grant Thornton. Our controls were based on the ISACA COBIT framework.