Information Security Management System Policy - EthosGov
PLACEHOLDER: This is a drafting placeholder, not a finalised ISMS Policy. Requires security / compliance review and alignment with ISO 27001 certification activities before publication. Hand to CISO (or commissioned auditor) for full ISMS documentation.
Last updated: 18 April 2026
EthosGov is committed to protecting the confidentiality, integrity and availability of the information entrusted to us by our customers. This Policy establishes the framework for our Information Security Management System (ISMS), aligned with ISO/IEC 27001.
1. Scope
This Policy applies to:
- All EthosGov employees, contractors and agents.
- All EthosGov systems, platforms (www.ethosgov.io, app.ethosgov.io) and infrastructure.
- All Customer Data processed by EthosGov.
- All sub-processors engaged to support the Service.
2. Objectives
- Protect the confidentiality, integrity and availability of Customer Data.
- Meet legal, regulatory and contractual information security obligations.
- Support customer compliance with Australian state and federal privacy and education data requirements.
- Continuously improve security maturity through risk assessment, review and audit.
3. Governance
Information security is governed by the CEO and, where appointed, the Chief Information Security Officer. Security responsibilities are defined across engineering, operations, and commercial roles.
4. Risk Management
EthosGov maintains an information security risk register that is assessed and reviewed at least quarterly. Controls are selected on the basis of the identified risks and mapped to ISO/IEC 27001 Annex A.
5. Access Control
- Principle of least privilege.
- Multi-factor authentication for administrative access.
- Role-based access controls for Customer Data.
- Quarterly access reviews.
6. Data Protection
- Encryption in transit (TLS) and at rest.
- Australian data residency for Customer Data by default.
- Backup and disaster recovery procedures tested at least annually.
- Secure disposal of media.
7. Incident Management
- Documented incident response plan.
- Notification of eligible data breaches in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
- Customer notification timelines set out in agreements.
- Post-incident review applied to every significant event, with findings fed back into the risk register.
8. Vendor Management
Sub-processors are assessed for security posture before engagement and reviewed periodically. A current sub-processor list is available to customers on request.
9. Training and Awareness
All staff and contractors complete security training at onboarding and at least annually. Role-specific training is provided for engineering, customer-facing and administrative roles.
10. Continuous Improvement
The ISMS is reviewed at least annually. Improvement actions from audits, incidents and risk assessments are tracked to closure.
11. Changes
Material changes to this Policy are communicated internally and published here.
12. Contact
For customer-specific security questions: contact your account lead or security@ethosgov.io.
Related policies: Terms of Service | Privacy Policy | Cookie Policy | Code of Conduct