Governance, Risk & Compliance

AI Governance & Acceptable Use

  • Use of artificial intelligence is governed by an AI governance and acceptable-use policy, with organizational guidance covering acceptable use and the handling of sensitive data.
  • Generative-AI access is provided through a managed enterprise account, and any new AI tool or product is evaluated and approved by a dedicated committee before adoption.
  • A structured AI enablement program provides user awareness, training, use-case evaluation, and formal instruction on appropriate and effective use of generative-AI tools.

Featured Alignment: NIST CSF GV.PO; NIST AI RMF (Govern, Manage); GDPR Art. 5, 32; ISO 27001:2022 A.5.10

Approved

Annual Program Review & Continuous Improvement

  • The cybersecurity program undergoes a formal annual review of governance, control effectiveness, maturity, and compliance.
  • Security objectives are established, tracked, and formally reviewed on an annual cycle.
  • An independent third-party program review periodically assesses effectiveness and improvement opportunities.

Featured Alignment: NIST CSF GV.OV, ID.IM; GDPR Art. 32(1)(d), 24; ISO 27001:2022 A.5.35 (Cl. 9-10)

Approved

Established Security Program & Executive Governance

  • A dedicated cybersecurity function led by an accountable CISO operates under a documented program charter aligned to the NIST Cybersecurity Framework.
  • Cybersecurity risk is governed through a recurring executive reporting cadence covering objectives, projects, threats, training, and incidents.
  • A formal IT portfolio-governance process provides regular project status reporting to executive leadership.

Framework Alignment: NIST CSF GV.OC, GV.RM, GV.OV; SOC 1 Type II; GDPR Art. 24, 5(2); ISO 27001:2022 A.5.1, A.5.2

Approved

Independent Audits & Regulatory Mapping

  • A formal risk register and risk-exception workflow document, own, and track risks, reviewed in recurring leadership reporting.
  • Risk is assessed against the NIST Cybersecurity Framework, with a documented baseline and a prioritized remediation roadmap.
  • The risk-management program defines roles, responsibilities, and risk strategy, and incorporates third-party risk management.

Framework Alignment: NIST CSF GV.RM, ID.RA; GDPR Art. 35, 24; ISO 27001:2022 Cl. 6.1

Approved

Security Awareness & Training

  • All employees participate in an ongoing security awareness program, including short-form monthly training and quarterly instructor-led sessions, supplemented by a dedicated new-hire onboarding track.
  • Training content is risk-aligned, with targeted material for higher-risk audiences such as executives and finance.
  • Recurring phishing simulations are conducted, with engagement reinforced by linking simulation performance to performance incentives.

Featured Alignment: NIST CSF PR.AT; CIS Control 14; GDPR Art. 32, 39; ISO 27001:2022 A.6.3

Approved

Security Policy Framework & Exception Management

  • A complete cybersecurity policy suite (information security, access management, vulnerability and patch management, data classification, and more) is maintained and reviewed at least annually.
  • Policy exceptions follow a formal request, approval, and tracking workflow with a documented audit trail.
  • Standards of conduct are enforced through a formal disciplinary process.

Framework Alignment: NIST CSF GV.PO; GDPR Art. 24, 5(2); ISO 27001:2022 A.5.1, A.5.37

Approved
