Precisely Trust Center

Security

Marcus Johnston's headshot.

“The CISO Office leads with vision and vigilance—championing a global security strategy that not only protects our assets and ensures compliance, but also strengthens the foundation of customer trust. By anticipating risks and embedding resilience into our operations, we enable sustainable growth and uphold our commitments to stakeholders across the globe.”

Marcus Johnston
Chief Information Security Officer

Trust Through Security: Precisely’s Commitment to Information Protection

At Precisely, protecting the personal and confidential data of our customers, employees, and partners is foundational to our mission of delivering trusted data solutions. Our Information Security Management System (ISMS) is designed to uphold the highest standards of security and privacy, and is fully aligned with the ISO/IEC 27001:2022 framework.

Certification and Compliance

Precisely’s ISMS is:

  • Certified to ISO/IEC 27001 for SaaS platforms, support services, and strategic offerings worldwide
  • Mapped to SOC 2 Type II, CIS Controls, and NIST Cybersecurity Framework
  • Regularly audited and reviewed for continuous improvement

These frameworks guide our approach to risk management, control implementation, and regulatory alignment.

ISO 27001 Certification SOC3 Report

Governance and Oversight

Governance and Oversight

Security governance is led by our Chief Information Security Officer (CISO) and supported by:

  • Information Security GRC & Security Operations teams
  • Business Information Security Officers (BISOs)
  • Product security team
  • A federated infosec model

Our Executive Risk Board (ERB) and Information Risk Board (IRB) meet regularly to:

  • Align security posture with business objectives 
  • Review risk appetite and assessments 
  • Approve risk treatment plans 

Regulatory Alignment

Our Information Security Framework supports compliance with global regulations including but not limited to:

  • GDPR
  • CCPA/CPRA
  • HIPAA
  • UK DPA 2018
  • India DPDP Act 2023
  • NIS2
  • DORA
  • EU AI Act

We proactively monitor legal and regulatory changes to ensure our controls remain effective and up to date.

Technical and Organizational Measures for Security

Precisely’s Information Security Management System (ISMS) is aligned with ISO/IEC 27001:2022, SOC 2 Type II, CIS Controls, and the NIST Cybersecurity Framework to protect the confidentiality, integrity, and availability of data across our global operations.

Organizational Measures

  • Governance & Oversight
    Information Security Compliance Team leads, with oversight from Executive and Information Risk Boards.
    • Frequent security risk reviews and ongoing monitoring of emerging threats.
    • Robust risk mitigation strategy, regularly reviewed against risk appetite.
    • Independent internal audits to evaluate the effectiveness of controls.
    • Continuous improvement informed by audit outcomes. 
  • Information Security Policies
    Our comprehensive policy framework covers:
    • Information Security
    • Data Classification & Handling
    • Access Control & Identity Management
    • Asset Management & Physical Security
    • Acceptable Use
    •  Network & Cloud Security
    • Change Management, Security by Design & Secure Development
    • Incident Response & Business Continuity
    • Vendor Risk Management
    • Logging, Monitoring & Backup Standards
  • Training & Awareness
    • Mandatory security training for all employees.
    • Phishing simulations and targeted awareness campaigns.
    • Role-specific security expectations communicated prior to access provisioning.

  • Third-Party Risk Management
    • Vendor risk assessments and contractual clauses for data protection.
    • Sub-processor oversight and breach notification protocols.

  • Documentation & Communication
    • ISMS documentation is published on the corporate intranet.
    • Updates are communicated via email, training, and meetings.

Technical Measures

  • Access Control
    • Role-based access provisioning and de-provisioning.
    • Multi-factor authentication (MFA) and password policies.
  • Data Protection
    • Encryption at rest and in transit using industry-standard algorithms.
    • Secure data sanitization and destruction practices.
  • Network & Cloud Security
    • Firewalls, IDS/IPS, and network segmentation.
    • Cloud-specific controls aligned with ISO 27017 and NIST SP 800-144.
  • Monitoring & Logging
    • Centralized logging and continuous monitoring.
    • SIEM integration for threat detection and response.
  • Vulnerability & Patch Management
    • Automated vulnerability scanning and patch deployment.
    • Remediation tracked via risk logs and action trackers.
  • Incident Response
    • Formal incident response plans tested annually.
    • SLA-based notification procedures for stakeholders.
  • Secure Development
    • Static (SAST), dynamic (DAST), and software composition analysis (SCA).
    • Threat modelling and secrets detection integrated into CI/CD pipelines.
  • Penetration Testing
    • Annual internal and external penetration testing by certified third parties.
    • Results are used to validate and remediate vulnerabilities.
Expanding Splunk to Monitor & Analyze IBM i Security Data

Physical Security Measures

  • Facility Access Controls
    • Badge-based access systems and visitor escort policies.
  • Surveillance & Monitoring
    • CCTV coverage in sensitive areas with retention policies.
  • Environmental Controls
    • Fire suppression, temperature/humidity monitoring, and backup power systems.
  • Asset Protection
    • Locked storage for sensitive media and secure disposal procedures.
  • Remote Work Guidelines
    • VPN usage, screen locks, and physical device protection protocols.

People Security Controls

  • Onboarding & Role Assignment
    • Security responsibilities are communicated before access is granted.
    • Access rights are limited to job-relevant systems and data.
  • Security Awareness & Accountability
    • All personnel are required to complete annual security training.
    • Managers are responsible for enforcing security policies and may initiate disciplinary action for violations.
  • Policy Enforcement
    • Employees, contractors, and third parties must adhere to Precisely’s Acceptable Use and Information Security policies.
    • Violations are subject to investigation and potential disciplinary measures.
  • Social Engineering & Phishing Defence
    • Company-wide phishing simulations and awareness campaigns.
    • Reporting mechanisms for suspicious messages via the Cybersecurity Operations Center (CSOC).
  • Security Culture
    • Precisely promotes a federated security model where every employee is responsible for protecting company assets and data.

 AI Security Controls

  • AI Risk Screening & Governance
    • All AI use cases undergo cross-functional assessments including InfoSec, Legal, and Privacy reviews.
  • Supplier AI Security
    • Precisely’s Supplier Security Requirements for AI mandates:
      • Secure model training and deployment environments.
      • Data minimization and anonymization.
      • Logging and monitoring of AI interactions.
      • Breach notification and incident response protocols.
AI readiness
The Role of Tape Management Systems on zOS

Continuous Improvement

  • Internal audits and management reviews drive enhancements.
  • Key Performance Indicators (KPIs), risk logs, and action trackers measure ISMS effectiveness.
  • Feedback from assessments and customer questionnaires informs updates.