“The CISO Office leads with vision and vigilance—championing a global security strategy that not only protects our assets and ensures compliance, but also strengthens the foundation of customer trust. By anticipating risks and embedding resilience into our operations, we enable sustainable growth and uphold our commitments to stakeholders across the globe.”

Marcus Johnston
Chief Information Security Officer

Trust Through Security: Precisely’s Commitment to Information Protection

At Precisely, protecting the personal and confidential data of our customers, employees, and partners is foundational to our mission of delivering trusted data solutions. Our Information Security Management System (ISMS) is designed to uphold the highest standards of security and privacy, and is fully aligned with the ISO/IEC 27001:2022 framework.

Certified and Compliant

Precisely’s ISMS is:

  • Certified to ISO/IEC 27001 for SaaS platforms, support services, and strategic offerings worldwide
  • Mapped to SOC 2 Type II, CIS Controls, and NIST Cybersecurity Framework
  • Regularly audited and reviewed for continuous improvement

These frameworks guide our approach to risk management, control implementation, and regulatory alignment.

Governance and Oversight

Security governance is led by our Chief Information Security Officer (CISO) and supported by:

  • Information Security & Security Operations teams
  • Business Information Security Officers (BISOs)
  • Product security team
  • A federated infosec model

Our Executive Risk Board (ERB) and Information Risk Board (IRB) meet regularly to:

  • Review risk assessments
  • Approve corrective actions
  • Align security posture with business objectives

Regulatory Alignment

Our ISMS supports compliance with global regulations including but not limited to:

  • GDPR
  • CCPA/CPRA
  • HIPAA
  • UK DPA 2018
  • India DPDP Act 2023
  • NIS2
  • DORA
  • EU AI Act

We proactively monitor legal and regulatory changes to ensure our controls remain effective and up to date.

Technical and Organizational Measures for Security

Precisely’s Information Security Management System (ISMS) is aligned with ISO/IEC 27001:2022, SOC 2 Type II, CIS Controls, and the NIST Cybersecurity Framework to protect the confidentiality, integrity, and availability of data across our global operations.

Organizational Measures

  • Governance & Oversight
    • Led by the Information Security Compliance Team, with oversight from the Executive Risk Board and Information Risk Board.
    • Policies are version-controlled and reviewed through formal change management.
  • Information Security Policies
    Our comprehensive policy framework covers:
    • Information Security
    • Data Classification & Handling
    • Access Control & Identity Management
    • Asset Management & Physical Security
    • Acceptable Use
    • Network & Cloud Security
    • Change Management, Security by Design & Secure Development
    • Incident Response & Business Continuity
    • Vendor Risk Management
    • Logging, Monitoring & Backup Standards
  • Training & Awareness
    • Mandatory security training for all employees.
    • Phishing simulations and targeted awareness campaigns.
    • Role-specific security expectations communicated prior to access provisioning.
  • Third-Party Risk Management
    • Vendor risk assessments and contractual clauses for data protection.
    • Sub-processor oversight and breach notification protocols.
  • Documentation & Communication
    • ISMS documentation is published on the corporate intranet.
    • Updates are communicated via email, training, and meetings.

Technical Measures

  • Access Control
    • Role-based access provisioning and de-provisioning.
    • Multi-factor authentication (MFA) and password policies.
  • Data Protection
    • Encryption at rest and in transit using industry-standard algorithms.
    • Secure data sanitization and destruction practices.
  • Network & Cloud Security
    • Firewalls, IDS/IPS, and network segmentation.
    • Cloud-specific controls aligned with ISO 27017 and NIST SP 800-144.
  • Monitoring & Logging
    • Centralized logging and continuous monitoring.
    • SIEM integration for threat detection and response.
  • Vulnerability & Patch Management
    • Automated vulnerability scanning and patch deployment.
    • Remediation tracked via risk logs and action trackers.
  • Incident Response
    • Formal incident response plans tested annually.
    • SLA-based notification procedures for stakeholders.
  • Secure Development
    • Static (SAST), dynamic (DAST), and software composition analysis (SCA).
    • Threat modelling and secrets detection integrated into CI/CD pipelines.
  • Penetration Testing
    • Annual internal and external penetration testing by certified third parties.
    • Results are used to validate and remediate vulnerabilities.

Physical Security Measures

  • Facility Access Controls
    • Badge-based access systems and visitor escort policies.
  • Surveillance & Monitoring
    • CCTV coverage in sensitive areas with retention policies.
  • Environmental Controls
    • Fire suppression, temperature/humidity monitoring, and backup power systems.
  • Asset Protection
    • Locked storage for sensitive media and secure disposal procedures.
  • Remote Work Guidelines
    • VPN usage, screen locks, and physical device protection protocols.

People Security Controls

  • Onboarding & Role Assignment
    • Security responsibilities are communicated before access is granted.
    • Access rights are limited to job-relevant systems and data.
  • Security Awareness & Accountability
    • All personnel are required to complete annual security training.
    • Managers are responsible for enforcing security policies and may initiate disciplinary action for violations.
  • Policy Enforcement
    • Employees, contractors, and third parties must adhere to Precisely’s Acceptable Use and Information Security policies.
    • Violations are subject to investigation and potential disciplinary measures.
  • Social Engineering & Phishing Defence
    • Company-wide phishing simulations and awareness campaigns.
    • Reporting mechanisms for suspicious messages via the Cybersecurity Operations Center (CSOC).
  • Security Culture
    • Precisely promotes a federated security model where every employee is responsible for protecting company assets and data.

AI Security Controls

  • AI Risk Screening & Governance
    • All AI use cases undergo cross-functional assessments including InfoSec, Legal, and Privacy reviews.
  • Supplier AI Security
    • Precisely’s Supplier Security Requirements for AI mandates:
      • Secure model training and deployment environments.
      • Data minimization and anonymization.
      • Logging and monitoring of AI interactions.
      • Breach notification and incident response protocols.

Continuous Improvement

  • Internal audits and management reviews drive enhancements.
  • KPIs, risk logs, and action trackers measure ISMS effectiveness.
  • Feedback from assessments and customer questionnaires informs updates.

Message from the CISO

“At the heart of our global security strategy, the CISO Office is committed to protecting company assets, ensuring regulatory compliance, and preserving customer trust. Through proactive risk management and robust security controls, we empower business growth while upholding our responsibilities to investors, regulators, and customers.”

Marcus Johnston
Chief Information Security Officer