At AUIT, information security is fundamental to how we operate and deliver services. We are proud to be independently audited and certified compliant with ISO/IEC 27001:2022, the international standard for information security management systems (ISMS). A copy of our certification is available on request and linked on our company websites.
This policy outlines AUIT’s overarching commitment to protecting information assets and managing information security risks. It applies to all subsidiaries and staff across the Group.
AUIT, headquartered at 14/98 Sawmill Circuit, Hume ACT 2620, operates in IT and communication services. We are committed to ensuring the confidentiality, integrity, and availability of both physical and digital information assets that support our business and our customers.
Our ISMS aligns with our business goals and the needs of our stakeholders. It is designed to:
We maintain clear, measurable objectives for information security, aligned with ISO 27001, and review them regularly as part of our risk management and continuous improvement process.
We manage security through a structured risk management framework.
Supporting policies and procedures ensure that security measures are effectively implemented and communicated throughout the organisation.
Our Management Review Board, led by the Chief Information Security Officer (CISO), oversees the ISMS. The board includes senior leadership and relevant specialists and is responsible for reviewing risks, policies, and security performance.
All staff and relevant external parties within the ISMS scope are required to comply with this policy and undergo appropriate security training.
We define information security as preserving the:
These principles apply to all formats of information (digital, printed, verbal) and the systems and devices used to store or process them.
This policy and the ISMS are reviewed at least annually or in response to significant business or risk changes. Our commitment includes maintaining ISO 27001 certification and other relevant accreditations.
This policy is owned by the Chief Executive Officer (CEO) and is maintained in accordance with ISO 27001 requirements. It is reviewed and approved by the Management Review Board on a version-controlled basis.