Updated on 1 July 2023


Definitions

The following definitions are used in this policy:

Information Security Management System means the Iress information security management system, as more particularly described in paragraph 1 of this policy.

Input Data has the meaning set out in the Terms and Conditions for the Supply of Software and Services.

Penetration Testing has the meaning set out in paragraph 5 of this policy.

Penetration Testing Attestation has the meaning set out in paragraph 5 of this policy.

Security Control Weakness means the identification by Iress of a vulnerability within its Information Security Management System that has (or is likely to have) a materially adverse impact on the Iress Services.

Security Incident means the unauthorised access, disclosure, loss of, or alteration to, the Input Data caused by a Security Control Weakness.


Information Security

1. Iress shall operate an Information Security Management System that is aligned with the international security standard ISO/IEC 27001:2013, or equivalent international standard. The Information Security Management System shall encompass the following control areas:

(a) Information security policies;

(b) Organisation of information security;

(c) Human resource security;

(d) Asset management;

(e) Access control;

(f) Cryptography;

(g) Physical and environmental security;

(h) Operations security;

(i) Communications security;

(j) System acquisitions, development and maintenance;

(k) Supplier relationships;

(l) Information security incident management;

(m) Information security aspects of business continuity management; and

(n) Compliance.

2. Iress shall operate the following software security controls which, in each case, shall align to the Open Web Application Security Project (OWASP) Application Security Standard 4.0, or equivalent international standard:

(a) Architecture, design and threat modelling;

(b) Data protection verification;

(c) Error handling and logging verification;

(d) Stored cryptography verification;

(e) Validation, sanitisation and encoding verification;

(f) Access control verification;

(g) Session management verification;

(h) Authentication verification;

(i) Communications verification;

(j) Malicious code verification;

(k) Business logic verification;

(l) File and resources verification;

(m) API and web service verification; and

(n) Configuration verification.

3. Where relevant to any hosted Iress Services provided to the Customer, Iress shall operate the following platform security controls which, in each case, shall align to Centre for Internet Security (CIS) version 7, or equivalent international standard:

(a) Inventory and control of hardware assets;

(b) Inventory and control of software assets;

(c) Continuous vulnerability management;

(d) Controlled use of administrative privileges;

(e) Secure configuration for hardware and software on mobile devices, laptops, workstations and servers;

(f) Maintenance, monitoring and analysis of audit logs;

(g) Email and web browser protections;

(h) Malware defences;

(i) Limitation and control of network ports, protocols, and services;

(j) Data recovery capabilities;

(k) Secure configuration for network devices, such as firewalls, routers and switches;

(l) Boundary defence;

(m) Data protection;

(n) Controlled access based on the need to know;

(o) Wireless access control; and

(p) Account monitoring and control.

4. Where relevant to any hosted Iress Services being provided to the Customer, Iress shall operate the following physical and environmental security controls which, in each case, shall align to ISO/IEC 27001:2013, or equivalent international standard:

(a) Physical entry controls;

(b) Securing offices, rooms and facilities;

(c) Protecting against external and environmental threats;

(d) Working in secure areas;

(e) Delivery and loading areas;

(f) Equipment siting and protection;

(g) Supporting utilities;

(h) Cabling security;

(i) Equipment maintenance;

(j) Removal of assets;

(k) Security of equipment and assets off-premises;

(l) Secure disposal or reuse of equipment;

(m) Unattended user equipment; and

(n) Clear desk and clear screen policy.


Security Testing

5. Iress shall, on an annual basis, undertake penetration testing of the Software which forms part of the Iress Services provided to the Customer (“Penetration Testing”). Iress shall produce a letter of attestation citing any material vulnerabilities identified during the Penetration Testing process (“Penetration Testing Attestation”). Upon written request, Iress shall make the latest Penetration Testing Attestation available to the Customer.

Notification

6. Iress shall, as soon as possible (and where reasonably practicable within 72 hours after becoming aware) notify the Customer of:

i. a Security Incident; and
ii. a Security Control Weakness,

and shall provide all relevant information within its possession.

7. Iress shall remedy any Security Control Weakness as soon as reasonably practicable, and will provide the Customer with timely updates until the Security Control Weakness is remedied.

Version control

1 July 2021: Date of first publication on the website.
1 July 2022: Update to paragraph 7.
1 July 2023: References to “Customer Data” changed to “Input Data”. Clauses 3 and 4: references to “hosted services” changed to “hosted Iress Services”.