Maverick Certification Services is committed to protecting the confidentiality, integrity, and availability of all information assets, including client data, certification records, and proprietary information. As a certification body delivering ISO 27701 and SOC 2 certification services, we maintain robust information security practices aligned with international standards. This policy establishes the framework for managing information security risks and ensuring the protection of sensitive information throughout our operations.
Security Objectives
Our information security program is built on three fundamental objectives:
Confidentiality
Ensuring that information is accessible only to those authorized to have access and protecting client and certification data from unauthorized disclosure.
Integrity
Safeguarding the accuracy and completeness of information and processing methods, ensuring certification records remain unaltered and trustworthy.
Availability
Ensuring that authorized users have access to information and associated assets when required for certification and business operations.
Our Security Commitments
Maverick Certification Services and all members of its team commit to and adhere to the following information security policies:
- MCS will implement and maintain an Information Security Management System (ISMS) aligned with ISO 27001 principles to systematically manage information security risks.
- All information assets will be classified according to their sensitivity and criticality, with appropriate controls applied based on their classification level.
- Access to information systems and data will be granted on a need-to-know basis, with the principle of least privilege applied to all user accounts and system access.
- MCS will implement layered security controls including firewalls, intrusion detection systems, encryption, and anti-malware solutions to protect against external and internal threats.
- All personnel will receive regular information security awareness training and will be required to acknowledge and comply with this policy and related security procedures.
- Client certification records and sensitive data will be encrypted both in transit and at rest using industry-standard encryption algorithms and protocols.
- MCS will conduct regular security assessments, including vulnerability scans and penetration testing, to identify and address security weaknesses.
- Third-party suppliers and service providers with access to MCS information will be subject to security requirements and regular assessments to ensure adequate protection.
- MCS will maintain documented incident response procedures and will promptly investigate and respond to any suspected or confirmed security incidents.
- Business continuity and disaster recovery plans will be maintained and tested regularly to ensure the availability of critical systems and data.
Security Control Framework
MCS implements comprehensive security controls across the following domains:
- Access Control
- Network Security
- Data Protection
- Physical Security
- Operations Security
- Human Resources
Incident Response
MCS maintains a structured approach to managing information security incidents:
Detection & Reporting
All personnel are required to immediately report any suspected security incidents through designated channels.
Assessment & Triage
Incidents are assessed for severity and impact, with appropriate escalation to the incident response team.
Containment & Eradication
Immediate actions are taken to contain the incident and prevent further damage, followed by root cause elimination.
Recovery & Restoration
Affected systems and services are restored to normal operation with verification of security controls.
Lessons Learned
Post-incident reviews are conducted to identify improvements and prevent recurrence of similar incidents.
Business Continuity
- MCS maintains business continuity plans to ensure the continued availability of critical certification services in the event of disruption.
- Regular backups of all critical data and systems are performed and stored securely at off-site locations with tested recovery procedures.
- Business continuity and disaster recovery plans are tested at least annually, with results documented and improvements implemented.
- Recovery time objectives (RTO) and recovery point objectives (RPO) are defined for all critical systems and regularly reviewed.
Compliance & Standards
Our information security practices are aligned with the following standards and frameworks:
MCS conducts regular internal audits and management reviews to ensure ongoing compliance with these standards and continuous improvement of our security posture.
Policy Review & Updates
- This Information Security Policy is reviewed at least annually by senior management and updated as necessary to address changes in threats, technology, or business requirements.
- All personnel are notified of significant policy changes and are required to acknowledge their understanding and compliance with updated requirements.
- The effectiveness of security controls is monitored through regular assessments, audits, and key performance indicators reported to management.
