Compliance & Audit
Living repository of certifications, audit reports and the enterprise risk register. Maintained jointly by IT, Risk and Internal Audit.
- ISO/IEC 27001:2022 — Certified; valid until Aug 2027
- SOC 2 Type II — Report dated Jan 2026
- DPDP Act 2023 — Compliant; DPO appointed
- PCI-DSS v4.0 — Scoped to the payments enclave
Document Repository
| Name | Owner | Modified |
|---|---|---|
| ISO 27001 Statement of Applicability v6 | Security GRC | 02 May 2026 |
| Internal Audit Report — Q1 2026 | Internal Audit | 28 Apr 2026 |
| SOC 2 Type II — Final Report | External Auditor | 15 Mar 2026 |
| Risk Treatment Plan 2026 | CISO Office | 10 Mar 2026 |
| DPDP Compliance Assessment | DPO | 02 Mar 2026 |
| Vendor Risk Assessment Pack | Procurement | 27 Feb 2026 |
| BCP/DR Test Evidence — Q4 2025 | Operations | 18 Jan 2026 |
| Access Recertification Log | IAM Team | 12 Jan 2026 |
Top Enterprise Risks
| ID | Rating | Risk | Treatment | Controls in place |
|---|---|---|---|---|
| R-001 | HIGH | Ransomware on production servers | Treat | EDR + immutable backups |
| R-007 | HIGH | Third-party SaaS data exposure | Treat | DLP + quarterly vendor reviews |
| R-012 | MED | Insider data leakage | Treat | UEBA monitoring + DLP rules |
| R-018 | MED | Cloud misconfiguration | Treat | Daily CSPM scans |
| R-024 | MED | Unpatched legacy systems | Mitigate | Network segmentation + patch waiver |
| R-031 | LOW | Phishing leading to credential theft | Monitor | MFA + awareness training |