Security Framework

Introduction

We work with organizations in law enforcement, cybersecurity, and government sectors where security is a baseline expectation.

Our security framework defines how we manage information security risk across the company, from governance and operations to product development and infrastructure.

The framework covers:

• The operations of software development, sale and associated support
• All information assets processed and managed and all systems and services where information is processed by Cambridge Intelligence
• IT and telecommunications devices owned by Cambridge Intelligence
• Information stored and processed at the registered office address

1. ISO 27001 Certification
2. Framework Overview
3. Governance and Commitment
4. Risk Management
5. People and Training
6. Physical Security
7. Technical Security
8. Continuous Improvement
9. Customer Benefits

ISO 27001 certification

ISO 27001 is an internationally recognised standard for managing information security risk. It provides independent assurance that we have defined, implemented and continue to maintain appropriate policies, processes, and controls across our organization.

For our customers this means:

• Security risks are identified, assessed and managed systematically
• Controls are reviewed and audited independently
• Security is embedded into how we run the company, not as an afterthought

Cambridge Intelligence has implemented an information security management system that is certified to ISO 27001:2022 for the operations of software development, sale and associated support, all information assets processed and managed and all systems and services where information is processed by Cambridge Intelligence.

Security framework overview

Our security framework is designed around three core principles:

1. Governance and accountability
Security is owned at the company level, with defined responsibilities and management oversight.

2. Risk-based operations
We assess threats, vulnerabilities and impacts to prioritise controls where they matter most.

3. Continuous improvement
Security controls, processes, and risks are reviewed regularly and improved over time.

This framework underpins all operational, technical and organizational controls described below.

Governance and company commitment

• Security is supported and overseen by senior management
• Roles and responsibilities for information security are formally defined
• Security policies and procedures apply across the organization
• Internal audits are conducted to assess effectiveness and compliance

Security is treated as an ongoing operational responsibility, not a once-off certification exercise.

Risk management and operational controls

Information and data protection

• Information classification to ensure appropriate handling and access
• Defined data privacy and retention principles
• Asset management covering systems, devices, and information assets

Threat and vulnerability management, and incident response

• Threat intelligence used to inform risk assessments
• Vulnerability management
• Automatic updating of key software
• Defined incident response procedures
• Logging, monitoring and escalation processes to detect and respond to security events

Third-party and supplier management

• Risk-based assessment of suppliers and service providers
• Ongoing review of third-party security posture
• Controls governing access to systems and information

People, training and access management

Security controls extend beyond technology to people and processes.

Training and awareness

• Mandatory security awareness training during onboarding
• Ongoing training covering information security and phishing awareness
• Regular reinforcement of security responsibilities via elearning and in-person training

Access management

• Role-based access to systems and information
• Onboarding and offboarding processes to manage access change
• Periodic access reviews

Physical and office security

• Controlled access to office locations
• CCTV
• Out of hours security patrols
• Alarm system
• Secure handling of devices and workspaces, including desk/screen policies
• Minimal infrastructure onsite

Technical and platform security

Key infrastructure and platform

• Workspace: Google Workspace
• Cloud platform: AWS

Security controls include:

• Centralized logging and monitoring
• Network security with minimal internal infrastructure exposure
• Encryption of data where appropriate
• Backup and recovery processes, including monthly recovery drills

Secure software development

• Security is embedded into our software development practices.
• Secure software development policy
• Defined software development lifecycle
• Vulnerability and patch management processes
• Penetration testing conducted annually.

These controls apply to the development and maintenance of our SDKs and supporting systems.

Continuous improvement

Our security framework is reviewed and improved on an ongoing basis through:

• Regular internal audits
• Management review of security risks and controls
• Updates driven by audit findings

This ensures our security posture evolves alongside changes in technology and risk.

What this means for our customers

For customers, our security framework and ISO certification provide:

• Reduced vendor risk
• A consistent and certified security posture
• Faster procurement and security reviews
• Alignment with enterprise and government security expectations
• Customer data remains under customer control, consistent with our deployment and architecture model

Our products are designed to support secure deployment models that align with customer-controlled environments and policies.

Contact

If you require additional security or compliance information for procurement or risk assessment purposes, please contact us.

Read more in our Privacy Policy.