Effective Date: 1 January 2025
Version: 1.0 — Ultra-Final (Djenie Edition)

1. INTRODUCTION

In Delay There Lies No Plenty Pty Ltd ACN 162 881 138 ATF Future Thinking Family Trust t/a Djenie ABN 98 399 797 036 (“Djenie”) maintains a multi-layered, standards-aligned security and governance program designed to safeguard membership data, client information, critical systems, and operational infrastructure.
As the technology and data custodian behind major membership platforms—including the Scouts QLD Membership Management System (SMS v2)—Djenie applies rigorous controls aligned with international security frameworks.
This overview outlines:

  • Current security controls
  • Governance and accountability structures
  • Data protection obligations
  • Supplier assurance processes
  • AI security considerations
  • Roadmap to ISO/IEC 27001:2022 certification

2. SECURITY GOVERNANCE

Accountable Executive: Chief Executive Officer
Security & Compliance Lead: Oversees ISMS alignment, risk registers, IAM governance, supply-chain security, and incident response.
Data Protection Lead: Ensures compliance with the Australian Privacy Act, GDPR/UK GDPR, CPRA, PIPL, and Latin American data protection laws such as Brazil's LGPD.
Technology Leadership: Manages secure architecture, DevSecOps pipelines, cloud configuration, and monitoring.
The program aligns with:

  • ISO/IEC 27001:2022
  • ISO/IEC 27701 (Privacy Information Management)
  • NIST Cybersecurity Framework 2.0
  • Australian Information Security Manual (ISM)
  • APRA CPS 234 expectations for supplier security
  • CSA Cloud Controls Matrix

3. SECURITY FRAMEWORK ALIGNMENT

Djenie integrates ISO/IEC 27001:2022 Annex A controls across:

  • Organisational controls
  • People controls
  • Physical controls
  • Technological controls

NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) are mapped to internal processes to maintain a complete security posture.

4. CURRENT SECURITY CONTROLS

4.1 Identity & Access Management (IAM)

  • Least-privilege role-based access control (RBAC)
  • Multi-factor authentication (MFA) across admin and sensitive systems
  • Automated deprovisioning workflows
  • Periodic access certifications

4.2 Encryption & Data Protection

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Encrypted backups
  • Data minimisation and retention enforcement

4.3 Network & Infrastructure Security

  • Secure cloud configuration management
  • Segmented network environments
  • Web Application Firewall (WAF)
  • Intrusion/abnormal behaviour monitoring

4.4 Application Security (Secure SDLC)

  • Threat modelling for key modules
  • Code reviews and approval gates
  • SAST/DAST scanning
  • Dependency and container vulnerability scanning
  • OWASP ASVS-aligned controls

4.5 Vulnerability Management

  • Automated scanning of production and staging environments
  • CVSS-based severity scoring
  • Patching SLAs based on risk tier
  • Continuous monitoring through SIEM tooling

4.6 Operational Security

  • 24/7 log collection and centralised monitoring
  • Privileged access monitoring
  • Internal audit and metric-driven reviews

4.7 Incident Response

  • ISO-aligned IR procedures
  • Severity classification and escalation matrix
  • Regulator notification workflows for personal data breaches (e.g. the OAIC under the Notifiable Data Breaches scheme; the relevant supervisory authority within 72 hours under GDPR Article 33)
  • Joint BC/DR invocation triggers
  • Forensic logging and chain-of-custody procedures

4.8 Business Continuity & Disaster Recovery

  • ISO 22301-aligned DR strategy
  • Multi-region redundancy
  • RPO/RTO targets:
    • Critical service RTO ≤ 4 hours
    • Critical data RPO ≤ 1 hour

5. SUPPLIER & SUBPROCESSOR SECURITY

Djenie requires critical suppliers to:

  • Undergo formal security assessments
  • Provide evidence of certifications (ISO 27001, SOC 2, etc.)
  • Maintain BCP/DR programs
  • Support contractual data protection requirements
  • Provide ongoing assurance documentation

All subprocessors must meet controls at least equivalent to those Djenie applies to its own environment.

6. DATA PROTECTION & PRIVACY

Djenie complies with:

  • Australian Privacy Act & APPs
  • GDPR & UK GDPR
  • CPRA (California)
  • PIPL (China)
  • LGPD (Brazil)

Cross-border data safeguards include:

  • Standard Contractual Clauses (SCCs)
  • UK Addendum
  • Adequacy decisions
  • Supplemental technical and organisational measures (TOMs)

7. AI SECURITY & ETHICAL USE

Djenie uses AI only in controlled internal contexts, applying:

  • Model access restrictions
  • Isolation of training and operational data
  • Safety guardrails
  • No deployment of AI in high-risk contexts (biometrics, employment, financial scoring)
  • Alignment with ISO/IEC 42001 AI governance principles

8. ROADMAP TO ISO 27001 CERTIFICATION

Phase 1 — Completed

  • Governance structure established
  • Preliminary risk assessment
  • Policy suite creation
  • Annex A control mapping

Phase 2 — Q2 2025

  • ISMS build-out
  • Evidence registers
  • Supplier assurance uplift
  • Internal audit preparation

Phase 3 — Q3 2025

  • Internal audit
  • Corrective action cycle
  • Leadership review

Phase 4 — Q4 2025

  • Statement of Applicability (SoA) finalisation
  • External certification audit (Stage 1 and Stage 2)
  • Certification issuance

Phase 5 — 2026 onward

  • Quarterly ISMS reviews
  • Annual surveillance audits, with recertification every three years
  • Continuous control monitoring

9. COMMITMENT TO TRANSPARENCY & TRUST

Djenie commits to:

  • Clear explanation of security controls to partners and users
  • Full cooperation with regulators
  • Responsible disclosure practices
  • Maintaining audit-ready documentation
  • Continuous security investment and governance maturation

VERSION CONTROL & GOVERNANCE

Version: 1.0 — Ultra-Final (Djenie Edition)
Effective Date: 1 January 2025
Approval: Chief Executive Officer, Djenie
Change Summary: Full rewrite from Cushi edition; alignment to Djenie’s SMS v2 platform, supplier model, cloud architecture, and operational risk profile.
Review Cycle: Annual or earlier if material change occurs.