Policies, Procedures and Certificates

by Francois Miquel

Last edited by Divya Mishra on 13th March 2026

You'll find here Nexthink's corporate Information Security Policies, Procedures and Certificates. The full list can be found here: https://nexthink.sharepoint.com/sites/security/Corporate/

ISO 270xx certificates

You will find the ISO 27001:2022, ISO 27017:2015, ISO 27018:2019 and ISO 27701:2019 certificates here: https://nexthink.sharepoint.com/sites/security/Corporate/

Policies

Our policies describe the what; our procedures, the how.

| Policy | Purpose |
| --- | --- |
| Information Security Policy | Defines the security strategy and the security requirements applicable to all Nexthink employees and systems. |
| Acceptable Usage Policy | Defines what constitutes acceptable use of Nexthink's IT resources. |
| Acceptable Usage Policy - Annex 1 - Public AI Tools | Defines what constitutes acceptable use of publicly available AI resources. |
| AI Policy | Guidelines for the responsible, secure, and lawful use of AI technologies across Nexthink. |
| Confidentiality Policy | Describes the classification schemes and levels. |
| Data Retention Policy | Describes the retention applied to the different kinds of information managed by Nexthink. |
| Vulnerability Management Policy | Defines how Nexthink identifies and remediates vulnerabilities in its IT infrastructure, product, and Cloud offering. |
| Security Governance Policy | Defines security governance roles and responsibilities at Nexthink. |
| Security Incident Response Policy | Defines the handling of security incidents at Nexthink. |
| Business Continuity and Disaster Recovery Plan | Explains all the measures that Nexthink has in place to ensure its own business continuity and recovery in case of a disaster. |
| Secrets Policy | Defines a set of rules designed to enhance computer security and employ strong passwords following security best practices. |
| Access Control Policy | Defines the logical access control requirements at Nexthink. |
| Physical Security Policy | Describes the physical security controls applied in our offices and in the data centers. |
| CCTV Policy | Defines the ground rules for managing and operating a closed-circuit television (CCTV) system. |
| Cryptography Policy | Describes the standards and operational procedures used to produce, update and discard cryptographic keys. |
| Third Party Management Policy | Describes the process for managing third parties, including consultants. |
| Cloud Security Policy | The Information Security Policy describes the high-level security and privacy principles for security engineering and software development; this policy makes those principles explicit for the Nexthink SaaS solution. |
| Engineering Security Policy | Describes the high-level security principles applicable to Engineering, Software Development and Operations. |
| ISMS & PIMS Governance Policy | Defines security governance roles and responsibilities at Nexthink. |
| API Security Policy | Defines the security principles for authentication of Application Programming Interfaces (APIs) within Nexthink. |
| Artificial Intelligence Policy | Provides guidelines and rules for using AI within our products and business processes, emphasizing compliance with legal requirements and ethical standards. |
| Asset Classification Policy | Describes the asset classification scheme applied to Nexthink's information systems. |
| Crown Jewel SaaS Platforms Management Policy | Establishes the framework for managing Crown Jewel SaaS platforms within the organization. |
| Information Security Awareness & Privacy Training Policy | Defines the information security and privacy training and awareness program at Nexthink. |
| IT Policy | Describes Nexthink's IT usage policy and serves as the mandatory baseline for using IT resources at Nexthink. |
| Mobile Device Policy | Defines the security and privacy requirements for accessing Nexthink data from mobile devices. |
| Services Integration Policy | Describes the security requirements for integrating (connecting) two IT systems. |
| Asset Owner Policy | Defines the responsibilities of Nexthink's asset owners. |
| HR Security Policy | Describes how Nexthink handles the information security aspects of the employee lifecycle. |
| ISMS & PIMS Scope Policy | Describes the scope of application of the Information Security Management System (ISMS) and the Privacy Information Management System (PIMS), their boundaries and limitations. |


Procedures

| Procedure | Purpose |
| --- | --- |
| Documentation Procedure | Describes how documentation is managed. |
| Incident Notification Procedure | Describes how security incidents should be reported by Nexthink employees. |
| Incident Response Procedure | Describes how the Security Team identifies and responds to security incidents. |
| Personal Data Breach Notification Procedure | Describes how Nexthink employees should identify and report a suspected or proven personal data breach, and defines the communication and escalation flows for internal and external notifications. |
| Third-party Assessment Procedure | Describes how the Security Team assesses the security posture of third-party providers. |
| Risk Management Procedure | Describes the methodology used to perform and track risk assessments. |

 

Guidelines

| Guideline | Purpose |
| --- | --- |
| Confidentiality Guidelines | A comprehensive guide to data classification. |

ENS

Technical Safety Instructions (TSI) and STIC Series 800 Guides and Abstracts can be found here: https://ens.ccn.cni.es/es/normativa