Last edited by Divya Mishra on 26/01/2025
You'll find here Nexthink's corporate Information Security Policies, Procedures and Certificates. The full list can be found here: https://nexthink.sharepoint.com/sites/security/Corporate/
ISO 270xx certificates
You will find the ISO 27001:2022, 27017:2015, 27018:2019 and 27701:2019 here: https://nexthink.sharepoint.com/sites/security/Corporate/
Policies
Our policies describe the what - our procedures, the how.
| Policy | Purpose |
|---|---|
| Information Security Policy | Define the security strategy and security requirements applicable to all Nexthink employees and systems.The aim of this document is to explain all the different measures that Nexthink has in place to ensure its own business continuityand recovery in case of a disaster. |
| Acceptable Usage Policy | Defines what constitutes an acceptable use of Nexthink's IT resources. |
| Defines what constitutes an acceptable use of publicly available AI resources. | |
| Guidelines for the responsible, secure, and lawful use of AI technologies across Nexthink. | |
| Confidentiality Policy | This document describes the classification schemes and levels. |
| Data Retention Policy | This documents describes the retention applied to the different information managed by Nexthink. |
| Vulnerability Management Policy | Define how Nexthink identifies and remediates vulnerabilities in its IT infrastructure, product, and Cloud offering. |
| Security Governance Policy | Define security governance roles and responsibilities at Nexthink. |
| Security Incident Response Policy | Define the handling of security incidents at Nexthink. |
| Business Continuity and Disaster Recovery Plan | The aim of this document is to explain all the different measures that Nexthink has in place to ensure its own business continuity and recovery in case of a disaster. |
| Secrets Policy | Define a set of rules designed to enhance computer security and employ strong passwords following security best practices. |
| Access Control Policy | The purpose of this document is to define logical access control requirements at Nexthink. |
| Physical Security Policy | This policy describes the physical security controls applied in our offices but also in the data centers. |
| Defines the ground rules on how to manage and operate a "Closed-circuit television" system. |
|
| Cryptography Policy | This policy describes the standards and operational procedures used to produce, update and discard keys |
| Third Party Management Policy | This policy describes the process to manage third parties including consultants. |
Procedures
Our policies describe the what - our procedures, the how.
| Procedure | Purpose |
|---|---|
| Documentation Procedure | Describe how documentation is managed. |
| Incident Notification Procedure | Describes how security incidents should be reported by Nexthink employees. |
| Incident Response Procedure | Describes how the Security Team identifies and responds to security incidents. |
| Personal Data Breach Notification Procedure |
Describes how Nexthink employees should identify and report a suspected or proven personal data breach. Defines communication and escalation flows for internal and external notifications. |
| Third-party Assessment Procedure | Describes how the Security Team assesses the security posture of third-party providers. |
| Risk Management Procedure | Describes the methodology to perform and track risk assessments. |
Guidelines
| Guideline | Purpose |
|---|---|
| A comprehensive guide to data classification. |
ENS
Technical Safety Instructions (TSI) & STIC Series 800 Guides and Abstracts can be found here - https://ens.ccn.cni.es/es/normativa