At ISACA, trust is a responsibility. As an international organization, we recognize privacy expectations differ worldwide. We commit to respecting regional laws, protecting your data with integrity, transparency, and accountability. Our privacy and security approach is based on global best practices. This Center details how we manage your data and your rights under local laws, ensuring privacy as a universal right.
ISO certifications are globally recognized credentials given to organizations whose management systems align with international standards like information security or quality management. They provide third-party validation, building trust with customers, partners, and regulators. Internally, they enhance operational excellence through structured processes. These certifications offer a competitive edge, showcasing commitment to best practices and unlocking business opportunities that demand such credentials.
This certification confirms our structured approach to protecting sensitive information and maintaining strong, continuously improving security controls.
This standard builds on ISO 27001 with a dedicated focus on privacy, confirming a strong Privacy Information Management System aligned with global regulations.
SOC 2 Type II provides independent assurance that our security controls are well-designed, operate effectively over time, and consistently protect sensitive information.
ISACA is dedicated to protecting data privacy across all jurisdictions. As a globally recognized organization, we adhere to the privacy laws and regulations in every country in which we operate. Guided by principles of lawfulness, fairness, transparency, purpose limitation, and accountability, our practices adapt to global legislative and regulatory changes. No matter your location in North America, Europe, Asia, Africa, or beyond, we uphold your privacy rights as a fundamental principle, not just an obligation.
General Data Protection Regulation (GDPR)
We adhere to the GDPR, which governs the processing of personal data of individuals within the European Union (EU) and the European Economic Area (EEA). Our compliance ensures that we provide data subjects with rights to access, rectify, and erase their personal data.
Personal Information Protection and Electronic Documents Act (PIPEDA)
We process personal data from Canadian residents in compliance with PIPEDA, ensuring we obtain consent and provide rights of access and correction.
ePrivacy Directive (EU)
We comply with the EU ePrivacy Directive and applicable national laws governing the use of cookies, similar technologies, and electronic communications. These requirements complement data protection laws and help ensure transparency and user choice when information is stored on or accessed from user devices.
Lei Geral de Proteção de Dados (LGPD)
For individuals in Brazil, our data processing activities are based on the legal grounds outlined in the LGPD, ensuring proper legal bases for all processing and secure international data transfers.
Personal Data Protection Act (PDPA) - Singapore
We obtain consent before collecting, using, or disclosing personal data of individuals in Singapore, unless permitted or required by the PDPA, and implement reasonable security arrangements.
Personal Information Protection Law (PIPL) - China
We process personal data from China in accordance with PIPL. We obtain separate consent for cross-border data transfers and implement necessary security measures to protect the data.
Digital Personal Data Protection Act (DPDP) - India
As a data fiduciary under the DPDP, we obtain clear and informed consent for data processing and implement all necessary technical and organizational measures to protect your data.
Privacy Act 1988 - Australia
We adhere to the Australian Privacy Principles (APPs), ensuring your personal information is handled in an open and transparent manner with rights of access and correction.
Act on the Protection of Personal Information (APPI) - Japan
We process personal data relating to individuals in Japan in accordance with APPI, including requirements related to lawful use, security safeguards, and cross-border transfers.
UK General Data Protection Regulation (UK GDPR)
For individuals in the United Kingdom, we process personal data in accordance with the UK GDPR and applicable UK data protection laws.
To ensure the confidentiality, integrity, and availability of personal data, ISACA employs a multi-layered set of technical safeguards. These controls are continuously evaluated and updated to align with global best practices and evolving threat landscapes. Our infrastructure, systems, and applications are designed with security and privacy embedded by default.
Data Encryption
- Encryption at Rest and in Transit: Strong encryption is used to protect personal data whether it is stored or transmitted.
- Secure Key Management: Cryptographic keys are managed using industry-accepted security practices.
- Ongoing Review: Encryption mechanisms are periodically reviewed to remain effective against evolving threats.
Access Management
- Role-Based Access Control (RBAC): Access to systems and data is granted based on job function and necessity, minimizing exposure and enforcing least privilege.
- Multi-Factor Authentication (MFA): Critical systems require MFA to verify user identity and prevent unauthorized access.
- Audit Logging: All access and administrative actions are logged and monitored to detect anomalies and support forensic investigations.
Network and Infrastructure Security
- Firewalls and Intrusion Detection Systems (IDS): Network boundaries are monitored and protected against unauthorized access and malicious activity.
- Network Segmentation: Sensitive systems are isolated to reduce lateral movement and limit exposure.
- Continuous Monitoring: Infrastructure is monitored to detect anomalies and potential threats.
Application and Endpoint Security
- Secure Development Lifecycle (SDL): Security is integrated throughout application design, development, testing, and deployment.
- Endpoint Protection: Devices accessing corporate systems are protected with endpoint detection, antimalware, and security monitoring tools.
- Vulnerability Management: Systems are regularly assessed to identify and remediate security weaknesses.
Security by Design
- Built-In Security Controls: Security considerations are embedded into systems from initial design through deployment.
- Least Privilege Architecture: Systems are designed to minimize access and reduce unnecessary exposure.
- Change Validation: Security controls are validated when systems or configurations change.
Data Minimization and Retention
- Purpose Limitation: Only personal data necessary for defined and legitimate purposes is collected and processed.
- Retention Controls: Personal data is retained only for as long as required for operational or legal needs.
- Secure Disposal: Data is securely deleted or anonymized when it is no longer needed.
Monitoring and Incident Response
- Real-Time Monitoring: Security operations monitor systems for threats, anomalies, and unauthorized activity.
- Incident Response Procedures: Documented processes guide the identification, escalation, containment, and remediation of security incidents.
- Continuous Improvement: Lessons learned from incidents inform ongoing security enhancements.
Vulnerability Disclosure Program
- Responsible Disclosure: Security researchers and external parties are encouraged to responsibly report potential security vulnerabilities.
- Formal Intake Process: A defined channel is available for submitting, reviewing, and tracking reported vulnerabilities.
- Risk-Based Remediation: Reported issues are assessed and addressed in a timely manner to reduce risk and strengthen our security posture.
Artificial Intelligence and Emerging Technologies
- Responsible Use of AI: Artificial Intelligence is used in a manner consistent with ethical principles, privacy expectations, and applicable laws.
- Privacy-Aware Design: AI systems are designed to minimize personal data use and reduce the risk of unintended data exposure.
- Human Oversight: Appropriate governance and oversight are applied to AI supported processes.
- Risk-Based Review: AI and emerging technologies are periodically assessed for privacy, security, and compliance risks.
At ISACA, protecting personal data is not only a technical challenge, it is a core organizational responsibility. We have established a comprehensive governance framework that ensures privacy and security are embedded into our culture, operations, and decision-making processes. These controls are designed to uphold accountability, reduce risk, and ensure compliance with the laws and expectations of the regions in which we operate.
Privacy Governance and Oversight
- A dedicated privacy and security team oversees data protection strategy, risk management, and compliance.
- Internal policies and procedures guide how data is collected, used, stored, and shared across the organization.
- Regular audits and assessments are conducted to evaluate the effectiveness of our privacy and security practices.
Privacy by Design and Default
- Privacy protections are built into ISACA’s systems and services from the outset.
- Data protection is integrated throughout the full development and operational lifecycle, in compliance with applicable privacy laws and regulations.
- Privacy risks are identified early, and only the personal data necessary for a defined, legitimate purpose is collected and used.
- As a result, privacy is the default setting, not an afterthought.
Third-Party Risk Management
- All vendors and partners undergo privacy and security due diligence before engagement.
- Data Processing Agreements (DPAs) and other contractual safeguards are used to ensure third parties meet our standards for data protection.
- Ongoing monitoring and periodic reviews are conducted to validate third-party compliance.
Employee Training and Awareness
- All employees receive mandatory training on privacy, data protection, information security, and the responsible use of Artificial Intelligence.
- Awareness campaigns reinforce the importance of ethical data handling, regulatory compliance, and emerging technology risks.
- Employees participate in periodic security awareness activities, such as simulated phishing exercises, to strengthen threat recognition and safe data-handling practices.
Incident Response and Breach Management
- A formal documented Incident Response Plan (IRP) guides the identification, containment, and resolution of all security events.
- Processor contracts legally require data processors to provide immediate incident notification and adhere to our security controls.
- Cross-functional teams are prepared to respond swiftly to incidents, including notifying affected individuals and authorities when required.
- Lessons learned from incidents are used to strengthen future prevention and response efforts.
Data Subject Rights Management
- Processes are in place to respond to requests from individuals seeking to access, correct, delete, or restrict the use of their personal data.
- Requests are handled in accordance with the laws of the jurisdiction in which the individual resides.
- Our Privacy Team is trained to guide individuals through their rights and available options.
Frequently Asked Questions
Our FAQ section offers quick, clear answers to common questions about our privacy, security, and data handling practices. We prioritize transparency and aim to provide essential information in an accessible format. Regular updates incorporate your feedback, keeping it relevant and useful. If your question isn’t addressed, feel free to contact us directly for further assistance.
How does ISACA protect my personal data?
ISACA uses a combination of administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or loss. These measures include access controls, encryption where appropriate, secure system development practices, employee privacy and security training, and oversight of third-party service providers.
We apply these safeguards throughout the data lifecycle, from collection and use to storage and deletion, and regularly review our practices to ensure personal data is handled responsibly and in accordance with applicable privacy laws.
Does ISACA share my data with third parties?
ISACA may share limited personal data with trusted third-party service providers that help us operate our services (such as technology, event management, and communications support). All such providers are bound by contractual obligations requiring them to safeguard personal data and use it only for authorized purposes.
Any data sharing is conducted in accordance with applicable privacy laws and with appropriate safeguards in place.
You can view our current list of third-party processors here:
https://www.isaca.org/processors
In some cases, personal data may be shared in connection with a specific event, conference, webinar, or chapter-sanctioned activity. These data disclosures are limited to what is necessary for that activity and are described in the privacy information provided for the relevant event or resource.
What rights do I have over my personal data?
Depending on your country of residence, you may have rights such as accessing your data, requesting corrections, deleting your data, or limiting how it is used. We honor these rights and provide clear processes for submitting requests through our Privacy Rights Portal or support channels.
How can I submit a privacy-related request or concern?
You can contact our Privacy Team by emailing them at the email address listed on this page or by submitting a question within our Privacy Rights Portal. We respond to all valid requests in accordance with the laws of your jurisdiction and within legally required timeframes.
What happens if there is a data breach?
In the event of a data breach, we immediately activate our incident response plan to detect, contain, and resolve the issue. If it is determined that your personal information is involved, we will notify you in accordance with all legal requirements and provide clear, actionable steps you can take to help keep yourself safe.
How does ISACA ensure compliance with international privacy laws?
As a global organization, we monitor and adapt to evolving privacy regulations worldwide. Our privacy practices are designed to be flexible and compliant with the laws of the countries where our users and customers reside. For more information on our privacy compliance practices, please see our Global Privacy Notice.
Trust and Privacy Resources
This section offers direct access to essential documents and support tools related to ISACA's personal data handling, user rights, and platform interactions. Designed to clarify our privacy practices, these resources help you manage preferences and report concerns. For legal terms, privacy notices, or reporting mechanisms, follow the hyperlinks below to reach the relevant resource directly.
Privacy Notice
Outlines how we collect, use, and protect personal data across all jurisdictions. This notice reflects our global privacy practices and commitment to respecting local laws.
Terms of Use
Defines the legal terms and conditions governing your use of our websites, platforms, and services.
Ad and Cookie Policy
Explains the types of cookies we use, their purpose, and how they impact your browsing experience.
Cookie Settings
Allows you to manage your cookie preferences, including enabling or disabling specific categories of cookies.
Privacy Rights Portal
Provides tools and instructions for submitting requests related to your personal data, including access, deletion, correction, and objection.
Bug Reporting
Use this form to report technical issues, glitches, or unexpected behavior in our products or services.
Test Security and Fraud Reporting
Submit confidential reports of suspected security vulnerabilities, fraud, or misconduct involving ISACA systems or affiliates. Reports are reviewed in accordance with our Code of Professional Ethics and applicable regulatory standards.
Support Portal
Offers help with account issues, technical support, and general inquiries related to our services.
Contact Us
If you have any questions or concerns regarding our security and privacy practices, please reach out to the appropriate team below.