At a glance
NEXT AI maintains a documented information security policy framework covering governance, technical, and operational controls. Policies are owned by management, reviewed and approved at least annually, and acknowledged by employees; violations may be addressed with proportionate disciplinary action.
Policy framework at NEXT
Policies include (non-exhaustive): Acceptable Use, Anti-Corruption & Anti-Bribery, Asset Management, Backup, Business Continuity, Code of Conduct, Data Classification/Deletion/Protection, Encryption, Incident Response, Information Security, Password, Physical Security, Responsible Disclosure, Risk Assessment, Secure SDLC, System Access Control, Vendor Management, Vulnerability Management.
Governance & maintenance
Ownership & oversight: The security leadership (e.g., Security Officer/CISO) designs, maintains, and reports on the policy set and ISMS performance to top management.
Annual review & approval: Policies are reviewed, edited if needed, and approved at least annually by authorized personnel/committee.
Employee awareness & attestation
Training & acknowledgment: New hires complete security awareness during onboarding (within days) and annually thereafter, and acknowledge the Information Security Program (incl. Code of Conduct).
Access & availability
Policies are available to employees via the compliance platform (e.g., Drata) for continuous access and annual re-signing.
Enterprise customers can request copies of relevant policies.
Exceptions & enforcement
Exceptions require executive approval and annual re-review.
Enforcement: Policy violations may lead to disciplinary action, consistent with severity and HR process.
Standards alignment (authority)
ISO/IEC 27001:2022 - requirements for establishing, implementing, maintaining, and improving an ISMS (policy-driven governance).
NIST CSF 2.0 (Govern function) - emphasizes executive-level policy, roles, and oversight in cybersecurity risk management.
SOC 2 (AICPA Trust Services Criteria) - policy-based controls underpin Security, Availability, Processing Integrity, Confidentiality, and Privacy.
FAQ
Q: Can NEXT AI provide copies of specific policies for due diligence?
Yes. Enterprise customers may request copies of relevant policies for security assessments.
Q: How often are policies reviewed and approved?
At least annually, with review/approval documented by authorized personnel/committee.
Q: How does NEXT AI ensure employees follow the policies?
Employees receive onboarding and annual training and sign acknowledgments of the Information Security Program; violations may be disciplined proportionately.
Q: Is there a formal process to approve exceptions?
Yes. Exceptions require executive approval and are re-reviewed annually.
Q: Do these policies align with recognized frameworks?
Yes. The framework supports ISO/IEC 27001 ISMS governance, NIST CSF 2.0 Govern, and SOC 2 control requirements.