Governance
Moneytree's security programme is built on a formal Information Security Management System (ISMS), independently certified to ISO/IEC 27001. The policies below provide management direction, define controls, and assign accountability across the organisation.
Core ISMS Documents
The following documents form the foundation of Moneytree's Information Security Management System. They establish the strategic direction, risk management approach, and scope of the ISMS — and are subject to annual review and executive approval.
- ISMS Framework
- Information Security Policy of Moneytree
- ISMS Process
- ISMS Risk Management Process
- Information Security Statement of Applicability (SoA)
Operational IT & Security Policies
To enforce security controls across day-to-day operations, Moneytree maintains a suite of targeted policies covering specific domains — from device management and access control to AI use and vendor lifecycle governance.
- Artificial Intelligence — Policy
- BYOD — Bring Your Own Device Policy
- Change Management Policy
- Cryptography Controls and Key Management Policy
- Data Classification Policy
- Data Loss Prevention Policy
- Device Update Policy
- Employee IT Equipment Purchase Policy
- Information Retention and Sanitisation Policy
- Information Systems Auditing and QA Policy
- IT Operational Service Level Agreement (SLA)
- IT Vendor Lifecycle Management Policy
- Network Monitoring Policy
- Remote Work Policy
- Security Training Awareness Policy
- Separation of Duties Policy
- Software Approval Policy
- System Access Governance Policy
- Threat Intelligence Policy
- User Authentication and Account Security Policy
Security Tooling
Moneytree operates a layered security stack covering endpoint protection, identity, cloud posture, data loss prevention, and observability. These tools enforce the controls defined in our policies and feed into continuous monitoring and incident response workflows.
- AI-powered endpoint detection and response (EDR) for malware prevention, threat hunting, and real-time device protection across all managed endpoints.
- Monitors and prevents insider-driven data exposure across file movement, cloud uploads, and removable media — aligned with the Data Loss Prevention Policy.
- Automatically detects and raises pull requests to remediate known vulnerabilities in third-party dependencies across all code repositories.
- Aggregates and prioritises findings from GuardDuty, Inspector, Config, Health, Trusted Advisor, and other AWS services into a unified security dashboard.
- Centralised log ingestion and real-time analysis across infrastructure and applications, enabling threat detection, alerting, and compliance reporting.
- Single sign-on (SSO) and multi-factor authentication (MFA) for all managed applications, enforcing least-privilege access and streamlining access lifecycle management.
- Fleet management for macOS, iOS, and other devices — enforcing encryption, OS updates, compliance baselines, and remote wipe capabilities.
All policies are reviewed on a defined schedule aligned with the ISMS programme calendar. Core documents are reviewed at least annually; operational policies are reviewed when there is a material change or on a risk-driven basis. Review outcomes are reported to the Information Security Committee.