
Information Security Policy Client‑Safe
Governance & management direction • Effective 28 Sep 2025
Policy Statement
Virtus Group Ltd protects information assets, meets legal obligations, and aligns practice with recognised standards (e.g., ISO/IEC 27001) and NZ requirements (e.g., Privacy Act 2020). This client‑safe version summarises commitments and omits operationally sensitive detail.
Scope
- All staff, contractors and third parties acting on our behalf
- All information assets we create, process, store, or transmit
- All services and systems within our ISMS/PIMS boundary
Key Principles
- Risk‑based selection of controls; continuous improvement and auditability
- Classification and appropriate handling of information
- Least‑privilege access with MFA and time‑bound elevation
- Logging/monitoring, incident response and vulnerability management
- Encryption in transit and at rest (TLS ≥ 1.2; AES‑256)
- NZ residency by default; AU permitted for DR when elected
Practice Areas
- Governance: Policies reviewed at least biennially; leadership oversight; resources allocated
- Risk: Registers maintained; BIAs for critical systems; quarterly review
- Access: MFA for privileged access; joiner/mover/leaver approval; periodic reviews
- Operations: Logging/monitoring across critical systems; timely patching; change control
- BC/DR: RTO/RPO defined; plans tested; quarterly sampled restore tests
- Vendors: Security obligations in contracts; access monitored; periodic assurance
- Crypto: Approved algorithms only; keys protected & rotated
Contacts
security@virtusgroup.biz • privacy@virtusgroup.biz • legal@virtusgroup.biz • compliance@virtusgroup.biz