Telstra Enterprise - Customer Security Assurance Site
This site aims to provide Telstra Enterprise customers with Security Assurance information about Telstra. Key resources include our latest ISO/IEC 27001 certificates, ASAE 3150 (SOC2) reports, and other related links.
Telstra ISO 27001 Certification
ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.
Telstra maintains an information security management system, including policies, controls and procedures, that is certified to the ISO/IEC 27001:2013 information security management standard.
The scope of Telstra’s Information Security certification includes the processes, systems, networks, and infrastructure to design, develop, build, provision, operate and assure technology solutions and services to business and government customers in accordance with the Statement of Applicability version 4.
Telstra ASAE3150 (SOC2) Audit Reports
The System and Organization Controls (SOC) Audit report is designed to demonstrate to customers of service-providing organisations the level of risk and security processes operating at the service-providing organisation. The Australian Standard for producing a SOC Audit report is ASAE (Australian Standard Auditing Engagements), which is performed by an independent external party. Telstra engaged EY for this important work.
Telstra has undertaken a whole-of-company ASAE 3150 (SOC 2) Type 1 and Type 2 Audit assessment. This assessment will be conducted each year (for the previous financial year). Type 1 refers to control design and point-in-time operational control testing, whereas Type 2 refers to design and control testing performed through the period of assessment. A combination of both Type 1 and Type 2 enables a broader range of controls to be selected for testing, thus potentially being applicable to more of Telstra's customers for assurance purposes.
The Telstra ASAE3150 (SOC 2) Audit report can assist many types of our TE customers (e.g. APRA regulated, Government, Critical Infrastructure, etc.) in meeting their stakeholder/regulator requirement to gain Controls assurance over their key Suppliers.
For existing Telstra customers, a copy of the Telstra ASAE3150 (SOC2) Audit report(s) can be requested here.
Telstra CyberGRX Report
CyberGRX is a third-party Security Controls Assurance platform.
Telstra maintains a CyberGRX Security Assurance report (Tier 2). This report gives further assurance of the effectiveness of approximately 160 Controls operating across Telstra, including assessment of the related processes that support the Control operation.
The Telstra CyberGRX report can be accessed by logging on to your own account within the CyberGRX platform and requesting a Telstra report. Alternatively, you can request here that a Telstra CyberGRX report be sent to you, which can be accessed inside the CyberGRX Platform.