OIP Insurtech

ISMS Presentation


Information Security

ISMS Overview

ISO/IEC 27001:2022 Certified Framework

🛡 Security in Mind. Innovation at Heart. Building Trust.
01 - Purpose

OIP ISMS - Purpose & Objectives

📌 What We're Presenting

  • ✓ Share OIP's security posture and operational controls
  • ✓ Explain how OIP manages its operations and data protection
  • ✓ Describe physical security measures across all service areas
  • ✓ Welcome any questions or concerns specific to your organization

🛡 Our Security Commitment

  • ✓ ISO/IEC 27001:2022 certified ISMS framework
  • ✓ 30 active security policies & procedures
  • ✓ 93 Annex A controls - 100% implemented
  • ✓ Continuous improvement through PDCA cycle
  • ✓ GDPR-compliant data handling across all operations

🛡 ISO 27001 • 🇪🇺 GDPR • 🔎 Annual Audits • ✓ Tested DR Plan
02 - Services

Scope of Services Provided

📝 Underwriting & KPO Services

Skilled assistant underwriters and knowledge process outsourcing supporting policy administration, claims processing, and insurance operations

📈 InsurTech Solutions

Ready-made InsurTech products and services designed to boost efficiency and quality across your insurance business

👥 IT Staff Augmentation

Augmented IT teams embedded into your operations, covering data engineering, DevOps, systems administration, BA, QA, and system integration

💻 Software & Technology Support

Full-stack development, QA, CI/CD, and L1/L2 technical support

🔒 Remote Access Architecture - We support all types of remote connectivity as required by our clients

  • ✓ VPN-secured connections to client environments
  • ✓ Role-based access with MFA enforcement
  • ✓ Dedicated workstations for client operations
  • ✓ Network segmentation per client/project
  • ✓ Session logging and activity monitoring
03 - Site Security

OIP Sites Overview & Physical Security

🌐 Operations Centers

  • Nevada USA - HQ
  • Belgrade Serbia - Operations Center
  • Nis Serbia - Operations Center
  • Zagreb Croatia - Operations Center
  • Skopje North Macedonia - Operations Center
  • Hyderabad India - Operations Center

Geographic distribution enables business continuity and follow-the-sun support

🔒 Physical Security Controls

  • ✓ Access-controlled entry (badge/biometric)
  • ✓ CCTV monitoring of all common areas
  • ✓ Escort procedures
  • ✓ Secure areas for sensitive operations
  • ✓ Clear desk & clear screen policy enforced
  • ✓ Equipment security and secure disposal
04 - ISMS: Access & Identity

Access Model & Identity Controls

👤 Identity & Access Management

  • ✓ Role-Based Access Control (RBAC) - least privilege enforced
  • ✓ Multi-Factor Authentication (MFA) on all critical systems
  • ✓ Centralized identity via Entra ID (Azure AD) and Google Workspace (GCPW)
  • ✓ Standardized provisioning and de-provisioning workflows
  • ✓ Regular access reviews - quarterly certification

☁ Cloud IAM

  • ✓ Role-based access control across cloud platforms
  • ✓ Centralized identity management with conditional access
  • ✓ Privileged Access Management for admin accounts
  • ✓ Session timeouts and idle lockout policies
Policy References: OIPIP12, OIPIP29
05 - ISMS: Endpoints

Endpoint & Device Security

💻 Device Management

  • ✓ Company-managed laptops with enforced security baselines
  • ✓ Mobile Device Management (MDM) enforced on all company devices
  • ✓ Endpoint detection and response (EDR)
  • ✓ Automatic OS and application patching
  • ✓ Full-disk encryption mandatory
  • ✓ USB and peripheral device restrictions
  • ✓ Remote wipe capability for lost/stolen devices

🏠 Remote Work Security

  • ✓ Mandatory VPN for all remote access
  • ✓ Split tunneling disabled
  • ✓ Company-issued devices mandatory - No BYOD permitted
  • ✓ Home network security guidance provided
  • ✓ Automatic screen lock on idle
  • ✓ Same controls as on-site: MFA, encryption, monitoring
Policy References: OIPIP02, OIPIP28, OIPIP07
06 - ISMS: Data Privacy

Client Data Handling Policy

🔒 Standard Operations

  • ✓ OIP Insurtech does not store or process client data on OIP Insurtech infrastructure
  • ✓ Staff access client data exclusively via client-provided remote connectivity
  • ✓ Client controls the type of access, scope, and data permissions granted
  • ✓ Data never leaves the client's environment

📄 Edge Cases - No Remote Capability

  • ✓ Where remote access is not available, strict on-site procedures apply
  • ✓ All residual files and data deleted from workstations at end of each workday
  • ✓ No client data retained on OIP Insurtech infrastructure overnight

💻 InsurTech / Development Projects

  • ✓ Clients provide test environments, mock data, or scoped database views only
  • ✓ Dedicated environment per client/project - isolated, access-restricted
  • ✓ Only project-assigned staff can access the environment
  • ✓ Data retained for the duration of active project work or ongoing service delivery under contract
  • ✓ Upon final contract termination, client data retained for up to 90 days for audit or dispute purposes, then deleted upon explicit client request, or as defined in the contract - whichever comes first
  • ✓ Deletion performed via secure wipe with documented confirmation provided to the client
07 - ISMS: Data Protection

Internal Data Handling & Confidentiality Controls

📄 Data Classification & Handling

  • ✓ Four-tier classification: Confidential, Restricted, Internal, Public
  • ✓ Mandatory labeling of all documents and data
  • ✓ Handling procedures enforced per classification level
  • ✓ Data transfer controls - encrypted channels only
  • ✓ Information deletion and retention policies

🔒 Encryption & Data Protection

  • ✓ AES-256 encryption for all data at rest
  • ✓ TLS 1.2+ for all data in transit
  • ✓ Secrets and credentials managed via cloud vaults (Azure Key Vault / GCP Secret Manager) - no credentials stored in code or .env files
  • ✓ Data Loss Prevention (DLP) controls active
  • ✓ Backup encryption - off-site storage
Policy References: OIPIP05, OIPIP19, OIPIP20
08 - ISMS: People

People Security & Training

👥 Employee Onboarding & Offboarding

  • ✓ Standardized onboarding and offboarding procedures
  • ✓ Pre-employment background screening
  • ✓ Security terms in employment contracts
  • ✓ Confidentiality and NDA agreements
  • ✓ Asset return procedures on termination
  • ✓ Access revocation within 1 hour of offboarding

🎓 Security Awareness

  • ✓ Mandatory security awareness training for all staff, conducted annually
  • ✓ Role-specific security training for technical teams
  • ✓ Phishing simulation exercises
  • ✓ Incident reporting awareness - all employees
  • ✓ Disciplinary process for policy violations

Governed by ISO 27001 Annex A.6 - People Controls (8/8 implemented)

09 - ISMS: Operations

Secure Engineering & Support Operations

💻 Secure Development

  • ✓ Security integrated into every SDLC phase
  • ✓ Mandatory code reviews before deployment
  • ✓ SAST/DAST vulnerability testing
  • ✓ Separation of dev/test/production environments
  • ✓ Secure deployment pipelines with approval gates

🛠 IT Operations & Configuration

  • ✓ Infrastructure as Code for consistent deployments
  • ✓ Change management with approval workflows
  • ✓ Configuration baselines
  • ✓ Automated patch management
  • ✓ Capacity monitoring and planning

🤖 AI-Assisted Operations - BoundAI

  • ✓ AI-assisted automation used to enhance insurance operations and client workflows
  • ✓ AI tools integrated into development, data processing, and quality assurance
  • ✓ All AI-driven outputs reviewed and validated before delivery to clients
  • ✓ Client data used in AI workflows only with explicit client authorization
  • ✓ AI solutions built and deployed in isolated, access-controlled environments

☁ Multi-Cloud Security Architecture

Microsoft Azure - Production & Client Services

  • Network & Isolation: VNet isolation, Network Security Groups, Private Endpoints, no public access
  • Identity & Access: Entra ID, RBAC, Conditional Access, Key Vault
  • Data & Encryption: Azure Key Vault, AES-256 at rest, TLS 1.2+ in transit

Google Cloud Platform - Internal Services & Tooling

  • Network & Isolation: VPC isolation, firewall rules, private connectivity, no public endpoints
  • Identity & Access: IAM & RBAC, least privilege, Secret Management
  • Data & Encryption: Cloud KMS, AES-256 at rest, TLS 1.2+ in transit

ISO 27001 Aligned • GDPR Compliant • Encryption Everywhere • Isolated Client Environments
10 - ISMS: Incident Response & BC

Incident Response & Business Continuity

🚨 Incident Response

  1. Identify - Detection & classification
  2. Contain - Isolate & limit damage
  3. Eradicate & Recover - Restore operations
  4. Improvement Implementation - CAPA

📈 Monitoring & Logging

  • ✓ Audit logging across all cloud services
  • ✓ Real-time alerting & anomaly detection
  • ✓ Log retention per compliance requirements

📖 Business Continuity

  • ✓ BCP activation criteria defined
  • ✓ Crisis management team with clear roles
  • ✓ Recovery procedures for all critical functions
  • ✓ Multi-office resilience: Belgrade, Nis, Zagreb, Skopje, Hyderabad
  • ✓ Full remote work capability

🏭 Disaster Recovery

  • ✓ Comprehensive DR procedures
  • ✓ RTO/RPO defined per service
  • DRP Test Report: Oct/Nov 2025 - validated
  • ✓ Geo-redundant backups (OIPIP20)
11 - ISMS: Governance

Governance, Audits, Certifications & Assessments

📜 Internal Audit

Comprehensive audit program with audit plans, reports, non-conformity tracking, and operational audits.

🔧 CAPA Process

Corrective & Preventive Action ensuring identified issues are systematically addressed and prevented from recurring.

📚 Documentation Protocol

Standardized document control with version tracking, classification, approval workflows, and retention policies.

📊 Key Metrics & Risk Management

  • ✓ 17 risks tracked in 2026 register
  • ✓ 4-step treatment process (Mitigate, Accept, Transfer, Avoid)
  • ✓ Annual risk review cycle
  • ✓ Risk register linked to Statement of Applicability

Document Update Timeline

  • December 2025 - 12 documents updated to v2 (major revision cycle)
  • Oct - Nov 2025 - DRP Test Report completed (live testing validation)

ISO 27001 Annex A Controls - 93 controls, 100% coverage across all 4 categories

  • A.5 Organizational (37)
  • A.6 People (8)
  • A.7 Physical (14)
  • A.8 Technological (34)


📄 Policy & Procedure Documentation (30 Policies)

  • Governance
  • Technical
  • Operational
  • Compliance
  • Continuity
12 - Risk Governance

Risk Assessment & Treatment

Risk Assessment Matrix (likelihood axis; matrix figure not reproduced here)

2026 Risk Register • 17 Risks Tracked

Risk Treatment Approach

  • 🛡 Mitigate - 13 of 17 risks (controls from Annex A)
  • ✓ Accept - 3 risks (within defined appetite)
  • 🚫 Avoid - 1 risk (activity eliminated)
  • 🔄 Transfer - 0 risks

🛡 Your Data, Our Controls

  • Data confidentiality: Classification, Encryption, DLP
  • Access to your systems: RBAC, MFA, VPN, session logging
  • Personnel risks: Screening, NDAs, training, offboarding procedures
  • Service continuity: BCP, DRP, multi-office resilience, tested plans
  • Regulatory compliance: GDPR, ISO 27001, applicable legislation
  • Third-party risk: Supplier security policy, contractual clauses

📊 Continuous Improvement Cycle

  • ✓ Quarterly risk register review by ISMS Committee
  • ✓ Annual management review & risk appetite reassessment
  • ✓ Internal audit programme - full ISMS cycle
  • ✓ Corrective actions tracked to closure
  • ✓ Surveillance audit by certification body annually
  • ✓ Lessons learned and feedback incorporated into risk treatment plans

Your Security. Our Priority.

🛡 Questions & Discussion

OIP Insurtech • Client Security Assessment • ISO/IEC 27001:2022