# Security & Assurance
At SmartyGrants, security, governance and compliance are fundamental to how we design, operate and continuously improve our platform.
We maintain a structured, independent assurance framework that provides confidence in our information security, operational controls and risk management practices.
Our approach is built on internationally recognised standards, independent audit, and alignment with government security frameworks.
## Layered Assurance, Not Single Certification
Each assurance layer serves a distinct purpose:
| Layer | Focus | Scope |
|---|---|---|
| ISO/IEC 27001:2022 Certification | Enterprise security governance | Organisation-wide ISMS |
| Annual ASAE 3402 Type II Assurance | Control operating effectiveness | Period-based assurance |
| IRAP Assessment (ISM Alignment) | Government security alignment | Technical & regulatory posture |
## Our Assurance Framework
### ISO/IEC 27001:2022 Certification
Enterprise-wide Information Security Management
SmartyGrants maintains ISO/IEC 27001:2022 certification, the internationally recognised standard for Information Security Management Systems (ISMS).
This certification demonstrates that we:
- Operate a formal, risk-based information security framework
- Maintain structured governance and risk management processes
- Identify, assess and manage information security risks on an ongoing basis
- Undertake independent annual surveillance audits
- Complete full recertification audits every three years
- Continuously monitor and improve our controls
ISO 27001 covers organisational governance, access control, incident management, supplier risk, secure development practices and business continuity.
### Annual ASAE 3402 Type II Assurance
Independent Validation of Control Effectiveness
SmartyGrants completes annual ASAE 3402 Type II assurance engagements.
ASAE 3402 Type II reports provide independent validation of the design and operating effectiveness of key internal controls over a defined reporting period.
This includes assurance over:
- Control environment governance
- Change management processes
- Access management controls
- Operational procedures and monitoring
- System oversight
Type II reporting confirms that controls are not only appropriately designed, but operate effectively over time.
### IRAP Assessment (ISM Alignment)
Australian Government Security Framework
SmartyGrants is undertaking IRAP assessment aligned to the Australian Government Information Security Manual (ISM), governed by the Australian Cyber Security Centre (ACSC).
IRAP provides:
- Independent review by ASD-accredited assessors
- Alignment with Australian Government security requirements
- Validation of technical and operational controls
- Assurance suitable for government data environments
This ensures our platform aligns with the expectations of government agencies managing sensitive information.
## Continuous Monitoring and Improvement
Security is not a one-off activity.
SmartyGrants maintains a continuous improvement approach through:
- Regular internal audits and control reviews
- Independent external audit and assurance processes
- Ongoing risk assessment and mitigation
- Incident monitoring and response processes
- Continuous enhancement of policies, procedures and controls
This ensures our platform evolves alongside emerging risks and regulatory expectations.
## Security by Design
Security considerations are embedded into the design and operation of the SmartyGrants platform, including:
- Role-based access control and least privilege principles
- Secure development and change management practices
- Monitoring and logging of system activity
- Data protection and privacy controls
- Business continuity and disaster recovery planning
## Supporting Government and Enterprise Requirements
SmartyGrants supports the security and governance expectations of:
- Government agencies
- Corporate and philanthropic grantmakers
- Large-scale and multi-program funding environments
Our assurance framework is designed to meet the requirements of organisations operating in regulated and high-trust environments.
## Request Documentation
If you require copies of our certifications, assurance reports or procurement framework details for due diligence purposes, please contact our team.