Timetabling Solutions has established an Information Security Management System (ISMS) to protect customer information, company information and business operations. Our ISMS incorporates governance practices aligned with recognised information security standards, including relevant principles of ISO/IEC 27001:2022, where appropriate to the organisation's size, operations and risk profile.
1. Management Commitment to Information Security
Timetabling Solutions is committed to protecting the confidentiality, integrity, and availability of its information assets to ensure the continued trust of our clients, compliance with legal and regulatory requirements, and the security of the data entrusted to us.
Our Information Security Management System (ISMS) is integrated into our business processes to safeguard sensitive information, prevent security breaches, and mitigate risks effectively. Senior management actively supports and promotes a culture of security awareness and continuous improvement. Information security controls are implemented using a practical, risk-based approach that reflects the nature of our business, the services we provide and the sensitivity of the information entrusted to us.
2. Compliance with Laws and Regulations
Timetabling Solutions ensures compliance with all applicable legal, regulatory, and contractual requirements related to information security and data protection. These include, but are not limited to:
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- Notifiable Data Breaches (NDB) scheme (Australia)
- Cybersecurity frameworks recommended by the Australian Cyber Security Centre (ACSC)
- Education-specific data protection requirements as applicable in Australia, New Zealand, and the UK
Where customers are subject to overseas privacy legislation, including the European Union General Data Protection Regulation (EU GDPR) or the UK General Data Protection Regulation (UK GDPR), Timetabling Solutions supports those obligations through appropriate contractual arrangements, including a Data Processing Addendum where applicable.
Compliance with these regulations is reviewed regularly, and necessary actions are taken to ensure continued adherence to evolving security and privacy obligations.
Timetabling Solutions considers applicable privacy and data protection obligations in the jurisdictions in which it operates and supports customers in meeting their own regulatory requirements where appropriate.
3. Information Security Roles and Responsibilities
Timetabling Solutions defines clear roles and responsibilities to maintain the effectiveness of its ISMS:
- Timetabling Solutions Board of Directors: Responsible for endorsing and promoting the ISMS, ensuring adequate resources are available, and reviewing security performance.
- General Manager, Director of Software and Cloud Manager: Responsible for overseeing the implementation, maintenance and continual improvement of the Information Security Management System, ensuring appropriate information security controls remain effective and aligned with business requirements.
- IT and Development Teams: Responsible for implementing security controls, monitoring system integrity, and managing vulnerabilities and incidents.
- All Employees and Contractors: Required to comply with security policies, participate in information security awareness activities appropriate to their role, and promptly report suspected information security incidents.
4. Communication and Awareness
Timetabling Solutions recognises that maintaining effective information security requires ongoing communication, awareness and practical guidance for employees and contractors.
To support a strong security culture:
- New employees receive information security awareness as part of their induction, including the use of password managers, Multi-Factor Authentication (MFA), Single Sign-On (SSO), the secure handling of company information, and their responsibilities under the Information Security Management System.
- Employees are encouraged to report suspicious emails using the Microsoft Outlook Report Message feature and to promptly notify the Cloud Manager of suspected phishing attempts, security concerns or other information security incidents.
- Significant cybersecurity incidents, emerging threats and lessons learned from industry events are communicated to staff through Microsoft Teams and discussed during regular team meetings where appropriate.
- Information security policies, procedures and operational guidance are reviewed periodically and updated as required to reflect changes in technology, business operations and emerging risks.
Timetabling Solutions recognises that security awareness is an ongoing process and encourages all employees and contractors to remain alert to emerging threats and to actively contribute to protecting customer, company, and business operations information.
This ISMS statement is reviewed regularly to ensure continued alignment with our business objectives, regulatory obligations, and industry best practices.
The purpose of the ISMS is to proactively and actively identify, mitigate, monitor and manage information security vulnerabilities, threats and risks in order to protect Timetabling Solutions' people, clients, suppliers, information, data and assets.
We are committed to:
- Complying with all applicable laws, regulations and contractual obligations, and continually improving the ISMS.
- Making our policy easily available and known to interested parties.
- Providing resources appropriate to the organisation's size, business requirements and assessed information security risks to support the effective operation of the ISMS.
- Ensuring that all employees are made aware of their individual obligations in respect of this information security policy.
- Considering information security risks when making business, technology and operational decisions, including the periodic review of information security risks and controls.
Responsibility for upholding this policy is company-wide. We actively encourage all our people to incorporate information security into their skills.
The policy has been approved by the Directors and is reviewed periodically, and at least annually, or following significant changes to business operations, technology or information security risks.
5. Information Security Governance
Timetabling Solutions maintains a suite of information security policies supporting its Information Security Management System. These policies cover areas such as information security, risk management, access control, asset management, secure software development, vulnerability management, business continuity, incident response, privacy, supplier security, and information handling.
The ISMS is supported by the Employment Handbook, the Business Continuity & Disaster Recovery Plan, the Incident Response Plan, the Patch Management Policy, the Modern Slavery Statement, and other operational procedures.
Approved by:
Michael Wood
Chairperson
Updated 29th June 2026