FAQ
NEUREALM Customer Security, Privacy & Compliance Response Repository
1. Information Security Governance
Does NEUREALM maintain a formal Information Security Management System (ISMS)?
Standard Response
Yes.
NEUREALM has established, implemented, maintained, and continually improves an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022 requirements.
The ISMS governs the protection of information assets through documented policies, standards, procedures, risk management practices, security controls, monitoring mechanisms, internal audits, management reviews, and continual improvement activities.
The ISMS covers:
• Information Security Governance
• Risk Management
• Access Control
• Asset Management
• Cryptography
• Incident Management
• Supplier Security
• Business Continuity
• Secure Development
• Security Awareness
• Physical Security
The ISMS is independently audited and certified against ISO/IEC 27001:2022.
Evidence Available: ISO/IEC 27001 Certificate
Owner: Information Security Team – GRC
2. Risk Management
Does NEUREALM maintain a formal Enterprise Risk Management Program?
Standard Response
Yes.
NEUREALM maintains a documented Enterprise Risk Management (ERM) framework integrated with its Quality, Information Security, Privacy, AI Governance, Service Management, and Business Continuity Management Systems.
The risk management process includes:
• Risk Identification
• Risk Assessment
• Risk Treatment
• Risk Acceptance
• Risk Monitoring
• Periodic Risk Reviews
• Management Reporting
Risk assessments are performed periodically and whenever significant business, technology, security, privacy, or operational changes occur.
The framework aligns with:
• ISO 9001:2015
• ISO/IEC 27001:2022
• ISO/IEC 27701:2025
• ISO/IEC 42001:2023
• ISO 20000-1:2018
Owner: Process Excellence & Risk Management (Quality Team)
3. Third-Party Risk Management
Does NEUREALM have a Third-Party Risk Management Program?
Standard Response
Yes.
NEUREALM operates a Third-Party Risk Management (TPRM) process to assess, monitor, and manage risks associated with suppliers, subcontractors, consultants, cloud service providers, and other third-party entities.
The process includes:
• Vendor Due Diligence
• Security Assessment
• Privacy Assessment
• NDA Verification
• Contract Review
• Compliance Verification
• Risk Classification
• Periodic Reassessment
Security, confidentiality, privacy, and compliance obligations are contractually flowed down to applicable suppliers.
Owner: Procurement, Security, Compliance & Legal
4. Protection of Client Information and Intellectual Property
How does NEUREALM protect customer information and intellectual property during and after project execution?
Standard Response
NEUREALM recognizes the protection of client information and intellectual property as a critical business and contractual responsibility.
Our protection framework is supported by ISO 9001:2015, ISO/IEC 27001:2022, ISO/IEC 27701:2025, SOC 2 Type II, TISAX®, DPDPA and related governance controls.
During Assignment Execution
• Personnel are bound by Confidentiality Agreements (NDA), Employment Agreements, and Code of Conduct requirements.
• Access is granted on a Need-to-Know and Least Privilege basis.
• Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) are enforced where applicable.
• Client information is protected through secure repositories, controlled access mechanisms, encryption, and monitoring controls.
• Security awareness training is conducted periodically.
• Third-party access is subject to authorization, contractual obligations, and security controls.
• Security incidents, vulnerabilities, and risks are monitored through established governance processes.
• Vulnerability Assessments and Penetration Testing are conducted periodically to identify and mitigate risks.
Intellectual Property Protection
• Client intellectual property remains protected in accordance with contractual obligations.
• Source code, documentation, designs, business processes, and deliverables are controlled through secure repositories and change management processes.
• Unauthorized disclosure, reuse, distribution, or replication of client intellectual property is prohibited.
After Assignment Completion
• User access is revoked upon project completion or separation.
• Client information is retained, archived, returned, or securely destroyed in accordance with contractual and regulatory obligations.
• Confidentiality obligations remain enforceable beyond employment termination and project closure.
• Backup media and retained information are managed according to documented retention and disposal procedures.
Compliance Support
NR’s information protection framework is supported by:
• ISO 9001:2015
• ISO/IEC 27001:2022
• ISO/IEC 27701:2025
• SOC 2 Type II
• TISAX
• DPDPA
• Internal and External Audits
Owner: Information Security Team – GRC, Legal
5. Privacy and Personal Data Protection
Does NEUREALM comply with privacy regulations?
Standard Response
Yes.
NEUREALM has established a Privacy Information Management System (PIMS) aligned with ISO/IEC 27701:2025 requirements.
Privacy controls address:
• Personal Data Processing
• Data Subject Rights
• Consent Management
• Privacy Risk Assessments
• Third-Party Data Sharing
• Data Retention and Disposal
• Incident Management
• Cross-Border Data Transfers
NEUREALM also considers applicable privacy obligations arising from:
• DPDPA
• GDPR principles
• UK GDPR principles
• Contractual privacy requirements
Applicability depends on the engagement scope and contractual obligations.
Owner: GRC Team
6. AI Governance
Does NEUREALM use Artificial Intelligence and govern AI-related risks?
Standard Response
Yes.
NEUREALM has established an AI Management System aligned with ISO/IEC 42001:2023.
The governance framework includes:
• AI Acceptable Use Policy
• AI Risk Assessments
• AI Inventory Management
• Human Oversight Controls
• AI Incident Management
• Data Protection Controls
• Monitoring and Continuous Improvement
By default, customer confidential information and personal data are not used to train public AI models unless explicitly approved contractually and governed through approved controls.
Owner: AI Governance Team
7. Secure Software Development
Does NEUREALM follow a Secure Software Development Lifecycle (SSDLC)?
Standard Response
Yes.
NEUREALM maintains a Secure Software Development Lifecycle (SSDLC) incorporating security throughout the software development lifecycle.
Controls include:
• Security Requirements Review
• Threat Modeling
• Secure Coding Standards
• Peer Code Reviews
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Dependency Scanning
• Vulnerability Management
• Penetration Testing
• Secure Release Management
The SSDLC aligns with:
• ISO/IEC 27001
• OWASP
• NIST SSDF
• TISAX
• SOC 2
Owner: Delivery & Security
8. Incident Management
Does NEUREALM maintain an Incident Response Program?
Standard Response
Yes.
NEUREALM maintains a documented Incident Management and Response Program that includes:
• Incident Detection
• Classification
• Escalation
• Investigation
• Containment
• Eradication
• Recovery
• Lessons Learned
Security incidents are managed through defined response procedures, and customer notification obligations are addressed in accordance with contractual and regulatory requirements.
Owner: Information Security Team – GRC
9. Business Continuity and Disaster Recovery
Does NEUREALM maintain Business Continuity and Disaster Recovery Plans?
Standard Response
Yes.
NEUREALM maintains documented Business Continuity and Disaster Recovery processes designed to ensure continuity of critical services and timely recovery of systems during disruptive events.
Activities include:
• Business Impact Analysis
• Risk Assessment
• BCP Testing
• DR Testing
• Recovery Validation
• Management Review
Owner: Business Continuity Team (Quality)
10. Before Answering Any Customer/Third Party Assessment Questionnaire
Mandatory Applicability Assessment
Before answering any customer questionnaire, the following must be confirmed:
• Project Scope
• Service Scope
• Data Classification
• Data Processing Activities
• Hosting Model
• Cloud Usage
• AI Usage
• Customer Environment Access
• Regulatory Applicability
Compliance should never be assessed before applicability is established.
This avoids incorrect responses, unnecessary escalations, and review delays.
