Robust Client Data Security & Confidentiality
This criterion assesses the organization's commitment to safeguarding client data and upholding confidentiality in accordance with Islamic principles and legal requirements. It evaluates the effectiveness of the policies, procedures, and technologies implemented to prevent unauthorized access, use, disclosure, or loss of client information, including personal, financial, and health-related data. The criterion examines data governance, security measures (physical, technical, and administrative), staff training, incident response protocols, and compliance with relevant data protection regulations.

Upholding client confidentiality is not just a legal obligation but also a fundamental requirement of Amanah (trustworthiness) in Islamic finance and professional services. This is underscored by Qur’an 33:72 (The Trust) and Qur’an 4:58 (rendering trusts to their owners). The concept of 'Sitr' (concealment/covering) mandates that organizations actively protect client privacy and refrain from undue curiosity or internal gossip (Ghibah). Furthermore, the principle of 'La darar wa la dirar' (no harm) necessitates strict controls for vulnerable clients to prevent harm from data misuse. Effective data security builds the trust and confidence essential for long-term relationships. The organization should demonstrate a culture of data privacy in which 'Privacy by Design' is standard, continuously monitoring and improving its practices to address evolving threats.
- Show your Record of Processing Activities (RoPA). Does it cover all client data flows and lawful bases?
- Provide the DSAR log for the last 12 months. Were all requests verified and answered within 30 days?
- Demonstrate the Joiner-Mover-Leaver (JML) process. Show evidence of access revocation for the last 3 leavers.
- Show the results of the last quarterly backup restore test and the last vulnerability scan/patch report.
- How does the organization operationalize the Islamic concept of 'Sitr' in its access controls and staff conduct policies?
- Provide evidence of International Transfer Risk Assessments (TRAs) and International Data Transfer Agreements (IDTAs) for any data stored outside the UK/EEA.
- Show the retention schedule and evidence of the most recent data disposal/deletion cycle.
- Data Protection Policy & Islamic Code of Conduct (referencing Amanah/Sitr).
- Record of Processing Activities (RoPA), Art. 30.
- DSAR Log and Procedure Document.
- Retention Schedule and Disposal Certificates.
- International Transfer Register, IDTAs, and TRAs.
- Third-party Contracts (Art. 28) and Supplier Due Diligence Reports.
- Patching Reports and Vulnerability Scan Results.
- Backup Restore Test Logs (Quarterly).
- Training Records (including Islamic ethics module).
- Incident Response Plan and Post-Incident Reports.
| Level | Rating | Description |
|---|---|---|
| 5 | 5/5 | Exemplary (Culture of Ihsan): ISO 27001/SOC2 certified or equivalent independent assurance; advanced controls (SIEM, DLP, PAM) fully operational; privacy engineering embedded in projects; predictive metrics used for continuous improvement. |
| 4 | 4/5 | Robust (Quantified Assurance): Meets all regulatory requirements including International Transfers and DSARs; Cyber Essentials Plus or equivalent baseline; quantitative KPIs (patching, training, restore tests) reported to Board quarterly; proactive risk management. |
| 3 | 3/5 | Adequate (Compliance Baseline): Policies, RoPA, and Privacy Notices in place; MFA and basic encryption (MCS) implemented; staff trained annually; Incident Response plan exists but testing is ad-hoc; generally compliant but reactive. |
| 2 | 2/5 | Weak (Inconsistent): Policies exist but are not operationalized (e.g., no retention schedule, ad-hoc access rights); basic security (AV/Firewall) present but lacks MFA or rigorous patching; documentation gaps in RoPA or contracts. |
| 1 | 1/5 | Inadequate: Significant non-compliance; no formal data governance; missing basic controls (backups, encryption); no evidence of staff training or lawful basis documentation. |
Discussion (1)
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json