Intility Trust Center

A portal for information security and compliance

This Trust Center provides insight, transparency and information regarding our technical and organizational security initiatives and controls. Our customers can use it to support their own compliance requirements.

Intility’s audit reports and other relevant documentation can be downloaded here: Compliance Document Center

Please do not hesitate to contact compliance@intility.no if you have further questions or need more information.

Privacy and Data Protection

To safeguard the privacy of our customers, we continuously apply improvements to our information security management system. This is ensured through risk assessments of our systems and infrastructure, evaluation of existing controls, documentation of data processing activities, audits of third-party providers and acquisition of new security technologies.

All assurance documentation is made available to customers in the form of two comprehensive attestation reports: ISAE 3402 Type II and ISAE 3000 Type II.

Independent Security and Penetration Testing​

Security and penetration testing is an integrated part of Intility’s platform service. Independent third parties perform continuous security assessments and penetration tests. These tests are conducted by reputable cyber security firms, and supplements Intility’s own security monitoring and response capabilities.

Customers of Intility can also conduct tailored security assessments/penetrations tests specific to their own environments upon request.

Disaster Recovery

To ensure service availability, Intility’s platform infrastructure is redundantly designed. Failover testing to ensure that the redundancy work as intended are performed regularly. In addition, response activities for different disaster scenarios are tested in simulated production environments on regular intervals.

Critical physical infrastructure such as power, cooling and firefighting mechanisms are maintained, tested and audited in accordance with contractual agreements. These control activities are also audited as part of the annual ISAE 3402 Type II attestation report available to all customers.

Cloud Security Alliance - CSA

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising best practices to help ensure a secure cloud computing environment. Intility was the first Norwegian corporate member of this alliance, which harnesses the subject matter expertise of industry practitioners, associations, governments, and businesses. Other corporate members of the Alliance include Microsoft, Google, Hewlett Packard, Cisco, IBM and Amazon Web Services as well as audit and security organizations such as ISACA, (ISC)², PwC, Deloitte, KPMG and Ernst & Young.

The Alliance has developed Cloud Controls Matrix (CCM), which is a framework designed to provide fundamental security principles for guiding cloud service providers and to assist prospective customers in assessing relevant risks. The CCM is the world’s only framework of cloud-specific security controls mapped to leading standards, best practices and regulatory requirements such as COBIT, PCI-DSS and ISO 27001.

Intility was the first Norwegian corporate member of the Cloud Security Alliance, and we have documented our response to all 16 control domains (comprising of 300 control activities) in the CCM. These are available upon request.

Intility's attestation reports

Increasingly, organizations and enterprises outsource IT services to support and further develop their own core business. In response, the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC), has issued the International Standard on Assurance Engagements (ISAE). The audit standards are international recognized and used all over the globe for assurance reporting on controls at a service organization.

The ISAE 3402 type II report describes whether Intility’s information security controls has been appropriately designed and operationally effective throughout an audit period of 12 months. The controls in the assurance report are based on the control framework Cloud Controls Matrix from the Cloud Security Alliance (CSA).

The ISAE 3000 type II report describes whether Intility’s controls and activities related to our role as a data processor pursuant to Article 28 of the GDPR have been appropriately designed and operationally effective throughout an audit period of 12 months. The controls in the assurance report are based on the control frameworks NOREA NOREA Privacy Control Framework (PCF) and the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance.

The ISAE 3402 type II report is a key delivery to Intility’s customers and their auditors to provide audit assurance for the following domains:

  • Security governance and risk management
  • Independent audit assurance
  • Security monitoring and incident response
  • Vulnerability management
  • Identity and access management (Intility and Microsoft cloud services)
  • Endpoint security (Windows, MacOS, iOS and Android)
  • Business continuity and operational resilience (Intility and Microsoft cloud services)
  • Data center security (access management, HVAC and power management)
  • Change control and configuration management 

The ISAE 3000 type II report is a key delivery to Intility’s customers and their auditors to provide audit assurance for the following domains:

  • Privacy management
  • Privacy roles and responsibilities
  • Privacy risk management
  • Privacy incident and breach management
  • Privacy staff competences
  • Privacy staff awareness and training
  • Legal review of changes to regulatory requirements/business requirements
  • Use, storage and disposal of personal information
  • Third party agreements and data transfers
  • Disclosure
  • Monitoring and enforcement
  • Data security

Compliance Document Center

Intility’s Compliance Document Center contains detailed descriptions of our security measures and controls. Here you can find governing policies, audit reports, certifications, data center security descriptions, security incident monitoring and response descriptions, a Q&A and more.

Customers can freely use this material to document internal assurance requirements, perform risk assessment and perform other internal control related initiatives.

Please contact compliance@intility.no if you need access to documentation that is not available in the Compliance Document Center or have other enquiries.