Legal & compliance
Trust, transparency, and accountability
Central index of HLD Group policies, compliance framework hubs, and programme alignment. These documents apply to our public website and general engagement; specific customer or vendor agreements may add further terms.
Featured framework hubs
SOC 2
Trust Services Criteria
SOC 2 is a cybersecurity compliance framework for service and technology providers that handle customer data; it drives continuous security processes to protect that data.
ISO 27001:2022
ISO 27001 is a universal standard for organizations to establish, maintain, and continually improve their information security management system (ISMS).
CMMC 2.0
Cybersecurity Maturity Model Certification for DoD and federal agency contractors handling federal contract information and CUI.
GDPR
General Data Protection Regulation for organizations handling EU and UK personal data.
HIPAA
Health Insurance Portability and Accountability Act for plans, providers, insurers, and organizations handling PHI.
FedRAMP
Federal Risk and Authorization Management Program for cloud service providers working with US federal government or federal data.
Essential Eight
Australian Cyber Security Centre strategies to mitigate cyber threats and protect systems against common attacks.
NIST CSF 2.0
NIST Cybersecurity Framework helping organizations understand risk and improve cybersecurity programmes.
Compliance resource kits
Curated policy and control bundles for common assurance programmes.
- CMMC 2.0 Kit
SSP, POA&M, CUI policies, and Level 2 control mapping.
- SOC 2 Kit
Trust Services Criteria policies and evidence programme.
- ISO 27001 Kit
ISMS policies, risk treatment, and control alignment.
- HIPAA Kit
PHI safeguards, privacy, and breach response mapping.
- Risk Management Kit
Enterprise risk identification, assessment, and treatment.
- Third-party Risk Kit
Vendor due diligence, monitoring, and contractual controls.
Policies & statements
- Privacy Policy
How we collect, use, and protect personal information.
- Terms of Service
Rules for using our website and services.
- Cookie Policy
Cookies, similar technologies, and your choices.
- Accessibility statement
WCAG 2.1 alignment and how to request support.
- Acceptable use
Permitted and prohibited use of our systems and sites.
- Modern slavery statement
Our approach under Australian modern slavery reporting expectations.
- Whistleblower & speak-up
Raising concerns about misconduct safely and in good faith.
- Responsible disclosure
How security researchers can report vulnerabilities.
- Security researcher hall of fame
Researchers recognised for good-faith vulnerability disclosure.
- Information security practices
High-level security and data handling principles.
- Complaints handling
How to make a complaint and what to expect.
Enterprise programme policies
46 published policies supporting our compliance frameworks. Each document includes detailed requirements, roles, and enforcement provisions.
Security & operations
- Information security policy v3.0
- Responsible disclosure v1.2
- Data classification policy v1.3
- Data retention & disposal policy v1.0
- Incident response plan v3.0
- Encryption policy v1.2
- Network security policy v1.0
- Logging & monitoring policy v1.0
- Vulnerability management policy v1.0
- Patch management policy v1.0
- Asset management policy v1.0
- Physical security policy v1.1
- Secure development policy v1.0
- Cloud security policy v1.0
- Security assessment policy v1.0
- Email & messaging security policy v1.0
Access & identity
Privacy & data
Business continuity
Third parties
Risk & compliance
Defense & federal
Governance & conduct
- Acceptable use policy v2.0
- Whistleblower & speak-up v1.1
- Complaints handling v1.0
- Accessibility statement v1.1
- Modern slavery statement v1.0
- Personnel security policy v1.0
- Security awareness & training policy v1.0
- Remote work security policy v1.0
- Code of conduct v1.0
- Anti-bribery & corruption policy v1.0
- Export controls & trade compliance v1.0
- Sanctions compliance policy v1.0