
Deloitte’s Technology Risk Management Framework

Deloitte Australia has been ISO 27001:2002 certified

Deloitte is committed to providing our clients with the highest level of security and assurance. Our comprehensive Risk Management Framework is based on industry best practices and is continuously updated to reflect the latest threats and risks.

With cyber-risks, privacy breaches, regulation, and legal concerns to address, it is essential to safeguard your organisation’s and your customers’ data. To proactively mitigate these risks in the solutions we develop, we have a set of policies and standards, and a well-defined process to manage risk and guide the creation, delivery and management of technology solutions.

The risk management framework ensures Deloitte technology assets and solutions align with industry security standards and processes and are hosted on Deloitte-certified environments.

Our comprehensive framework is meticulously designed to safeguard our clients’ data on Deloitte’s solutions throughout the entire lifecycle, from inception to operation within our Deloitte-certified environments. At every stage – designing, implementing, and operating technology solutions – security and risk mitigations take centre stage. Our teams proactively assess potential risks, integrate robust security measures during coding and development, and continuously monitor and update defences on a day-to-day basis. With a full lifecycle approach to security, we ensure that the solutions we offer remain fortified, enabling our clients to navigate the technology landscape with confidence and focus on their core business objectives without compromise.


  • Safeguard your organisation’s and your customers’ data.
  • Ensure all technology assets are secure and compliant with industry standards.
  • Deliver cost-effective, quality solutions that are quick to market.
  • Reduce the risk of cyber-attacks.
  • Improve the quality and efficiency of technology development and management.

How it works

We build our software following Deloitte’s Global Technology Operating Model (GTOM), a firmwide set of well-defined standards. These standards allow us to build secure solutions and deliver confidence to our clients. These standards are critical to ensuring we are ISO 27001:2002 compliant.

The Global Technology Operating Model (GTOM) consists of five key pillars:

Cybersecurity: Security is embedded into the entire application development lifecycle and is managed by approved cyber security professionals. There are several security checkpoints that must be met during the application development lifecycle, including security scanning and penetration testing. Deloitte also conducts Vendor Cyber Risk Management for third-party technology assets, solutions, or services, to ensure they are compliant and secure.

Professionals maintain and annually renew an active certification through the Global Asset Program’s Technical Certification Framework, and are regularly trained in safe data handling, in how to use technology, and in how we train our clients to use it.

Solution Development: All technology assets are developed in collaboration with IT or a Development Hub to ensure they satisfy proper protocols and meet infrastructure, security, quality, and compliance requirements.

Hosting: Assets are built and hosted on Deloitte-certified environments and are subject to a defined set of risk controls. Cloud environments have guardrails in place that are managed globally by Deloitte. These guardrails ensure that solutions can be deployed to the cloud in a secure and compliant manner.

Planning and Program Management: A documented management process is followed to guarantee quality, accelerate speed to market for technology enhancements, tailor applications to new use cases, and ensure we are building technology as cost-effectively as possible.

Privacy and Risk: Technology solutions and related activities follow a risk controls framework and process. This requires a confidentiality and privacy risk assessment to be completed for all Deloitte technology assets, to help mitigate potential risks to data privacy and ensure regulatory compliance.