Corporate Governance
Data Privacy, Data Protection and Data Security
Data Privacy
Crisil has a robust data privacy framework. As part of our data privacy programme, we have implemented policies and frameworks to comply with global privacy regulations, including GDPR, CCPA and PIPL. The risk-based framework enables Crisil to comply with the data protection laws applicable to it. We continuously assess and enhance our data protection measures to minimise the risks associated with personal data processing.
Our privacy initiatives include:
Privacy Governance: A structured governance framework with defined roles and responsibilities, ensuring privacy is embedded in business processes.
Data Subject Rights Management: Efficient mechanisms to handle Data Subject Requests (DSRs) and ensure that individuals' rights are respected.
Vendor Assessment: Privacy impact assessments of vendors and partners to uphold our data protection standards.
Employee Awareness and Training: Regular training sessions and awareness campaigns to reinforce privacy principles across the organisation.
Crisil's privacy policy sets out the principles followed for the collection, usage, disclosure, security and retention of personal data.
Read Crisil's Corporate Privacy Policy
Read Crisil's Confidentiality Policy
Refer to data table no. 6 of this Report for training on policies.
Data Protection and Data Security
Protecting data, and securing it during transmission, is vital to Crisil's business. Crisil has implemented comprehensive measures, including strong access controls, encryption of sensitive information, and periodic audits to verify compliance with organisational policies. Data protection involves deploying technical and administrative controls to protect against vulnerabilities and threats such as malware or data theft. The use of current tools and technologies, including multifactor authentication, data loss prevention, control of inbound and outbound traffic through firewall systems and proxy solutions, and controls on personal devices used for work-related access, safeguards data from unauthorised access, alteration and destruction.
In 2024, Crisil improved the operational maturity of its information security posture through new initiatives and enhanced tools for preventing data loss and protecting intellectual property. These controls provide adequate and proportionate protection of Crisil's confidential information assets. Crisil measures its cyber policies and preparedness against the NIST framework. The company conducted comprehensive internal and external audits to validate compliance and continuously improve its security posture, strengthening its security protocols on an ongoing basis to remain resilient against evolving cyber threats.
To raise awareness, advisories are circulated, and information security training and phishing simulations are conducted regularly to educate employees about emerging threats.
Crisil has been ISO 27001:2013 certified since 2015, demonstrating its long-standing commitment to information security management. We are actively upgrading to the ISO 27001:2022 standard, ensuring continued alignment with the latest global best practices.
Crisil has achieved SOC 2 Type 2 certification for key business units, along with three critical applications. This certification, conducted by independent AICPA-accredited auditors, reflects our commitment to addressing client trust and regulatory requirements while maintaining robust operational integrity.