News
OUR CLIENTS
Get in Touch
Book a Demo
Row of black hexagonal dumbbells on a rack in a gym with a brick wall background.

Cyber Security Overview

ABOUT
Jonas Leisure Logo Motif.

Introduction

Security is fundamental to how Jonas Leisure delivers software and services for fitness, aquatic and leisure operators across Australia and New Zealand.

Jonas Leisure recognises that customers entrust us with member, employee, operational and transactional data. Protecting the confidentiality, integrity and availability of that data is a core business commitment and is supported by an ongoing security programme that is reviewed as our organisation, technology landscape and threat environment evolve.

This overview summarises Jonas Leisure’s security and compliance approach for its information technology systems, customer-facing products and supporting services. It is designed to provide prospective customers, partners and tender evaluators with a clear view of the organisational, technical and operational controls used to protect customer data.

Key assurances at a glance

  • Information Security Management System aligned to ISO/IEC 27001:2022, NIST Cyber Security Framework 2.0 and ACSC Essential Eight.
  • Customer data protected through role-based access control, least privilege, multi-factor authentication and audit logging.
  • Encryption applied for sensitive data in transit and at rest using industry-standard controls.
  • Documented incident response, breach assessment, business continuity and disaster recovery processes.
  • Security monitoring, vulnerability management and change management practices embedded into operational routines.
  • Privacy commitments aligned to the Privacy Act 1988 (Cth), Australian Privacy Principles and Notifiable Data Breaches scheme.

Security Governance, Risk and Compliance

Jonas Leisure’s primary security focus is safeguarding customer and user data. The security programme is governed through documented policies, risk management activities, executive oversight and defined work plans that guide practical cyber risk reduction across the business.

Company-wide Security Mindset

Information security is an organisation-wide responsibility at Jonas Leisure.

Leaders, product teams, support teams and operational teams all play a role in maintaining secure ways of working and protecting customer information.

Security risks, incidents, control improvements and key assurance activities are reviewed through defined governance channels. This supports accountability and ensures that security remains visible in product, operational and customer delivery decisions.

At the IT and security team level, detailed work plans guide control improvements, risk treatment activities and operational security tasks.

Information Security Risk Management

Jonas Leisure assesses information security risks across systems, projects, applications and information assets. Risks that exceed appetite are prioritised for remediation through project delivery, operational work plans, vendor management or executive review.

Information Security Management System

Jonas Leisure maintains information security policies, standards and processes aligned to ISO/IEC 27001:2022, NIST Cyber Security Framework 2.0 and relevant Australian security guidance. Employees, contractors and relevant third parties are made aware of applicable policies and are expected to comply with them. Policies are reviewed at least annually or when material change requires earlier review.

Jonas Leisure Security Team

Jonas Leisure employs information technology, information security, privacy and risk professionals who support the security programme across our products, hosting environments and internal business systems.

The security function is responsible for maintaining security controls, supporting security review processes, monitoring for threats, assisting with risk assessments and helping product and operational teams apply secure practices.

Where additional assurance is required, Jonas Leisure engages external specialists to support activities such as penetration testing, security reviews, compliance assessment, technical advice and independent validation of controls.

Internal audit and compliance specialists

Jonas Leisure uses internal assurance activities and, where appropriate, independent external specialists to review compliance with security laws, regulatory expectations, contractual obligations and recognised security standards.

Compliance obligations are monitored so that changes in legislation, customer expectations and industry standards can be assessed and addressed in a timely manner.

Human Resources Security

Jonas Leisure embeds security awareness from onboarding through to ongoing employment. Staff are provided with guidance on acceptable use, privacy, data handling, password hygiene and their obligations when using company systems and customer information.

Employee background checks

Before staff join, Jonas Leisure may verify an individual's education and previous employment. Depending on the role, additional checks may also be conducted in line with legal, contractual and operational requirements.

Security training for all employees

All Jonas Leisure employees receive security awareness guidance as part of onboarding and ongoing employment. This includes expectations relating to acceptable use, privacy, data handling, password hygiene and responsible use of company systems.

Role-specific training is provided where required. This may include technical security briefings, awareness updates, product-specific guidance or professional development relevant to security responsibilities.

Identity and Access Management

Access to Jonas Leisure systems is managed through defined approval, authentication and review processes. Access is granted based on role, business need and the principle of least privilege.

Password Security

Jonas Leisure applies strong authentication practices and promotes secure password hygiene. Where available and appropriate, single sign-on and multi-factor authentication are used to reduce credential risk and strengthen access control.

Where a password is still required, Jonas Leisure applies minimum password requirements and promotes the use of strong, unique credentials. Account and password sharing is prohibited. Sensitive repositories of customer information use multi-factor authentication or single sign-on solutions where available and appropriate.

Access Management

Jonas Leisure uses a formal user access process. Access is granted through role-based controls, supported by approval workflows, authentication controls and logging for systems containing customer or sensitive information.

Segregation of Duties

Jonas Leisure segregates duties to reduce the risk of fraud, error or inappropriate access. Administrative functions such as user creation, approval and changes to access restrictions are separated where practical and subject to appropriate controls.

Restricted Privileged Access

Privileged access to customer and other sensitive data is restricted to authorised personnel with a legitimate business need. Access rights are based on job function, role, least privilege and need-to-know principles. Most employees are granted restricted access to standard business applications only.

Requests for additional access follow a formal approval process involving the relevant system owner, data owner, manager or authorised executive delegate.

Data Security and Privacy

Jonas Leisure is a custodian of customer personal information and business data. We apply technical, organisational and procedural controls designed to reduce the likelihood and impact of unauthorised access, data loss, misuse or privacy breach.

Cryptographic Protections

Industry-standard encryption is used when Jonas Leisure transmits data between internal or external systems.

Sensitive interactions with Jonas Leisure products and systems, including websites, portals and internal supporting systems, are encrypted in transit using Transport Layer Security (TLS) 1.3

Jonas Leisure uses industry-standard technologies to help protect data in transit and at rest.

Data Backup

Jonas Leisure backs up and replicates data to support fault tolerance and timely recovery where required. Customer and other sensitive data are backed up in line with operational requirements and protected through access controls, security monitoring and supporting business continuity practices.

Asset Management

Jonas Leisure maintains asset information to support effective management of critical business systems, data classification, incident response and access control. Jonas Leisure applies controls to protect information according to its sensitivity and business value throughout its lifecycle.

Information Security Incident Response and Notifiable Data Breach Process

Jonas Leisure maintains an incident management process for security events that may affect the confidentiality, integrity or availability of systems or data.

Incident response playbooks provide step-by-step guidance for handling information security incidents from detection through containment, remediation and review. Testing is performed for critical areas and considers scenarios such as insider threats, software vulnerabilities and service disruption.

Where an incident involves personal information, Jonas Leisure follows its Notifiable Data Breach process, including containment, assessment, notification where required, and remediation. Eligible Data Breaches are assessed in line with statutory requirements and applicable customer obligations.

Endpoint, Network and Cloud Security

Jonas Leisure applies layered controls across endpoints, networks and cloud services to reduce the risk of unauthorised access, malware, credential compromise and service disruption.

Controls include secure configuration standards, authentication controls, network segmentation where appropriate, monitoring and logging, vulnerability management, anti-malware protection and defined processes for remote access.

Secure Configuration Standards

Jonas Leisure systems are built and maintained using secure configuration practices designed to align security controls with industry best practice. These practices support endpoint, server and cloud security and help ensure systems are hardened appropriately for their operating environment.

Network Security

Networks are critical to Jonas Leisure operations. Jonas Leisure applies network security controls including access control rules using the least-privilege principle, network segregation where appropriate, monitoring and logging to support the ongoing security of network environments.

Remote access into Jonas Leisure network environments is controlled through secure remote access methods with strong authentication controls, such as MFA

Anti-Malware Protection

Jonas Leisure deploys malware protection controls (Extended Threat Detection and Response (XDR) across relevant entry points and enterprise assets to detect, prevent and respond to malicious software or code execution. Logging and alerting are integrated into operational monitoring processes.

Mobile Device Security

Jonas Leisure applies mobile device security controls to reduce the risk of data loss or unauthorised access. Controls via Mobile Device Management (MDM) may include device encryption, strong authentication, mobile device policies and remote wipe capability where appropriate.

Operational Security

Change Management

Jonas Leisure maintains change management practices to support consistent, controlled and auditable changes across systems, applications and infrastructure.

Vulnerability Management

Jonas Leisure maintains vulnerability and patch managementprocesses to identify, assess and remediate security weaknesses. Identified vulnerabilitiesare tracked and followed through to remediation, with follow-up reviewperformed where required.  Generalvulnerability assessments are done on a maintained scheduled basis outside ofcritical vulnerability events (CVEs)

Jonas Leisure monitors relevant security advisories,vendor notifications and industry sources to assess emerging vulnerabilitiesand cyber threats.

Monitoring and Logging

Jonas Leisure’s security monitoring and logging activities focus on collecting and reviewing key events from relevant systems, network connections and user activity where appropriate.

Important logs are monitored to identify abnormal events, support incident response and assist with operational security investigations.

Physical Security

Jonas Leisure operates without physical company offices and uses commercial data centre, hosting and cloud service providers for critical and customer-facing systems where applicable. Physical security controls for those environments are managed by the relevant provider and may include access controls, alarms, surveillance, perimeter controls and environmental safeguards.

Access to hosting environments, data centre facilities and cloud administration functions is restricted to authorised personnel and governed by provider and Jonas Leisure access control requirements.

Hosting and data centre environments are expected to include resilience controls such as redundant power, environmental monitoring, fire detection and suppression, and other safeguards appropriate to the criticality of the services supported.

For remote and flexible work arrangements, Jonas Leisure applies security expectations via formal policy relating to device protection, authentication, secure connectivity, confidentiality and appropriate handling of customer information outside a traditional office environment.

Cryptography

Cryptography is used to support the confidentiality,integrity and authenticity of Jonas Leisure information. A risk-based approachis used to determine appropriate cryptographic controls, including encryptionfor data in transit and at rest where appropriate.

Key management processes and cryptographic standards are usedto support the effectiveness of cryptographic controls and reduce operational risk.

System Acquisition, Development and Maintenance

Security requirements for new systems, applications and infrastructure are considered during planning and design. Appropriate controls, audit trails and activity logging are incorporated into application systems and integrations where required.

Proposed system changes, including new applications and material configuration changes, are reviewed to confirm they do not introduce unacceptable security risk. Development and test environments are separated from production, and critical systems are tested before production use.

Supplier and Third-Party Risk

Third-Party Suppliers

Jonas Leisure may engage third-party suppliers to support hosting, infrastructure, support, compliance, professional services or business operations.

Suppliers are assessed based on the nature of the service provided, their access to customer or sensitive information, and the level of operational dependency involved.

Where supplier access to sensitive information is required, Jonas Leisure applies due diligence, contractual obligations and security expectations appropriate to the risk profile of the engagement.

Before onboarding third-party suppliers, Jonas Leisure assesses their security and privacy practices where appropriate to ensure controls are suitable for the nature of the service, level of access and data involved.

Business Continuity and Disaster Recovery

Jonas Leisure maintains business continuity and disaster recovery practices designed to reduce disruption to acceptable levels through preventative, detective and recovery controls.

Continuity and recovery planning includes consideration of backups, recovery procedures, incident response, hosting resilience, service restoration and communication requirements. Plans are reviewed and tested on a scheduled basis.

Compliance and Assurance

Jonas Leisure staff are expected to understand and comply with relevant obligations relating to privacy, software licensing, information security, customer confidentiality and applicable legislation.

Exceptions to security policies, standards or contractual requirements are assessed case by case. Where an exception is approved, compensating controls and review timeframes are defined so that risk remains visible and actively managed.

Get in Touch

Level 13
348 Edward Street
Brisbane
QLD 4000
Melbourne
Sydney
Brisbane
Perth
Auckland
Wellington
Thank you.
Your submission has been received. Our team will be in touch soon.
Something went wrong while submitting the form. Please complete all mandatory fields.