ISACA London Chapter’s E-Voting System Comes Under Scrutiny

Several members of the ISACA London Chapter have raised their concerns over the e-voting system introduced for the Chapter’s upcoming Extraordinary General Meeting (EGM) on March 13.
During the event, members of ISACA’s London Chapter will elect the next board of directors. ISACA London Chapter is the largest of 228 ISACA regional chapters, with over 5500 members. Each ISACA chapter is an independent, self-governing organization.
Members of the London Chapter unable to attend the event were allowed to appoint a representative to vote online on their behalf by 6 pm GMT on March 11, 2025.
In a LinkedIn post published on March 12, Allan Boardman, Founder of CyberAdvisor.London and Committee Member of ISACA’s Certified Data Privacy Solutions Engineer (CDPSE) certification, criticized the e-voting system.
He said it was “deployed hastily” and “without the necessary security measures and scrutiny, undermining the integrity of our governance process.”
Some of the shortcomings mentioned by Boardman include:
- A lack of authentication: Boardman claimed that the e-voting system only relies on a membership number with no secondary verification, which he said poses a significant security risk
- A lack of email confirmation: Boardman said voters receive no confirmation post-vote, removing any personal audit capabilities and exposing the system to potential fraud
He said that these shortcomings could expose the e-voting system to malicious activity.
“For instance, hypothetically, if someone with unrestricted access to the membership database, which includes ISACA IDs, were to exploit this access, it could lead to multiple unauthorized votes being cast undetected,” he said.
“It’s important to note that access to this comprehensive database is available to several board members,” he added.
Additionally, Sarb Sembhi, CTO at Virtually Informed Limited, told Infosecurity that members of the ISACA London Chapter were not informed that their personal data would be shared with the firm facilitating the e-vote.
Confusion was also caused when an email sent to members on behalf of the e-voting firm appeared to be from ISACA Global, rather than the ISACA London Chapter.
Questions Over ISACA Privacy Policy and GDPR
Additionally, Boardman believes that the e-voting system violates both the UK’s General Data Protection Regulation (UK GDPR) and ISACA London Chapter’s own Privacy Policy, which does not authorize sharing members’ data for e-voting.
“Despite having raised these concerns with the chapter leadership on multiple occasions, there has been a lack of action to address these vulnerabilities,” Boardman added.
The complainant urged all members of ISACA London Chapter to “demand a full and independent investigation and audit of the e-voting process.”
Although the deadline for e-voting has passed, he suggested members attend the EGM on March 13 and “use your voice to challenge the current practices.”
ISACA London Chapter Board Says E-Vote is Compliant
Speaking to Infosecurity, a spokesperson for ISACA’s London Chapter Board denied Boardman’s claims, stating that “the online voting platform chosen has been independently verified, secure, and extensively tested to ensure that members’ personal data is processed in full compliance with applicable data protection legislation.”
“The platform is specifically designed to protect the integrity and confidentiality of votes while minimizing data processing to only what is strictly necessary for conducting a valid and efficient vote,” the spokesperson added.
The spokesperson also noted that the London Chapter Board has a clear and legitimate interest in processing member data for governance and democratic participation purposes, as recognized under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
They explained that this includes facilitating votes on Chapter matters, which fall under the lawful basis of ‘legitimate interests’.
Finally, the spokesperson also stated that this means the processing of data for such purposes does not require consent, provided it is necessary and does not override the rights and freedoms of members.
Also speaking to Infosecurity, Julia Kanouse, Chief Membership Officer of ISACA Global, commented: “We are aware of issues raised regarding the voting process for the London Chapter’s Extraordinary General Meeting [and] we require chapters to comply with relevant regulations and governance best practices. We are expecting a fair, conclusive and secure vote so all parties can move forward confidently to carry out the chapter members’ remit.”