Document Summary

An overview of the technical and operational measures (‘TOMs’) that help safeguard our information assets, and those of our customers, against misuse, abuse or compromise.

Our approach to security and privacy

Last updated: 27 November 2023

Our safeguarding measures

Below is an overview of the technical and operational measures (‘TOMs’) that help safeguard our information assets, and those of our customers, against misuse, abuse or compromise. For additional security and privacy resources, please refer to our Trust Center.

1.1 Information Security Policies and Organization
A set of policies for information security is defined, approved by management, published, and communicated to employees and relevant external parties. ISO 27001/27002 - 5.1.1
The policies for information security are reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. ISO 27001/27002 - 5.1.2
All information security responsibilities are defined and allocated. ISO 27001/27002 - 6.1.1
Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Provider’s assets. ISO 27001/27002 - 6.1.2
Appropriate contacts with relevant authorities are maintained. ISO 27001/27002 - 6.1.3
Appropriate contacts with special interest groups or other specialist security forums and professional associations are maintained. ISO 27001/27002 - 6.1.4
Information security is addressed in project management, regardless of the type of project. ISO 27001/27002 - 6.1.5
Management responsibilities and procedures are established to ensure a quick, effective, and orderly response to information security incidents. ISO 27001/27002 - 16.1.1
Information security events are reported through appropriate management channels as quickly as possible. ISO 27001/27002 - 16.1.2
Employees and contractors using the Provider’s information systems and services are required to note and report any observed or suspected information security weaknesses in systems or services. ISO 27001/27002 - 16.1.3
Information security events are assessed and it is decided if they are to be classified as information security incidents. ISO 27001/27002 - 16.1.4
Information security incidents are responded to in accordance with the documented procedures. ISO 27001/27002 - 16.1.5
Knowledge gained from analyzing and resolving information security incidents is used to reduce the likelihood or impact of future incidents. ISO 27001/27002 - 16.1.6
Information security and its implementation shall be reviewed independently at planned intervals or when significant changes occur. ISO 27001/27002 - 18.2.1
Information systems are regularly reviewed for compliance. ISO 27001/27002 - 18.2.3
Managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements. ISO 27001/27002 - 18.2.2
Appropriate procedures are implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products. ISO 27001/27002 - A.18.1.2
Privacy and protection of personally identifiable information are ensured as required in relevant legislation and regulation where applicable. ISO 27001/27002 - A.18.1.4
Security perimeters are defined and used to protect areas that contain personal data and processing facilities. ISO 27001/27002 - 11.1.1
Secure areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access. ISO 27001/27002 - 11.2.1
Physical security for offices, rooms, and facilities is designed and applied. ISO 27001/27002 - 11.3.1
Physical protection against natural disasters, malicious attacks, or accidents is designed and applied. ISO 27001/27002 - 11.4.1
Procedures for working in secure areas are designed and applied. ISO 27001/27002 - 11.5.1
Access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, are controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. ISO 27001/27002 - 11.6.1
3.1 General Aspects of Access Control and Authentication
An access control policy is established, documented and reviewed based on business and information security requirements. ISO 27001/27002 - 9.1.1
The allocation of secret authentication information is controlled through a formal management process. ISO 27001/27002 - 9.2.4
Where required by the access control policy, access to systems and applications is controlled by a secure log-on procedure. ISO 27001/27002 - 9.4.1
Password management systems are interactive and shall ensure quality passwords. ISO 27001/27002 - 9.4.2
A policy and supporting security measures are adopted to manage the risks introduced by using mobile devices. ISO 27001/27002 - 6.2.1
A policy and supporting security measures are implemented to protect information accessed, processed, or stored at teleworking sites. ISO 27001/27002 - 6.2.2
Users ensure that unattended equipment has appropriate protection. ISO 27001/27002 - 11.2.8
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities are adopted. ISO 27001/27002 - 11.2.9
4.1 Authorization
A formal user registration and de-registration process is implemented to enable assignment of access rights. ISO 27001/27002 - 9.2.1
A formal user access provisioning process is implemented to assign or revoke access rights for all user types to all systems and services. ISO 27001/27002 - 9.2.2
Asset owners review users’ access rights at regular intervals. ISO 27001/27002 - 9.2.5
The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change. ISO 27001/27002 - 9.2.6
The allocation and use of privileged access rights is restricted and controlled. ISO 27001/27002 - 9.2.3
Information involved in application service transactions is protected to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication, or replay. ISO 27001/27002 - 14.1.3
4.2 Use of Cryptography
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. ISO 27001/27002 - 10.1.1
A policy on the use, protection, and lifetime of cryptographic keys is developed and implemented through their whole lifecycle. ISO 27001/27002 - 8.1.2
Cryptographic controls are used in compliance with all relevant agreements, legislation and regulations. ISO 27001/27002 - 8.1.3
Security is applied to off-site assets, taking into account the different risks of working outside Provider’s premises. ISO 27001/27002 - 11.2.6
All items of equipment containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. ISO 27001/27002 - 11.2.7
4.3 Information Classification, Asset Management & Disposal
Assets associated with information and information processing facilities are identified and an inventory of these assets is drawn up and maintained. ISO 27001/27002 - 8.1.1
Assets maintained in the inventory are owned. ISO 27001/27002 - 8.1.2
Rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented, and implemented. ISO 27001/27002 - 8.1.3
All employees and external party users return all Provider-owned assets in their possession upon termination of their employment, contract or agreement, or adjusted upon change. ISO 27001/27002 - 8.14
Information is classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. ISO 27001/27002 - 8.2.1
An appropriate set of procedures for information labelling is developed and implemented in accordance with the information classification scheme adopted by Provider. ISO 27001/27002 - 8.2.2
Procedures for handling assets are developed and implemented in accordance with the information classification scheme adopted by Provider. ISO 27001/27002 - 8.2.3
Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by Provider. ISO 27001/27002 - 8.3.1
Media is disposed of securely when no longer required, using formal procedures. ISO 27001/27002 - 8.3.2
Formal transfer policies, procedures, and controls are in place to protect the transfer of information through the use of all types of communication facilities. ISO 27001/27002 - 13.2.1
Information involved in electronic messaging is appropriately protected. ISO 27001/27002 - 13.2.3
Media containing information is protected against unauthorised access, misuse, or corruption during transportation. ISO 27001/27002 - 8.3.3
All relevant information security requirements are established and agreed upon with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the Provider’s information. ISO 27001/27002 - 15.1.2
Agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain. ISO 27001/27002 - 15.1.3
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, are managed, taking account of the criticality of business information, systems, and processes involved and re-assessment of risks. ISO 27001/27002 - 15.2.2
7.1 Backup
Backup copies of information, software, and system images are taken and tested regularly in accordance with an agreed backup policy. ISO 27001/27002 - 12.3.1
Records are protected from loss, destruction, falsification, unauthorised access, and unauthorised release in accordance with applicable laws, regulatory, contractual, and business requirements. ISO 27001/27002 - 18.1.3
7.2 Change Control
Operating procedures shall be documented and made available to all users who need them. ISO 27001/27002 - 12.1.2
Changes to systems within the development lifecycle are controlled by the use of formal change control procedures. ISO 27001/27002 - 14.2.2
When operating platforms are changed, business-critical applications are reviewed and tested to ensure there is no adverse impact on operations or security. ISO 27001/27002 - 14.2.3
Modifications to software packages are discouraged, limited to necessary changes, and all changes shall be strictly controlled. ISO 27001/27002 - 14.2.4
Testing of security functionality is carried out during development. ISO 27001/27002 - 14.2.8
Acceptance testing programs and related criteria are established for new information systems, upgrades, and new versions. ISO 27001/27002 - 14.2.9
Procedures are implemented to control the installation of software on operational systems. ISO 27001/27002 - 12.1.2
Rules governing the installation of software by users are established and implemented. ISO 27001/27002 - 12.6.2
7.3 Business Continuity and Disaster Recovery
Requirements for information security and the continuity of information security management in adverse situations shall be determined, e.g. during a crisis or disaster. ISO 27001/27002 - 17.1.1
Processes, procedures and controls shall be established, documented, implemented, and maintained to ensure the required level of continuity for information security during an adverse situation. ISO 27001/27002 - 17.1.2
7.4 Operational Aspects
The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled. ISO 27001/27002 - 9.4.4
The use of resources is monitored and tuned, and projections are made of future capacity requirements to ensure the required system performance. ISO 27001/27002 - 12.1.3
The clocks of all relevant information processing systems within a security domain are synchronized to a single reference time source. ISO 27001/27002 - 12.4.4
Audit requirements and activities involving verification of operational systems are carefully planned and agreed to minimize disruptions to business processes. ISO 27001/27002 - 12.7.1
Operating procedures are documented and made available to all users who need them. ISO 27001/27002 - 12.1.1
Access to information and application system functions is restricted in accordance with the access control policy. This includes the isolation of Personal Data in multi-tenant systems. ISO 27001/27002 - 9.4.1
Development, testing, and operational environments are separated to reduce the risks of unauthorized access or changes to the operational environment. ISO 27001/27002 - 12.1.4
Test data is selected carefully, protected, and controlled. Personal Data is not utilized for testing purposes during the software development lifecycle. ISO 27001/27002 - 14.3.1
9.1 Collection and Processing
The organisation shall ensure, where relevant, that the contract to process PII addresses the organisation’s role in providing assistance with the customer’s obligations (taking into account the nature of processing and the information available to the organisation). ISO 27701 - 8.2.1
The organisation shall ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer. ISO 27701 - 8.2.2
The organisation shall not use PII processed under a contract for the purposes of marketing and advertising without establishing that prior consent was obtained from the appropriate PII principal. The organisation shall not make providing such consent a condition for receiving the service. ISO 27701 - 8.2.3
The organisation shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation and/or regulation. ISO 27701 - 8.2.4
The organisation shall provide the customer with the appropriate information such that the customer can demonstrate compliance with their obligations. ISO 27701 - 8.2.5
The organisation shall determine and maintain the necessary records in support of demonstrating compliance with its obligations (as specified in the applicable contract) for the processing of PII carried out on behalf of a customer. ISO 27701 - 8.2.6
9.2 Obligations to PII Principals
The organisation shall provide the customer with the means to comply with its obligations related to PII principals. ISO 27701 - 8.3.1
9.3 Privacy by Design and Privacy by Default
The organisation shall ensure that temporary files created as a result of the processing of PII are disposed of (e.g. erased or destroyed) following documented procedures within a specified, documented period. ISO 27701 - 8.4.1
The organisation shall provide the ability to return, transfer and/or dispose of PII in a secure manner. It shall also make its policy available to the customer. ISO 27701 - 8.4.2
The organisation shall subject PII transmitted over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination. ISO 27701 - 8.4.3
9.4 PII Sharing, Transfer and Disclosure
The organisation shall inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this regard, so that the customer has the ability to object to such changes or to terminate the contract. ISO 27701 - 8.5.1
The organisation shall specify and document the countries and international organisations to which PII can possibly be transferred. ISO 27701 - 8.5.2
The organisation shall record disclosures of PII to third parties, including what PII has been disclosed, to whom and when. ISO 27701 - 8.5.3
The organisation shall notify the customer of any legally binding requests for disclosure of PII. ISO 27701 - 8.5.4
The organisation shall reject any requests for PII disclosures that are not legally binding, consult the corresponding customer before making any PII disclosures, and accept any contractually agreed requests for PII disclosures that are authorised by the corresponding customer. ISO 27701 - 8.5.5
The organisation shall disclose any use of subcontractors to process PII to the customer before use. ISO 27701 - 8.5.6
The organisation shall only engage a subcontractor to process PII according to the customer contract. ISO 27701 - 8.5.7
The organisation shall, in the case of having general written authorisation, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PII, thereby giving the customer the opportunity to object to such changes. ISO 27701 - 8.5.8