
ISO 27001 Certified: How Azets safeguards your data

Azets is an ISO 27001 certified company, which means we meet the highest international standard for managing our information security management system. This certification is awarded by a recognised, accredited certification body on successful completion of an external audit of all our systems and processes. This underscores our commitment to safeguarding client data with industry-leading security practices.

What the certification means

  • Data Protection: We employ rigorous protocols to keep your data secure against risks and threats.
  • International Standards: Our ISO 27001 certification reflects our adherence to global best practices, providing confidence in our processes.
  • Ongoing Commitment: We continually update our security measures to stay ahead of emerging cyber risks.

Security Governance

At Azets we understand the importance of adopting the industry-leading security practices and technology needed to protect our customers' data. Security is embedded across all our technology, processes and programs.

Security Awareness Training

Our employees are an important line of defence when it comes to securing our customers' data. At Azets, all colleagues receive comprehensive induction training which includes security and data protection modules. This also includes acceptance of the acceptable use policy and completion of core security training topics.
Our comprehensive security training and awareness program includes quarterly training on the newest attack vectors and attack trends, monthly simulated phishing emails and role-based security.
In addition to the training platform, security and awareness information is included in staff bulletins and emails and is also published on the Intranet.
All staff are required to sign an acceptable use policy.
Mandatory data protection training is also undertaken annually.
Regardless of where a member of staff works (office or home), all users receive the same training. The training also reflects the changed working environment and the measures that staff must take when working from home.

Information Security and Data Protection

Azets has a dedicated Cyber Security team covering all cyber technical, procedural and governance processes. The team works across the business to ensure that all processes incorporate adequate security measures, that appropriate technical controls are in place and that configuration is robust.
Data privacy sits within the Risk & Compliance team, where the Group's Data Protection Officer resides. The Privacy and Cyber teams work very closely together to ensure that both of these aspects are fully addressed across the business. This includes day-to-day operations, projects, third-party suppliers/vendors and regulatory requirements.

Security Policies

Security policies are in place along with an Information Governance Framework. These documents are reviewed at least annually and are available to all staff. Supplementary policies and supporting procedures are created on a per-country basis where necessary. A suite of security policy documents is in place to support our ISO 27001 certification.

Risk Management

An Enterprise Risk Management framework has been defined across the business. Risk assessments are undertaken at the start of a project, prior to any major upgrade and as part of our wider supplier due diligence approach and on a continual basis. Any residual risk is managed and tracked. A GRC tool is in place which is used for capturing, tracking and managing all risks. Risks are regularly reviewed for status, accuracy and change in impact. Major/significant risks are reported to the Exco and the risk & audit committee.

Incident Management

A detailed incident management process is in place which is followed in the event of a security incident. This incorporates a lessons learned activity which captures any remedial activity/recommendations. The process includes details of communications with clients in the event that their data may be affected.
Scenario based tests are regularly undertaken.

Business Continuity and Disaster Recovery

Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) are in place. Simulated testing is performed to cover a range of potential scenarios.

Data Protection

How is Data Secured?

Data, systems and applications are hosted in public cloud services. The native facilities within the cloud platforms are used to encrypt all data at rest and in transit. Key management is undertaken using the in-built platform functionality.
As part of our comprehensive supplier due diligence process, the location and protection of any of our data that a supplier stores or processes is addressed. In all cases, data is encrypted in transit, at rest and when backed up. Where data is stored on an external system (e.g., a SaaS provider), we ensure that it is encrypted. The majority of the external applications that we use store and process data within the UK and/or EU. Should data reside in a different jurisdiction, confirmation is obtained that appropriate and approved agreements are in place and that these meet UK Data Protection laws.

Data Protection Controls

Data transmitted between Azets UK and any external party uses one of the following mechanisms:
  • Email – our email system is configured to send all emails encrypted by default where supported by the receiving party. Where an email contains sensitive information, we have a secure email facility that is used. The recipient receives a notification that a secure email is waiting for them and must log in to a secure portal to retrieve it. The same facility can be used by the external party to send emails to, or reply to emails from, Azets UK.
  • Secure file exchange – we have a secure file exchange facility that can be used to exchange data between an external party and Azets UK. All data is encrypted in transit and when stored on the file exchange server. A dedicated repository is created for each external party to ensure that no unauthorised user can gain access to their data. The external party's users are added to the file exchange solution on an individual basis and only the necessary access rights are assigned to each user.
  • Removable media – this is an option that is rarely used, but should it prove necessary, the following applies:
      – Only IT-approved and issued encrypted USB devices can be used. This is controlled via the device control application within our endpoint management software;
      – If we receive a USB device from an external party, the recipient's device is configured to permit access to the USB device so that they can download the content, after which their access to the device is disabled. Our A/V software automatically scans the device before any data is read from it.

IT Security Controls

Access Control

A role-based access control model has been implemented and access is provided on a need-to-know basis according to the user's role requirements; users are only given the minimum level of access required to undertake their job. All application and IT system administration is undertaken by the IT team; users cannot administer business applications.
Access requests are made through an internal service desk system and require approval by the line manager and/or the system or business owner.

Authentication

Users are forced to use complex passwords (via system configuration settings) with a minimum length of 14 characters. As detailed below, this is supplemented with multi-factor authentication.
Where externally provided Software as a Service providers cannot support federation with Microsoft Entra, an SSO proxy solution has been implemented. This requires the user to authenticate to the application daily and requires the use of MFA. The user can then access the target application without knowing the underlying credentials. When the user's Entra account is disabled, access to the SSO solution is also disabled.
This same solution also functions as a personal password manager for users.

System Maintenance and Vulnerability Management

A patching policy and process is in use within the business which includes patching timescales based on severity. This is supplemented with a vulnerability management application which scans devices on a continual basis (dependent on the device type). The security team proactively works with IT to ensure that patches are applied to the devices in a suitable timeframe (in accordance with our policy) and based on the severity. Patching progress/mitigation measures are closely monitored by the security team.
Additionally, vendor websites are monitored and/or we receive notifications when vulnerabilities have been identified with their product and their recommended actions are followed. The managed XDR service also provides threat information which supplements the vulnerability management measures in place.
Patches are tested on a sample number of systems to ensure that there are no adverse impacts before being rolled out to the rest of the estate. A system management tool is used to push software and/or configuration updates to all systems.
Infrastructure Security Controls

The following measures are in place:
  • All end user devices (EUDs) and servers have a hardened build applied to them;
  • Firewalls are enabled on all EUDs and within our server/cloud environment. Additionally, network security groups are also in place;
  • Anti-virus software is installed on all EUDs and servers. These are updated as soon as an update is issued by the vendor, and we proactively check that the installed A/V products are current;
  • With the exception of Microsoft Office, minimal software is installed on the EUD. As Remote Desktop Services (RDS) or Citrix is used to access the servers and line of business applications, any additional software is installed within the respective environment;
  • Application whitelisting is applied on all devices to define which applications users are permitted to run;
  • Users do not have local admin rights to their machines and are therefore limited in the changes that they can make;
  • An email gateway scans all inbound and outbound email. If an email fails any of the checks, it is quarantined. In most cases, the email must be released by the IT support team (only emails identified as potential spam can be released by the user);
  • URL filtering is in place. Certain website categories are blocked unless there is a specific business requirement to access them. Blocked categories include gambling, adult themes, internet file storage services and web-based email. Where exceptions are made, these are on a per-user basis;
  • We have a managed Extended Detection and Response (XDR) service which monitors all activity within our network, EUDs and servers. If a significant event is identified, it is investigated by the XDR provider and, following investigation, passed to Azets UK to undertake remedial activity if applicable. Logs from all our systems are ingested into the XDR service, which also integrates with AWS, Office 365, firewalls and our secure email gateway;
  • Access to our line of business applications is via our RDS or Citrix solutions. Authentication is via the user's network credentials and, if accessing from outside an office, multi-factor authentication (MFA) is required. All data remains within this environment and there is no access to the user's local hard drive when using an RDS/Citrix session;
  • Every user has their own network account. MFA is also required when accessing externally provided services. To minimise the number of accounts users must use, single sign-on is implemented where this is supported by the vendor;
  • Posture checking is performed against devices;
  • Access to Azets UK systems is only possible from a corporate-issued EUD.

Network Controls

The following measures are in place:
  • Network management of each office is undertaken by the IT department;
  • Firewalls are implemented in all offices;
  • Minimal IT infrastructure resides within each office, typically just network devices;
  • The guest wireless network has no connectivity to the corporate network;
  • Personal devices (e.g. mobile phones) cannot connect to the corporate wireless network;
  • Within our AWS deployment, extensive use is made of Network Access Control;
  • Test environments are segregated from the production environment.

Backup/Resilience Measures

The following measures are in place:
  • All data within our environment is encrypted at rest and in transit. Various backup methods are in place depending on the system being backed up. These include traditional daily/weekly/monthly backups, snapshots taken at 30-minute intervals and log file shipping;
  • Immutable backups are in place and are stored in a different location to our production systems;
  • Our cloud hosting provider has various resilience facilities in place (e.g. availability zones);
  • Cloud-native backup solutions are in use;
  • All backed-up data is encrypted;
  • The backup solutions are automated and an alert is generated if any of these automated processes fails. Processes and scripts are in place to restore data in the event of a system failure, loss of data or data corruption;
  • Restore testing is undertaken to ensure that the business Recovery Time Objective and Recovery Point Objective can be achieved.

Third Party Access

There are very few instances whereby third parties have access to our systems. Where this is in place, it is to provide support services. Access is provided only as and when required and is disabled when no longer needed. Confirmation is obtained from the third party as to the actions to be undertaken before access is granted. They do not have access to any client data.