CloudM implements various technical and organizational measures to protect the confidentiality, integrity and availability of information (including personal data) in line with the assessed risk and the requirements of UK GDPR Art. 5.1(f), the ‘Security Principle’, and Art. 32, Security of Processing, primarily through controls adopted from ISO27001 and ISO27701, including, but not limited to:
- A dedicated Security Lead and Data Protection Manager - responsible for the operational delivery of information security and data protection in the business
- A high-level review forum - including Board-level members to oversee security and data protection
- CloudM is presently ISO27001 and Cyber Essentials certified - these certifications are renewed annually; the last third-party penetration test/cybersecurity assessment was in 2024
- A range of regularly reviewed and management-approved policies are in place as required or recommended by ISO27001:
  - Information Security Policy
  - Information Classification Scheme
  - Information Transfer Policy
  - Acceptable Use Policy
  - Remote Working Policy
  - Data Retention Schedule
  - Backup Policy
  - Access Control Policy
  - Incident Management Policy
  - Media Disposal Policy
  - Removable Media Policy
- Compliance with the relevant Data Processing Addendum/Master Service Agreement - to ensure that only required processing activities are performed
- Encryption of information - including customer personal data where in scope and subject to contract, at rest and in transit
- Regular backups of information - including personal data where in scope and subject to contract
- Regular assurance testing of security measures - through third-party audits and technical vulnerability testing
- Minimal to zero use of paper records/documentation containing personal data - including customer personal data where in scope and subject to contract
- Information Security and Data Protection training - as part of induction and refresher training for all employees
- Business continuity and disaster recovery - measures appropriate to the nature, size and complexity of the business, i.e. exclusive use of cloud infrastructure; no on-premises infrastructure is in use
- Project management and service delivery - measures to ensure that only the relevant employees are allowed access to customer information (including personal data) and/or systems/applications
- IT hardware device security - including hard-drive encryption, password protection, antivirus, auto-updates and mobile device management apps where applicable
- Networks - use of segregated networks (guest and corporate) in office locations
- IDM - 2FA, SSO and platform-integrated DLP/IRM tools (Google)
- ICO and NCSC - proactive monitoring
If you have any further questions around security please get in touch.