UKAS Security Statement

UKAS is committed to using systems, equipment and services that are secure and regularly updated and aligned to industry best practice and standards in the areas of security and data protection.

UKAS’ third party partners will not use UKAS customer data or derive information from customer data for marketing or advertising purposes.

See UKAS’s privacy notice for details of how UKAS handles private data.

UKAS Policies

UKAS has policies on information security, document handling/retention, and data protection that clearly define responsibilities, security protocols and acceptable use of its information technology systems and assets. Policies are reviewed at least annually and updated as necessary.

UKAS policies detail the security protocols and standards that employees must follow, including in relation to access controls, confidentiality, business and private data protection, physical security, appropriate usage and code of conduct.

UKAS Workforce

UKAS receives signed acknowledgement from employees indicating that they have read, understand, and agree to abide by UKAS’ security and data protection protocols.

All employees and contractors are required to sign confidentiality agreements.

Critical Suppliers

All critical suppliers are reviewed and are required to provide evidence of:

• ISO 27001 accredited certification from a UKAS accredited certification body if providing hosting, data, or information services

• Any other accredited certification as applicable to the service they are providing

• Compliance with regulatory requirements, including the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS)

• A security statement covering how they manage and maintain security, including prevention, detection and ongoing maintenance of services

Our IT hosting provider has achieved numerous internationally recognised certifications and accreditations, demonstrating compliance with rigorous international standards, including:

• ISO 27017 for cloud security

• ISO 27701 for privacy information management

• ISO 27018 for cloud privacy

For cloud-based services, data is hosted in the UK and/or in the European Economic Area, specifically:

• UKAS’ current IT services and hosting partner is ISO 27001, ISO 14001, ISO 20000 and ISO 9001 certified by an accredited certification body and is an HM Government G-Cloud supplier. All their staff undergo security checks. Within their datacentres they run server monitoring tools across their hosted environment, plus Advanced Threat Analytics (ATA), which monitors and reports on internal security events and external threats.

• All current cloud hosting providers use datacentres that have ISO 27001 certification from an accredited certification body, with data located in either the UK or Ireland.

• UKAS engages an independent CREST- and CHECK-certified organisation to carry out penetration testing on an annual basis, covering all internal and external facing services and infrastructure, including third-party provided services and applications.

• In March 2021 UKAS attained the Cyber Essentials Certificate of Assurance (Certificate number: IASME-CE-014450).

UKAS cloud hosting providers process customer data only in line with UKAS’ documented instructions and do not access, use, or share UKAS customer data without agreement, except as required to prevent fraud and abuse, or to comply with law.

UKAS and its IT partners will not use UKAS customer data or derive information from customer data for marketing or advertising purposes.

Infrastructure, Hardware and Applications

All servers, email services and end-user devices run anti-virus and anti-malware software as part of UKAS’ defence-in-depth design.

All infrastructure, end-user devices and applications receive security patches on a monthly basis, with patches for zero-day vulnerabilities applied when appropriate.

Data at rest and in transit is encrypted.

UKAS devices can be remotely locked and removed from our domain.

Mobile phones are centrally managed and monitored and can be remotely wiped.

Cloud-based applications are security checked prior to release.

WEEE disposal and data deletion are undertaken by an organisation certified to ISO 27001, ISO 14001, ISO 22301 and ISO 9001. Our cloud hosting provider’s datacentre equipment will be securely disposed of in line with their ISO 27001 certification.

Our datacentre provider’s ISO 27001 certification specifies that physical and network controls are in place and that its cloud computing technology is designed with resilience as one of its core strengths.

Fine-grained identity and access controls, combined with continuous monitoring for near real-time security information, ensure that the right resources have the right access at all times. Risk is reduced by using security automation and activity monitoring services to detect suspicious security events, such as configuration changes, across the cloud hosting provider’s environment.

Change control and incident management are handled via an ISO 20000-compliant process.

All UKAS services undergo regular vulnerability scanning as well as annual external health checks. Where appropriate, security vulnerability testing will be undertaken prior to changes and updates being released into the application.

While designing the remote assessment services, the NCSC cloud service principles were applied, risks were evaluated and, working with third-party providers, mitigated as required.

Our cloud hosting providers have carefully selected suppliers with deep expertise and proven success securing every stage of cloud adoption, from initial migration through ongoing day-to-day management.

Role-Based Access

For internal users, role-based access controls are implemented for access to UKAS services and applications. Processes and procedures are in place to address the removal of users. Access control lists define the behaviour of any user within our information systems, and security policies limit them to authorised behaviours.

For external users, Record Level Permissions/Row Level Permissions are applied so that only relevant and authorised users have access to the data they are allowed to view and manipulate. This adds an additional layer of security to the data that is exposed externally via the portals.

Authentication and Authorisation

UKAS services require that authorised users be provisioned with unique account IDs. The password policy enforces the use of complex passwords to protect against unauthorised use of accounts. Multi-Factor Authentication is used to further protect against unauthorised access to the services.

File-Sharing

For file sharing UKAS uses Microsoft SharePoint and, upon a request by a Customer, DropBox for Business.

UKAS holds business licences for these applications, to ensure maximum security.

Further information on SharePoint security can be found at https://docs.microsoft.com/en-us/sharepoint/safeguarding-your-data.

Web-Conferencing and Collaboration

For web-conferencing, UKAS’s preferred application is Microsoft Teams.

Where customers are unable to access Microsoft Teams, UKAS also has business licences for GoToMeeting and Zoom.

Further Queries

If you have any further queries regarding UKAS IT security, please contact [email protected] using “IT security” as the subject.