ISO27001 Certified Security

Here at Axis12 we are proud to have been ISO 27001 certified (certification no. 598644) since 2013. We are independently verified by a dedicated CLAS certified consultant. They ensure our processes continue to meet a high level of data security standards. 

Our team have experience of systems classified as 'Official' (IL2/IL3) for Security under the HMG Security Policy Framework (Cabinet Office, October 2013). This certification and experience covers design, development, hosting and support. 

Our high level data security processes and procedures incorporate Physical, Human and Digital security capability. We use these processes to ensure we keep client data and system secure on a continuous basis. Protecting against potential threats to Confidentiality, Integrity and Availability. 

All our employees undergo security screening. They also have CRB checks and BPSS security clearance. Our key staff members are also vetted to Security Clearance (SC). 

High level data security is very important to us.  We train each member of the Axis12 team in Cyber Essentials and ISO 27001 security processes. Some levels of access (e.g. server-level access) are also only provided to those staff members qualified to our highest level of data security. 

Asset protection and resilience 
The security of your data is very important to us. As such, we store all consumer data in two highly secure ex-military facilities. Find out more about the physical security at these data centres.  

We ensure that Customer data is not accessible by local unauthorised parties. Protecting data from being inadvertently disclosed, discarded, lost or stolen. 
 

External interface protection 
We subject our data centres to independent security testing on an annual basis. Two layers of authentication protect access to the service and management console. We can also restrict access to specific IP addresses if required. 

To protect our cloud boundaries, we use Snort Intrusion Detection System (IDS) monitoring. Alerting at the along with hardened server builds if required to disable unused ports.  

Our management systems continually analyse data. Removing any traffic that matches known attack or unusual traffic patterns. Passing only clean traffic on to our server. 

In the event of a Distributed Denial of Service (DDoS) attack, our data centres have the capability to divert all data through a scrubbing service. When a DDoS attack is detected, traffic is automatically redirected for 'Scrubbing'. 

We manage smaller scale DDoS attacks through IP blacklisting at the edge. Keeping our customers informed of progress from discovery through to resolution. 

In the event of a targeted, volumetric and distributed attack we identify the target and null route the associated IP ranges. This action enables us to protect all other customers on the service. 
 

Data at rest 
Data at rest is not encrypted by default but can be, if required by the customer. With every customer we discuss the levels of protection required by their circumstances. Implementing a cost effective and appropriate level of protection suiting their individual needs. 
 

Data in transit protection 
We use TLS version 1.2 and 256bit SHA to encrypt data in transit outside of our network. Connecting to the network via IPsec VPN. The connection between our primary and secondary data centres is over IPsec. We also protect our network at the boundary by Snort Intrusion Detection System (IDS). 
 

Assured data destruction 
Our processes for the destruction and deletion of data are strict. Documented in our Information Security Management System (ISMS). These processes also align with IAS 5 Secure Sanitisation and ISO 27002:2013. 
 

Secure service administration 
When our administrators are managing the service, we follow a set of procedures. This is to protect against interception between our office and the service. These include the use of role-based access permissions, strong password, two-layer authentication, IP whitelisting and IPsec VPN. 

We maintain an Information Security Management System (ISMS). Used to document all processes and procedures used to manage our service operations. We subject our ISMS to quarterly and annual internal reviews. ISO 27001 recertification also takes place on an annual base. Completed by the British Standards Institution.  
 

Operational security 
We follow strict processes and procedures for operational security: 

• Configuration and change management 
  We use controlled code repositories, automated deployment processes and a Change Management System. To ensure that changes to the system do not unexpectedly alter security properties. We only deploy when changes have been thoroughly tested and authorised.  

• Vulnerability management 
  Our internal security team are responsible for controlling security for our customers. This includes monitoring security notifications, identifying potential security vulnerabilities, conducting impact assessment and scheduling security patching. Our team adhere to timeframes for security patching as appropriate for the criticality level. We document these timeframes in our Information Security Management System (ISMS).     

• Protective monitoring 
  We use an Intrusion Detection System (IDS) at both of our data centres. This is to detect attacks and alert on unauthorised activity on the service.  

• Incident management 
  We log all security incidents in our ISMS. Using Corrective and Improvement Action Plans to manage any required resolutions. We share Incident Report, Corrective and Improvement Action Plans with customers were relevant.  

• Personnel security 
  Our key staff are all security vetted and hold Security Clearance (SC). We also conduct UK BPSS screening on all our personnel. All staff receive induction, annual refresher and ad-hoc security training and testing.  

• Secure development 
  We follow industry good practice for all development. This includes reference to security advisory sources such as Open Web Application Security Project (OWASP) Top 10.  Our good practice approach covers all secure design, coding, testing and deployment. To ensure integrity of the solution through development, testing and deployment we use a code repository. Bitbucket is our code repository of choice.  
   
  Our internal security team review all newly identified threats. Patches for critical vulnerabilities are deployed to production within 24hrs of impact assessment. Less critical vulnerability patches are deployed in the first week of the following month. 

• Secure consumer management 
  Each customer receives an Operation Agreement. In it we identify authorised personnel and their permitted actions. Only authorised named personnel with valid logins are able to report faults and instruct changes to the service. Any requests are completed via our ticketing system (Jira). We keep each customer's management console separate. So, customers can only access, modify and otherwise affect their own service.  

• Identity and authentication 
  Two layers of authentication protect access to management consoles. We will also restrict access to specific IP addresses if required. Granular permissioning controls are also available. If required, we will assign user roles appropriate to the level of access required. We encrypt service traffic outside of the protected network using Transport Layer Security (TLS). 
   
  Our stand setup consists of a series of layers that provide granular control and restriction to data and services. Our first line of defence are Primary firewalls. These lock down all unnecessary ports, so we can ban malicious traffic either automatically (using an IDS) or manually.  
   
  Our second layer of defence is a reverse proxy inside a Demilitarized Zone (DMZ). This can route either using layer 7 or layer 4 (depending on requirements). It also allows for additional security controls including IP or API key based filtering if required. 

Security is at the heart of all of our projects. View Our Work to discover more.  

Contact Us to discover how our team can help keep your data secure.