Identity and access
Review authentication, authorisation, least privilege, administrative access, joiner-mover-leaver processes, and access evidence.
Loading
The public content is loading. You can keep this page open while the route becomes available.
Use this overview to frame a diligence conversation, then request the current evidence and deployment details relevant to your organisation.
Control areas
Review authentication, authorisation, least privilege, administrative access, joiner-mover-leaver processes, and access evidence.
Confirm encryption, key management, processing locations, segregation, backups, retention, deletion, and export for each data class.
Ask about secure development, dependency management, testing, change control, vulnerability handling, and production separation.
Review logging, alerting, triage, containment, recovery, customer notification, exercises, and post-incident learning.
Understand availability design, backup restoration, recovery objectives, supplier dependencies, and degraded-mode procedures.
Identify sub-processors and confirm how their access, locations, contracts, changes, and control evidence are managed.
Evidence pack
A current description of boundaries, components, processing paths, storage, suppliers, and administrative access.
Relevant policies, vulnerability-management information, independent test summaries, remediation status, and change dates.
Security terms, incident obligations, audit provisions, deletion commitments, named escalation routes, and responsibility boundaries.
Continue exploring
These pages add the operational, documentation, and trust context around this topic.
Next step
Tell us the intended use, organisation type, and evidence your review requires so the response can be scoped accurately.