Stannp | Direct Mail Marketing Platform

Security management.


Information Security

Stannp is committed to robust Information Security Management that ensures the confidentiality, integrity, and availability of all information in accordance with UK GDPR, the Data Protection Act 2018, and ISO 27001 standards. All customer data is classified as confidential, with access granted on least-privilege and need-to-know principles. We implement comprehensive technical and organizational measures including encryption, regular audits, penetration testing, and strict access controls, with immediate breach response and ICO notification within 72 hours where required.


Data Breach Response

Our comprehensive Data Breach Response Plan ensures prompt, transparent handling of any security incidents through a structured five-step process: immediate identification and assessment, containment and recovery, comprehensive risk assessment, notification to the ICO within 72 hours where required, and post-incident evaluation. We conduct thorough risk assessments to determine appropriate notifications and implement continuous improvement through incident pattern analysis and lessons learned processes.


Incident Management

We maintain a comprehensive incident management framework with incidents classified by severity (Critical, Major, Minor) and logged within 15 minutes of detection. Recovery Time Objectives of 30 minutes for critical services ensure rapid restoration with minimal business impact. Our structured response includes detection, classification, containment, investigation, eradication, recovery, and post-incident review, with backups encrypted and tested every 6 months, annual plan testing, and continuous improvement through ISO 27001 alignment.


Education and Security Awareness

All employees receive comprehensive annual security awareness training covering information security policies, UK GDPR requirements, threat recognition (phishing, social engineering), and incident reporting procedures. Role-specific training provides developers with OWASP Top 10 guidelines and secure coding practices, while compliance personnel receive risk management and incident response training. Training commences during induction with ongoing refreshers, delivered through multiple methods including courses, workshops, and our centralized SharePoint repository.


Physical and Environmental Security

Our facilities implement multi-layered security including 24/7 alarm monitoring and CCTV surveillance, access control systems with restricted entry, and visitor registration with staff escort requirements. We operate a clean desk policy with confidential documents stored in locked cabinets, all IT equipment tracked throughout its lifecycle, and off-site equipment requiring encryption and password protection. Environmental protections guard against fire, water damage, power surges, and temperature fluctuations, with the policy reviewed annually.


Asset Management

All IT equipment is tracked from acquisition to secure disposal with detailed records maintained and independently verified annually. Physical security includes controlled access with CCTV monitoring, locked storage for portable devices, and access restricted to background-checked personnel. End-of-life procedures include physical destruction of all hard drives before equipment leaves our facility, compliance with WEEE legislation, and full documentation of disposal activities, supporting our ISO 27001, ISO 9001, ISO 14001, Cyber Essentials, and PCI-DSS certifications.


Vulnerability Assessment and Patching

Mandatory vulnerability scans cover all systems that process confidential information, with monthly assessments using Qualys and Security Scorecard, annual external penetration testing, and continuous SIEM monitoring. Discovered vulnerabilities are patched according to Microsoft's severity ratings: critical within 7 days, important within 14 days, and moderate within 30 days. Automated patching is deployed where appropriate, and monthly compliance verification checks all endpoint devices and production systems every 30 days.