Annex 3 - Technical and Organizational Security Measures

Last updated: 2026-01-30

ANNEX 3 – TECHNICAL & ORGANISATIONAL SECURITY MEASURES

────────────────────────────────────────

  1. Information-Security Programme aligned to ISO 27001: policies, risk assessment, asset management, incident response.
  2. Encryption:
  • TLS 1.2+ for data in transit.
  • AES-256 at rest for all new databases; legacy servers migrating by 31 Aug 2025.
  3. Access Control:
  • Role-based access (least privilege).
  • Multi-factor authentication for privileged accounts; full MFA rollout by 31 Aug 2025.
  • Centralised identity & log-in monitoring.
  4. Physical Security: AWS data-centres (SOC 1/2/3; ISO 27001), secured office, restricted hardware access.
  5. Operational Security:
  • Annual external penetration testing; quarterly vulnerability scanning.
  • Change-management and code-review procedures; CI/CD with automated security checks.
  • Backup & recovery: encrypted backups retained ≤ 15 days; tested quarterly.
  • DDoS protection & Web-Application Firewall via Cloudflare.
  6. Audit Logging & Monitoring: Centralised log aggregation, tamper-evident storage, alerting for anomalies.
  7. Incident Response: Documented plan; 24×7 alerting; post-incident review.
  8. Vendor Management: Written contracts with Sub-processors; due diligence, security questionnaire, periodic review.
  9. Employee Controls: Background checks (where lawful), confidentiality agreements, initial & annual security/privacy training.
  10. Data Minimisation & Pseudonymisation: Only necessary data processed; test/staging use anonymised datasets.