Pisys Security approach

Peter Henderson

28/01/2026

Data security & hosting

Pisys provides secure, resilient hosted services designed around the principles of confidentiality, integrity, and availability, aligned with our ISO/IEC 27001 and Cyber Essentials Plus (CE+) accreditations. Our ISO 27001 and CE+ certificates can be viewed using the links at the bottom of this page.

All hosted systems are deployed on secure cloud infrastructure (AWS) with segregated environments, protected by firewalls, intrusion detection, encryption, and controlled access. Data is encrypted in transit and at rest, with strict access controls applied on a least-privilege basis. Our hosted systems currently include:

Pisys operates a comprehensive Information Security Management System (ISMS), supported by regular risk assessments, internal audits, staff security training, and annual external ISO 27001 audits. Security controls are continuously reviewed and improved.

To ensure availability and resilience, Pisys uses multiple servers across separate data centres, supported by regular off-site backups and point-in-time recovery. Business Continuity and Disaster Recovery plans are in place and tested, enabling rapid restoration of services following incidents or outages.

Pisys maintains clear procedures for incident response, data breach management, and vulnerability disclosure, encouraging responsible reporting and timely remediation. Backup integrity is verified through regular recovery testing.

Data is retained and disposed of securely in line with defined Data Retention policies, ensuring compliance with legal and regulatory requirements while minimising risk.

Together, these measures ensure that customer data hosted by Pisys is securely protected, highly available, and responsibly managed throughout its lifecycle.

Access control & permissions

Pisys applies strict access controls to ensure that systems and data are accessed only by authorised individuals, in line with ISO/IEC 27001 principles.

Access to hosted services, systems, and data is granted on a least-privilege, need-to-know basis, ensuring users have only the permissions required to perform their role. Access rights are defined, approved, and regularly reviewed to reduce the risk of unauthorised access.

Strong authentication controls are enforced, including secure credential management and, where appropriate, multi-factor authentication. Administrative and privileged access is tightly restricted and monitored.

Pisys maintains clear role-based access controls (RBAC) across its infrastructure, separating environments and responsibilities to prevent inappropriate access or privilege escalation. Network segmentation is used to further isolate systems and limit lateral movement.

Access is removed or amended promptly when roles change or when employment or contractual relationships end, reducing residual access risk.

Our production systems support Hybrid Identity Authorisation, as described here.

All access control measures are supported by security monitoring, logging, and incident response procedures, allowing suspicious activity to be detected and investigated quickly. Controls are reviewed regularly as part of ongoing risk management, internal audits, and ISO 27001 compliance activities.

These controls ensure that customer data and systems hosted by Pisys remain secure, accountable, and protected throughout their lifecycle.

Audit trails & traceability

Pisys maintains robust audit trails and traceability controls to ensure accountability, transparency, and effective security monitoring, aligned with ISO/IEC 27001 requirements.

Security-relevant events across hosted systems and infrastructure are logged and monitored, enabling Pisys to track access, system activity, and security events. Logging supports the detection of unauthorised access, misuse of privileges, and anomalous behaviour.

Audit logs are protected against unauthorised access or modification and are retained in line with Pisys data retention and security policies, ensuring their integrity and reliability. Logs are reviewed as part of ongoing security monitoring, incident detection, and investigation processes.

Traceability is embedded through role-based access controls, defined responsibilities, and documented procedures, ensuring that actions can be attributed to authorised users or system processes. This supports effective incident response, root cause analysis, and post-incident reviews.

Pisys conducts regular internal audits, management reviews, and external ISO 27001 audits to verify that logging remains effective and complete, and that it complies with legal, regulatory, and contractual obligations.

Together, these measures ensure that Pisys-hosted services provide clear visibility, reliable accountability, and strong evidential support for security operations and compliance.

Compliance

Pisys operates a formal Information Security Management System (ISMS) aligned with ISO/IEC 27001, demonstrating a structured and independently audited approach to information security, risk management, and operational resilience.

Pisys holds ISO/IEC 27001 certification, supported by annual external audits, regular internal audits, and formal management reviews. This ensures ongoing compliance with the standard and continuous improvement of security controls, policies, and processes. The company also holds Cyber Essentials Plus accreditation.

The ISMS covers key compliance domains including:

  • Risk assessment and treatment
  • Access control and authentication
  • Data protection and retention
  • Incident and vulnerability management
  • Business continuity and disaster recovery
  • Supplier and vendor management
  • Staff security awareness and training

Pisys also maintains compliance with relevant legal, regulatory, and contractual requirements, reviewing applicable UK and international obligations as part of its governance processes.

Together, these measures provide customers with confidence that Pisys services are delivered within a well-governed, auditable, and internationally recognised security framework.

Security governance & responsibility

Pisys maintains a clear and structured security governance framework to ensure accountability, oversight, and effective management of information security, aligned with ISO/IEC 27001.

Overall responsibility for information security rests with Pisys senior management, who are accountable for maintaining the Information Security Management System (ISMS), ensuring compliance with applicable standards, and supporting continuous improvement. Governance is reinforced through defined policies, documented procedures, and regular reviews.

Day-to-day security responsibilities are assigned to designated roles, including the Information Security Manager (ISM) and supporting teams, who oversee risk management, policy implementation, incident response, and compliance activities. Employees, contractors, and third parties are required to comply with Pisys security policies and report any security concerns or incidents promptly.

Security governance covers all aspects of hosted services and operations, including:

  • Risk assessment and treatment
  • Access control and user responsibilities
  • Incident, vulnerability, and breach management
  • Business continuity and disaster recovery
  • Supplier and vendor security obligations

Pisys supports governance through regular internal audits, management reviews, and external ISO 27001 and CE+ audits, ensuring that responsibilities remain clear, controls remain effective, and risks are appropriately managed.

Security awareness and training form part of staff induction and ongoing development, reinforcing individual responsibility for protecting Pisys and customer information assets.

This governance structure ensures that information security at Pisys is clearly owned, actively managed, and consistently enforced across the organisation.