Information security, or “IS” as it is sometimes simply referred to as, is at the forefront of all that we do at bluesource (referred to later as the Company), not only to protect ourselves as a business but also to ensure we are providing a secure, safe environment in which to engage with our customers, partners, and employees. We aim to provide robust and secure, products and services, and consider information security by design, in all that we do.
The following information summarises our approach to information security and aims to provide confidence and instil trust in all that we do and help support our customer and partner journeys, whether existing or prospect.
bluesource protects its data in line with the requirements of applicable data protection legislation and is commensurate with the processing and level of associated risk. We are certified to ISO27001.
bluesource maintains a comprehensive information security management system (“ISMS”) and suite of information security policies based around and certified against the internationally recognised ISO27001 standard and utilising the ISO27002:2022 control set, broken down into key areas, including:
Physical and Environmental Controls
As part of our ISMS, we define management and employee responsibilities and acceptable use of information system resources. bluesource receives signed acknowledgment from employees indicating that they have read, understand, and agree to abide by its’ policies, acceptable use, and rules of behaviour upon commencement of employment and receive ongoing training and assessment on a regular basis, on topics such as data protection and information security.
bluesource’s policies and identified risks are regularly reviewed, at least annually, with revised versions published as necessary and held under version control.
bluesource’s Head of Operations, reporting to the Managing Director and Board, is responsible for the compliance and governance of the Company’s ISMS and its certification to ISO27001.
They also perform the role of Data Protection Officer (DPO), chair the security team meetings, and lead an incident response team (IRT), comprised of senior individuals, including leaders from across the business, facilitating the appropriate executive engagement for security program oversight and risk management.
Information security roles and responsibilities are further defined within the Company with clear delineation of responsibilities and segregation of duties, with all employees having their key part to play.
bluesource maintains contact with relevant authorities and with special interest groups, such as CISA and NCSC, who can assist with the Company’s threat intelligence activities.
Key operational security controls include:
People are at the very heart of our business and are necessary to maintain the bluesource’s reputation for high quality services and its standards, so getting the right people from the start is paramount.
Our employees and those working for us, on our behalf, are required to conduct themselves in a manner consistent with the Company’s guidelines, including those regarding confidentiality, business ethics, and professional standards. All employees are required to sign confidentiality agreements within their contracts of employment and where non employed workers are used, such arrangements are made contractually within supply agreements.
Employees are provided with security training at the time of hire and on an ongoing annual basis. Security training covers a broad section of topics around security awareness (ISO27001 and the Company’s ISMS), compliance (including data protection, DPA 2018 and GDPR) and privacy. In addition, Company employees are required to complete internal annual assessments based on the training.
Key people security controls to achieve this include:
Whilst bluesource utilises cloud based and SaaS services wherever possible, such as Microsoft Azure and Microsoft 365, etc., it has policies, procedures, and infrastructure in place to handle the physical and environmental security needed for its corporate office in London.
Guest access to its premise is controlled and a separate “Guest Wi-Fi” facility is in place to ensure connection to the corporate network is distinct.
The premise employs access, alarm, CCTV, and fire control systems.
Our information systems and infrastructure are hosted by world-class cloud providers, such as Microsoft, that are geographically dispersed and offer an equivalent or better level of security that we could aim to achieve ourselves.
Key physical and environmental security controls include:
Technology plays a big part in information security as well as providing tools to make it easier to apply controls that have already been discusses, and as part of its ISMS, the Company has put in place key technical security controls, which include: