Responsible business lies at the heart of our sustainability strategy – it is our licence to operate. Grounded in our values, we’re guided by our Code of Ethics and driven by our purpose to make the digital world safer and more secure.
We embed responsible practices into our everyday operations and set a high benchmark in corporate leadership, ensuring our actions resonate positively across global operations in the work we do for our clients.
As experts in information security and risk mitigation, we understand the responsibility to promote best practice within our own business. We have dedicated teams to support our global business to exceed industry best practice and hold several internally recognised certifications and accreditations to support our service delivery and overall business processes:
- ISO 27001:2013 and ISO 9001:2015 – the list of locations these are applicable to can be found on our website. All entities within the Group are aligned to the same policies, processes and controls as those within scope of ISO 27001:2013 and ISO 9001:2015 and we are expanding the scope through a phased rollout schedule. The deadline for any company holding ISO27001:2013 to transition is the 31st October 2025 so we plan to go for it this year in order to give a nice buffer before the deadline.
- Cyber Essentials Plus – a UK government backed scheme, which helps organisations to protect their IT infrastructure against most common cyber-attacks.
Service-related certifications, accreditations and memberships:
- (UK) NCSC Check – we are listed as a green service provider – the highest attainable standard, having held this since 2001.
- ISO 17025:2017 – our NCC Group Security Services Limited entity is certified to this international standard for performing laboratory activities and testing.
- PCI Approved Scan Vendors and PCI Qualified Security Assessor.
- (UK) NCSC Cyber Incident Response – both a Level 1 and Level 2 provider.
- CREST Council of Registered Ethical Security Providers.
- TISAX (Trusted Information Security Assessment Exchange) accredited and awarded a security label to perform automotive security assessments for the German car manufacturing industry.
- FedRAMP – Recognised Third Party Assessment Organization (3PAO) able to offer consultancy and support for clients to become FedRAMP certified.
We undertake internal and external audits to measure compliance with internal controls across service delivery, internal IT, financial management, data protection and risk management. Additionally, we are regularly audited by clients to provide assurance and to support their own supply chain and vendor management programmes. Our internal audit function is embedded into our global governance function and split into two key areas:
- Financial: focused on auditing of all processes related to the integrity of our financial and accounting records and reporting.
- Global standards and support: focused on auditing adherence to the policies, processes and procedures, which support our ISO 27001:2013, ISO 9001:2015 and ISO 17025:2017 certifications.
We are externally audited by Lloyd’s Register Quality Assurance, the accreditation body for our ISO 27001:2013 and ISO 9001:2015 certifications. These surveillance audits assess the effectiveness of our ISO-certified management systems and conducted on a six month cycle.
Our NCC Group Security Services Limited entity is externally audited by the United Kingdom Accreditation Service (UKAS), the accreditation body for ISO 17025:2017. These surveillance audits assess the effectiveness of ISO 17025:2017-certified management system on an annual cycle.
Our IT infrastructure is externally assessed by Perspective Risk Ltd on an annual basis to maintain our Cyber Essentials Plus certification.
We are active members of the cyber security community, working in collaboration and in partnership with key industry players around the world.
Our network extends to ensuring that we have the relevant accreditations and certifications to assure our customers of our professional service.