Code of Ethical Cyber Defence
Our formal commitment to responsible, lawful, and ethical cyber defence. This document defines the principles that govern how our capabilities are used and the types of engagements we will not accept.
Key information about how Cyber Defence handles data, security, and the use of this website and our services.
Cyber Defence provides services to organisations operating in highly regulated sectors and critical environments. We take our own compliance and security as seriously as we expect our clients to take theirs.
This Compliance Portal brings together our core public-facing policies, including our Privacy Policy, Terms of Use, and Security Policy. These documents explain how we collect and use personal data, how our website and services may be used, and how we protect the confidentiality, integrity, and availability of information.
Cyber Defence exists to protect organisations, individuals, and critical infrastructure from harm. Our services are delivered within a strict ethical framework that prioritises privacy, legality, proportionality, and accountability. We are privacy advocates by design. We do not treat personal data as a commodity, nor do we support business models that rely on intrusive data collection, profiling, resale, or exploitation. As such, we do not engage with data brokers or organisations that intentionally circumvent or undermine data protection law.
We will not provide services to organisations whose activities enable repression, unlawful surveillance, censorship, or the violation of fundamental human rights, regardless of jurisdiction.
We do not support cybercrime, cyber-enabled fraud, ransomware ecosystems, or any business model that profits directly or indirectly from stolen data, compromised systems, or criminal activity.
We do not provide offensive cyber capabilities outside of a lawful, explicitly authorised, and contractually defined defensive testing or assurance context.
We will not engage with organisations seeking to evade lawful oversight, regulatory accountability, or auditability through technical means.
All prospective clients and partners are subject to ethical review and due diligence. Where an engagement no longer aligns with our ethical standards, we reserve the right to refuse, suspend, or terminate services in accordance with legal and contractual obligations.
This Code of Ethical Cyber Defence underpins our approach to trust, responsibility, and long-term cyber resilience.
The Code of Ethical Cyber Defence forms part of Cyber Defence’s governance and risk management framework and is embedded within our ISO/IEC 27001-aligned Information Security Management System.
Ethical risk, misuse risk, and reputational risk are assessed during client onboarding and throughout the lifecycle of an engagement. Where an activity conflicts with our ethical, legal, or regulatory obligations, we reserve the right to refuse, suspend, or terminate services.
This approach ensures that our technical capabilities are applied responsibly, proportionately, and in a manner consistent with recognised information security governance standards.
Documents
Our Compliance Pack provides clear, transparent assurance of how Cyber Defence governs security, privacy, resilience, and regulatory alignment. These documents are designed to support client due diligence, regulatory scrutiny, and supplier assurance processes.
Our formal commitment to responsible, lawful, and ethical cyber defence. This document defines the principles that govern how our capabilities are used and the types of engagements we will not accept.
Explains how personal data is collected, processed, stored, and protected, including individual rights under UK and EU data protection legislation.
Outlines our approach to GDPR compliance, data minimisation, retention, lawful processing, and cross-border data handling.
Defines the terms governing use of this website, client portals, and associated online services.
A high-level statement of our information security objectives, management commitment, and alignment with ISO/IEC 27001.
Describes how security incidents are detected, escalated, contained, and managed, including regulatory and client notification principles.
Summarises how service continuity, resilience, and recovery are planned, tested, and maintained.
Defines acceptable and prohibited use of systems, networks, and information assets.
Sets out how third parties and subcontractors are assessed, governed, and monitored for security and data protection compliance.
Details our professional indemnity, cyber liability, and public liability insurance arrangements.
Copies of our current ISO/IEC 27001, ISO 9001, and related management system certifications.
Evidence of UK Government-backed certification demonstrating baseline and advanced cyber security controls.
Confirmation of our Ministry of Defence cyber security accreditation.
Certificates & Accreditations
Our insurance documents, ISO certifications, and cyber security accreditations are available on request; provide your details and we will send these documents to your email address.
Under appropriate confidentiality arrangements, we can provide extended security and compliance documentation to support due diligence, supplier onboarding, and regulatory reviews. This includes policy summaries, control mappings, questionnaire responses, and supporting evidence aligned to recognised standards such as ISO/IEC 27001, ISO 9001, and NIST.
Our governance and operational controls are aligned with ISO/IEC 27001 and ISO 9001, supported by Cyber Essentials Plus and relevant industry accreditations. Where appropriate, we also align our services to support client obligations under NIS2, DORA, and sector-specific regulatory frameworks.
Our core infrastructure is hosted within Iron Mountain data centres in the United Kingdom, with our racks located at their Slough facility. Iron Mountain is a globally recognised provider of highly secure, resilient data centre services.
Physical security is provided and managed by Iron Mountain and includes layered perimeter controls, access management, monitoring, and on-site security operations. Iron Mountain maintains independent third-party certifications and assurance reports, including SOC 2, which underpin the physical and environmental security of the facilities we operate within.
Cyber Defence does not currently hold a standalone SOC 2 report. However, the data centre facilities hosting our infrastructure are operated by Iron Mountain, which maintains SOC 2 certification. This assurance forms part of our overall risk and supplier management approach for physical and environmental controls.
Further information on Iron Mountain’s certifications, compliance posture, and assurance reports, including SOC 2, is available via the Iron Mountain compliance portal. Access to certain reports may require registration or acceptance of Iron Mountain’s terms.
We act as a data controller for our own corporate data, including information relating to clients, prospects, partners, and website visitors. When delivering managed security services on behalf of clients, we operate as a data processor and process personal data strictly in accordance with the client’s documented instructions and contractual terms.
We apply layered technical and organisational controls, including strong access control, encryption where appropriate, continuous monitoring, logging, and segregation of client environments. Access to sensitive systems and data is restricted to authorised personnel based on role and operational need.
We operate continuous monitoring and 24/7 coverage through our SOC365 capability. Potential incidents are triaged promptly and escalated according to defined severity criteria, with structured response, containment, and recovery processes in place.
If an incident is identified that may impact a client, we follow agreed notification and escalation procedures, including timely communication and provision of information required to support the client’s own operational and regulatory obligations.
We conduct ongoing security testing of our infrastructure and platforms, including vulnerability scanning, configuration reviews, and periodic penetration testing. Findings are tracked and remediated through our internal risk management processes.
Third parties, including infrastructure and service providers, are subject to supplier risk assessment and contractual security obligations. Certifications and assurance reports, such as those provided by Iron Mountain, form part of our ongoing supplier governance.
We maintain documented business continuity and disaster recovery arrangements designed to support service resilience and availability. These arrangements are reviewed and tested regularly to ensure continued effectiveness.
All personnel undergo appropriate pre-employment screening and are required to complete regular security awareness and role-specific training. This ensures continued alignment with security best practice and regulatory expectations.
Security and compliance enquiries can be directed to hello@cyber-defence.io or raised via the contact form on our website. Existing clients may also raise matters through their assigned account or service delivery contacts.
If you have questions about our policies, require additional documentation for due diligence, or need specific answers for regulatory or contractual purposes, please contact us.
Email: hello@cyber-defence.io
Contact form: /contact