Regulatory Alignment
How Offline Secure Storage helps organisations demonstrate compliance with the frameworks that matter most.
Regulatory frameworks increasingly demand demonstrable technical measures for data protection. Physical disconnection is not a workaround. It is a direct, verifiable answer to GDPR Article 32, NIS2 risk management and DORA operational resilience requirements: a storage asset that has no network path outside a controlled access window gives an auditor a control that can be inspected rather than inferred from configuration.
$4.88M
Global average cost of a data breach (IBM Cost of a Data Breach Report 2024)
72 hours
GDPR breach notification window
Zero
Firevault customer breaches since inception
NIS2 Directive
Network and Information Security Directive 2
NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk-based security measures, staged incident reporting (an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident), and supply chain security assessments.
Key Requirements
Risk Management
Implement appropriate and proportionate technical, operational and organisational measures to manage risks.
Incident Reporting
Submit an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month.
Supply Chain Security
Assess and address security risks in the supply chain and service provider relationships.
Business Continuity
Ensure continuity of essential services including backup management and disaster recovery.
How OSS Helps
Layer 1 physical air gap removes every network-based attack vector while the asset is disconnected; only physical and insider routes remain, and those are governed by the access controls below
Dedicated hardware removes multi-tenant risk and narrows the supply chain to one assessable provider rather than a cloud stack of sub-processors
Identity-locked access with full audit trails supplies the who, what and when that incident reports and regulator evidence requests need
RAID 1 mirroring keeps data available through a single-drive failure, and an offline copy survives a network-wide compromise, supporting backup and disaster recovery obligations (mirroring is not a substitute for a tested restore process)
Physical disconnection is a security posture an auditor can verify by inspection rather than infer from configuration
DORA
Digital Operational Resilience Act
DORA establishes a comprehensive framework for digital operational resilience in the financial sector. It requires ICT risk management, incident reporting, resilience testing, and third-party risk management.
Key Requirements
ICT Risk Management
Maintain a sound, comprehensive and well-documented ICT risk management framework.
Resilience Testing
Conduct regular threat-led penetration testing and advanced testing of ICT tools and systems.
Third-Party Risk
Monitor and manage risks from ICT third-party service providers with contractual arrangements.
Information Sharing
Establish arrangements to exchange cyber threat intelligence with other financial entities.
How OSS Helps
Physical disconnection removes network-borne ICT risk from the storage tier; what remains (physical access, insider misuse, the access window itself) is narrower and easier to document in the risk management framework
No third-party cloud dependencies in the data path, so the register of ICT third-party providers to monitor is shorter (Firevault itself remains a provider that the contractual arrangements must cover)
AES-256 hardware encryption at rest, with Quantum Key Exchange, meets the cryptographic control expectations of the DORA ICT risk management framework
Zero standing privileges and time-limited access windows support least-privilege mandates
Complete audit trails provide evidence for regulatory examinations
GDPR
General Data Protection Regulation
GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. Article 32 specifically mandates security proportionate to the risk.
Key Requirements
Data Protection by Design
Implement appropriate technical measures at the time of design and processing (Article 25).
Security of Processing
Ensure confidentiality, integrity, availability and resilience of processing systems (Article 32).
Breach Notification
Notify the supervisory authority (the ICO under UK GDPR) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33).
Data Minimisation
Ensure personal data is adequate, relevant, and limited to what is necessary.
How OSS Helps
Physical disconnection is among the strongest 'appropriate technical measures' available under Article 32, and one whose operation can be shown to a supervisory authority
While disconnected, data cannot be exfiltrated or encrypted by a network intrusion; a breach would require physical access, an insider or misuse of an access window, each of which is identity-locked and logged
Identity-locked access ensures only authorised individuals can reach personal data, and the audit trail shows who did
AES-256 hardware encryption at rest addresses the encryption measure named in Article 32(1)(a); pseudonymisation is a separate measure applied to the data itself and remains the controller's responsibility
Dedicated hardware ensures no data co-mingling with other organisations
ISO 27001
Information Security Management Systems
ISO 27001 is the international standard for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Annex A controls require demonstrable technical and organisational measures. The control numbers below follow the 2013 edition of Annex A; ISO/IEC 27001:2022 regrouped them, and the 2022 equivalents are given in brackets.
Key Requirements
A.8 Asset Management (2022: A.5.9, A.5.12)
Inventory and classify information assets and apply protection proportionate to their value and sensitivity.
A.9 Access Control (2022: A.5.15, A.8.2, A.8.3, A.8.5)
Restrict access to information and processing facilities based on business and security requirements, with particular control of privileged access.
A.10 Cryptography (2022: A.8.24)
Ensure proper and effective use of cryptography, including key management, to protect the confidentiality, integrity and authenticity of information.
A.12 Operations Security (2022: A.8.13, A.8.15)
Ensure correct and secure operation of information processing facilities, including backup and logging.
How OSS Helps
Physical disconnection gives the highest-classified assets a protection level that matches their classification (A.8)
Identity-locked access with KYC and MFA satisfies the Annex A.9 access control requirements, including control of privileged access
AES-256 hardware encryption with Quantum Key Exchange supports the A.10 cryptography control; the ISMS still needs a documented cryptography and key management policy around it
RAID 1 mirrored storage and full audit trails support the A.12 backup and logging controls
Zero standing privileges align with least-privilege access principles
SOC 2 Type II
Service Organisation Controls for Security and Availability
SOC 2 Type II evaluates an organisation's information systems relevant to security, availability, processing integrity, confidentiality, and privacy. It requires sustained evidence of controls operating effectively over time.
Key Requirements
Security (CC)
Protect information and systems against unauthorised access, disclosure, and damage.
Availability
Ensure information and systems are available for operation and use as committed.
Confidentiality
Protect information designated as confidential throughout its lifecycle.
Processing Integrity
Ensure system processing is complete, valid, accurate, timely, and authorised.
How OSS Helps
Physical air gap removes network access vectors while disconnected, and the access window logs show that every connection was authorised: strong evidence against the Security criteria
RAID 1 mirrored drives keep data available through a single-drive failure
Dedicated single-tenant hardware removes co-tenancy risk, so no data co-mingling with other customers has to be argued away under the Confidentiality criteria
Complete audit trails and identity-locked access provide processing integrity evidence
Time-limited connectivity windows demonstrate controlled, authorised access patterns, and a Type II report can show them operating across the whole review period
CAF 4.0
NCSC Cyber Assessment Framework
The NCSC Cyber Assessment Framework provides systematic assessment of organisations managing cyber risks to essential functions. CAF 4.0 focuses on four objectives: managing security risk, protecting against cyber attack, detecting events, and minimising impact.
Key Requirements
A: Managing Security Risk
Appropriate organisational structures, policies, and processes to understand, assess and manage security risks.
B: Protecting Against Cyber Attack
Proportionate security measures to protect systems and data from cyber attack.
C: Detecting Cyber Security Events
Capabilities to detect cyber security events affecting essential functions.
D: Minimising the Impact
Capabilities to minimise the impact of a cyber security incident on essential functions.
How OSS Helps
Physical disconnection is a proportionate security measure for crown jewel data, and one that can be evidenced by inspection (Objective B)
A disconnected asset produces no network telemetry, so detection effort concentrates on the access events that do occur, all of which are identity-bound and logged; Objective C still requires those logs to be monitored
Offline storage ensures critical data survives total network compromise, minimising impact (Objective D)
Full audit trails and identity governance demonstrate mature risk management (Objective A)
Out-of-band control plane keeps the admin interface off the production network, removing it as a remote attack vector
PCI DSS 4.0
Payment Card Industry Data Security Standard
PCI DSS 4.0 introduces significant updates to cardholder data protection requirements including stronger authentication, expanded encryption mandates, and continuous security monitoring. It applies to any entity that stores, processes, or transmits cardholder data.
Key Requirements
Requirement 3
Protect stored account data with strong cryptography and access controls.
Requirement 7
Restrict access to system components and cardholder data by business need-to-know.
Requirement 9
Restrict physical access to cardholder data and systems.
Requirement 12
Support information security with organisational policies and programs.
How OSS Helps
AES-256 hardware encryption at rest supports Requirement 3; note that PCI DSS 4.0 (Requirement 3.5.1.2) does not accept disk-level encryption on non-removable media as the only mechanism for rendering PAN unreadable, so file- or field-level protection of PAN is still needed
Identity-locked KYC/MFA access enforces need-to-know principles (Requirement 7)
Physical air gap and CNI-grade bunker locations satisfy Requirement 9 physical access controls
Full audit trails and zero standing privileges support Requirement 12 governance
Dedicated hardware removes the shared-infrastructure risks that widen PCI scope in multi-tenant cloud environments
FCA Operational Resilience
Financial Conduct Authority, PS21/3
The FCA's operational resilience framework requires UK financial firms to identify important business services, set impact tolerances, and ensure they can remain within tolerance during severe but plausible scenarios including cyber attacks.
Key Requirements
Important Business Services
Identify and map services that, if disrupted, could cause intolerable harm to consumers or market integrity.
Impact Tolerances
Set maximum tolerable levels of disruption for each important business service.
Scenario Testing
Test ability to remain within impact tolerances during severe but plausible disruption scenarios.
Self-Assessment
Document and regularly review operational resilience arrangements and third-party dependencies.
How OSS Helps
Crown jewel data protected offline ensures critical services can recover from total network compromise
Zero third-party cloud dependencies eliminate single points of failure in the supply chain
Physical disconnection provides demonstrable resilience against severe cyber attack scenarios
6-second access recovery supports tight impact tolerance windows
Dedicated hardware and RAID 1 mirroring ensure data availability under disruption
Cyber Essentials Plus
UK Government-Backed Cyber Hygiene Certification
Cyber Essentials Plus is the highest level of the UK Government-backed scheme. It includes a hands-on technical verification of controls covering firewalls, secure configuration, access control, malware protection, and patch management.
Key Requirements
Firewalls & Gateways
Ensure boundary firewalls and internet gateways are configured to prevent unauthorised access.
Secure Configuration
Ensure computers and network devices are configured to reduce vulnerabilities.
Access Control
Ensure only authorised individuals have access to systems and data, with appropriate privilege levels.
Malware Protection
Ensure protection against malware using anti-malware software or application whitelisting.
How OSS Helps
Physical disconnection is the strictest boundary control: outside an access window there is no network path at all, and during one the firewall and gateway rules still apply
Dedicated hardware with a hardened, fixed configuration reduces misconfiguration risk to the small set of settings that govern access windows
Identity-locked access with KYC/MFA exceeds the scheme's access control requirements
Offline storage cannot be reached by ransomware while disconnected; files written to it during an access window should still be scanned, since the device is immune to remote encryption, not to infected content placed on it
A disconnected device has no internet-facing patch dependency, but its firmware and access software still need security updates; the scheme expects high and critical fixes to be applied within 14 days of release
NHS DSPT
Data Security and Protection Toolkit
The NHS DSPT is the mandated self-assessment tool for all organisations accessing NHS patient data and systems. It maps to the National Data Guardian's 10 data security standards and requires evidence of technical controls proportionate to data sensitivity.
Key Requirements
Standard 7: Continuity Planning
Maintain a continuity plan to respond to threats to data security, including significant breaches or near misses, tested at least annually.
Standard 8: Unsupported Systems
Ensure no unsupported operating systems, software or browsers are used, and that anything that cannot be retired is segregated so it does not expose data to risk.
Standard 9: IT Protection
Implement a cyber security strategy based on a proven framework such as Cyber Essentials, reviewed at least annually.
Standard 10: Accountable Suppliers
Hold IT suppliers accountable by contract for protecting personal confidential data and meeting the same data security standards.
How OSS Helps
Offline copies on dedicated hardware with RAID 1 mirroring give the continuity plan a data set that survives a network-wide compromise; the annual test should include a restore from it (Standard 7)
Dedicated, maintained hardware keeps the storage off the unsupported-systems list, provided its firmware stays in support (Standard 8)
Zero network exposure outside access windows narrows the attack surface the IT protection strategy has to cover, and the access logs give it something concrete to monitor (Standard 9)
No third-party cloud suppliers in the data path shortens the accountable-supplier chain; Firevault itself remains a supplier whose contract must reflect the standards (Standard 10)
Patient data stored offline cannot be reached by network-based breach or ransomware while disconnected
SRA Standards
Solicitors Regulation Authority, Data Protection
The SRA requires law firms to have effective systems and controls for identifying and mitigating risks to client data. Following high-profile cyber attacks on UK law firms, the SRA has intensified scrutiny on data protection measures.
Key Requirements
Client Confidentiality
Keep the affairs of current and former clients confidential with effective information barriers.
Information Security
Implement and maintain appropriate systems for managing risks to information security.
Third-Party Risk
Ensure outsourced services maintain equivalent standards of data protection.
Incident Response
Have effective systems for detecting and responding to cyber security incidents.
How OSS Helps
Physical disconnection puts client matter data out of reach of network attack outside controlled access windows
Identity-locked access with full audit trails supports client confidentiality obligations and the information barriers between matters
No third-party cloud sub-processors in the data path; Firevault remains an outsourced service under the SRA's rules, so the contractual terms and oversight that the outsourcing obligation requires still apply
Offline storage survives ransomware, so an intact copy of firm data is available for incident response
Dedicated hardware prevents any co-mingling of client data between organisations
Compliance is not a checkbox. It is an architecture.
Physical disconnection provides evidence of appropriate technical measures that an auditor can verify by inspection. Speak to us about how Firevault aligns with your specific regulatory obligations.
Simplify your compliance journey
Tell us which frameworks apply to your organisation and we will map the offline storage solution that satisfies them.