Vodafone are committed to providing world-class security. We deliver some of the most secure telecommunications services in the world and have a proven record for delivering trusted mission-critical services to a wide range of customers, including government, utility, finance, and retail sectors.
We have developed an embedded security culture through awareness, education and empowerment to ensure we deliver a great customer experience. Appropriate security controls are in place and operating effectively to deliver assurance in line with contractual agreements.
Vodafone operates an Information Security Management System (ISMS) based on the recommendations of ISO 27001:2013, including risk management, business continuity, incident management, physical security, security awareness training and much more.
All ISMS and certification management is overseen by our Security Risk and Compliance Committee, which meets on a monthly basis and includes senior stakeholders from Group Technology Security and Group Corporate Security. The Security Risk and Compliance Committee reports into the Group Security Steering Committee, which is accountable for all aspects of physical, personnel, technical and operational security. Stakeholders from the wider business act as representatives for their respective areas in order to manage risks and incidents and to continually improve the ISMS.
Vodafone’s security certifications strategy defines three tiers of certification to cover all Enterprise customer services, end-to-end:
Tier 1: The umbrella certification is the Vodafone Group Enterprise (VGE) ISO 27001 certificate, which covers Group Services and Group internal operation activities;
Tier 2: The Group Functions certificate covers our Operation Teams, their physical locations, and our Shared Service Centres in Hungary and India; and
Tier 3: Services provided from Local Markets (e.g. voice/data services) are covered by certificates specific to that market’s business requirements, which generally include ISO 27001 and ISO 9001 certifications.
We have a robust enterprise risk management process that is subject to regular reviews and continuous improvement. This ensures that risks are identified, recorded, managed and mitigated as appropriate throughout our business, including customer-specific operational risks. Major risks are reported and escalated to the board.
Our risk management process methodically addresses risks that may pose a threat to Vodafone, its infrastructure and services (both internal and external), its customers, staff, brand and assets. The risk management strategy provides a framework for the proactive management of risks to eliminate or minimize any impact. Our risk management framework consists of an intranet site for the reporting of risks, a secure on-line database for storing all risk information and a common methodology for the assessment of risks.
We keep our information safe. All of our information is classified and protected. Our classification scheme uses a “C1” (Public) to “C4” (Vodafone Secret) identification, and rules on how to handle and manage information at each level are enforced through our Information Classification and Handling Policy. These levels relate to information which is appropriate for public consumption (C1) through to Vodafone Secret (C4). Furthermore, other Vodafone security policies detail what controls we implement to manage both Vodafone and Customer data, including data retention and disposal.
Vodafone ensures that we provide a secure environment for all of our colleagues and customers. We use live site monitoring and electronic protection systems to safeguard the integrity and security of Vodafone’s assets and our customers’ infrastructure, applications and data. A 24x7 physical security control centre (PSCC) provides this live monitoring as well as management of all site access, management of third-party access, travel security briefs and much more.
We make sure that our suppliers comply with our policies. As well as assessing or auditing their internal security controls, we carefully consider and control their physical and logical access to our sites, networks, systems, information and customers.
The following security-relevant standards and certifications are in place to help protect Vodafone and our customers:
GLOBAL ENTERPRISE ISO/IEC 27001:2013
GROUP FUNCTIONS ISO/IEC 27001:2013
UK SECURE HOSTING ISO/IEC 27001:2013
UK MOBILE NETWORK ISO/IEC 27001:2013
UK CERTIFIED CYBER SECURITY CONSULTANCY – SECURITY ARCHITECTURE
UK CYBER ESSENTIALS PLUS
UK FLEXIBLE COMPUTING AND COMMERCIAL SHARED STORAGE ISO/IEC 27001:2013
UK MPLS CAS(T)
UK NICC ND 1643 MINIMUM SECURITY STANDARD
UK PSN COMPLIANCE (MULTIPLE SERVICES)
UK Vodafone One Net Enterprise Cloud (VONE-C) & Vodafone Contact Centre Cloud (VCCC) CAS(T)
UK ISO/IEC 20000-1:2011
UK ISO/IEC 22301:2012
UK ISO/IEC 9001:2015