Built Secure.
Governed Responsibly.
We build identity security software. Our own house has to be in order first. Here is exactly how we govern our systems, protect your data, and operate with the transparency that security buyers deserve.
Security Governance
Certifications obtained or in progress. We only claim certification where an external body has actually granted it.
NCSC-backed scheme covering firewalls, secure configuration, access control, malware protection, and patch management. Externally verified.
Information Security Management System implementation underway, covering risk management, access control, vulnerability management, incident response, supplier assurance, and business continuity.
Independent technical verification of CE controls via external audit. Planned following ISO 27001 ISMS completion.
Security Framework Alignment
IdentityFirst's security architecture and internal governance practices are designed in alignment with these widely recognised frameworks. Alignment means our policies and architecture reasonably reflect each framework's principles — it does not imply external certification.
Identify, Protect, Detect, Respond, Recover — applied across platform architecture and internal security operations.
Prioritised control baseline covering asset inventory, access control, audit logging, and vulnerability management.
Verify explicitly, use least privilege, assume breach — principles reflected in platform design and IdentityFirst's own operational access model.
Secure development lifecycle practices embedded throughout platform engineering, including threat modelling and dependency management.
OWASP Top 10 risks addressed in platform development and code review: injection prevention, authentication controls, and input validation throughout.
Identity Security Standards
As an identity security platform, IdentityFirst is designed in alignment with the standards that govern digital identity assurance and authentication. These inform both platform architecture and how IdentityFirst helps customers meet their own obligations.
Identity assurance levels, authenticator types, and federation requirements inform IdentityFirst's risk assessment methodology and finding classification.
FIDO2/WebAuthn phishing-resistant authentication principles referenced in MFA coverage assessment and privileged account security recommendations.
Regulatory Alignment
IdentityFirst operates in accordance with applicable UK and EU regulations. References below describe regulatory alignment, not external certification unless specifically stated.
Data protection and privacy principles embedded throughout product design and operations. ICO registered · ZC031428. Privacy by design. Read-only by architecture.
Security governance aligned with NIS2 cybersecurity risk management principles. IdentityFirst is designed to help customers evidence NIS2 identity governance and access control obligations.
Relevant to FCA-regulated customers. IdentityFirst supports DORA ICT risk management by surfacing identity risk, privilege exposure, and access control gaps.
Security governance informed by CAF principles, particularly identity and access management objectives relevant to UK public sector and regulated industries.
AI Governance
IdentityFirst incorporates AI capabilities in its assessment and analysis pipeline. Governance of those capabilities is aligned with the following frameworks to ensure appropriate transparency, human oversight, and security.
AI governance aligned with EU AI Act risk classification and prohibited use principles. Human oversight is a design requirement, not an option.
Govern, Map, Measure, Manage — structured AI risk lifecycle applied across platform components using AI-assisted analysis or recommendations.
Prompt injection, training data exposure, and insecure output handling addressed in the design and security testing of AI-assisted features.
Operational Governance
Operational risk management and resilience practices aligned with internationally recognised principles.
Risk identification, assessment, treatment, and monitoring practices applied across internal operations and platform risk governance.
Business continuity and operational resilience principles inform incident response planning, recovery objectives, and service continuity commitments.
Cross-Framework Identity Governance Evidence
Most security tools align with one framework. IdentityFirst provides identity governance evidence across multiple regulatory frameworks simultaneously — from the same assessment, the same connectors, the same telemetry.
A single IdentityMRI™ assessment surfaces the privileged access, stale account, delegation, and MFA coverage evidence that auditors require across ISO 27001, NIS2, DORA, CIS Controls, NIST CSF, and Zero Trust simultaneously. One scan. Multiple evidence packs.
Data Protection Practices
Architecture-level commitments that cannot be configured away.
Data minimisation and purpose limitation built into every connector and report output.
All connectors operate in discovery mode. No writes to customer systems. An architectural constraint, not a configuration option.
All customer data processed and stored within UK jurisdiction.
Registered with the Information Commissioner's Office. Reference: ZC031428.
The Read-Only Guarantee
During any assessment, demo, or POC, IdentityFirst never writes to your systems. All connectors operate in discovery mode only. This is not a configuration option — it is an architectural constraint enforced at the connector level. You see the findings. You decide what to act on.