Internal Governance Discipline

Trust Centre

We apply the same governance discipline to our own operations that we mandate for clients. This page documents the security architecture, operational practices, and compliance posture that govern StremarControl's internal environment - maintained to the same standard we hold our clients accountable to.

ISO 27001 Aligned (status: Active)

ISMS aligned to ISO/IEC 27001:2022. Applicable Annex A controls are mapped and technically enforced across our M365 E5 tenant.

Microsoft Partner (status: Active)

We implement and operate controls directly within Microsoft 365 across Entra ID, Intune, Defender, and Purview.

UK Data Protection (status: Active)

UK GDPR-aligned controls with defined onboarding steps for lawful processing, registration, and data handling responsibilities.

Security Architecture

StremarControl operates from a hardened Microsoft 365 E5 tenant. We enforce the same control architecture we design for our most stringently governed clients. Every control listed below is technically enforced, not merely documented.

Phishing-Resistant Authentication

All StremarControl staff authenticate exclusively via FIDO2 hardware security keys or Windows Hello for Business. Push-based MFA, SMS OTP, and TOTP are disabled tenant-wide in the Authentication Methods Policy. Both methods bind each authentication to a device-held private key and the relying-party origin, so a credential-phishing or adversary-in-the-middle (AiTM) proxy on a lookalike domain cannot capture or replay a usable sign-in.

Supporting evidence: Authentication Methods Policy export showing only phishing-resistant methods enabled.
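The check behind that evidence line can be automated rather than read off a screenshot. The following PowerShell script is an added example, not StremarControl's own tooling: it reads the tenant's Authentication Methods Policy through the Microsoft Graph PowerShell SDK and fails if any phishable method (Microsoft Authenticator push, SMS, software or hardware OATH, voice, email OTP) is still enabled. It assumes the Microsoft.Graph module is installed and the signed-in account holds Policy.Read.All; treating Temporary Access Pass as a tolerated onboarding method is an assumption, not something the page states.

```powershell
# Added example (not StremarControl's own tooling): audit the tenant's Authentication Methods
# Policy through Microsoft Graph and fail if any phishable method is still enabled.
# Assumes the Microsoft.Graph PowerShell SDK and a signed-in account holding Policy.Read.All.

# Methods whose credentials are origin-bound and therefore survive an AiTM proxy.
# Windows Hello for Business is not governed by this policy (it is deployed via Intune),
# so it does not appear in the list. Temporary Access Pass is tolerated here as an
# onboarding bootstrap only; that is an assumption, adjust it to your own policy.
$PhishingResistant = @('Fido2', 'X509Certificate')
$ToleratedMethods  = @('TemporaryAccessPass')

function Test-AuthMethodConfigurations {
    # Pure evaluation over the authenticationMethodConfigurations collection, so it can be
    # run against an exported policy (e.g. ConvertFrom-Json of the Graph response) as well as
    # against a live tenant. -in/-notin are case-insensitive, matching Graph's 'Fido2', 'Sms', etc.
    param([object[]] $Configurations)

    $enabled   = @($Configurations | Where-Object { $_.State -eq 'enabled' })
    $phishable = @($enabled | Where-Object {
        ($_.Id -notin $PhishingResistant) -and ($_.Id -notin $ToleratedMethods)
    })
    [pscustomobject]@{
        Enabled   = @($enabled   | ForEach-Object Id)
        Phishable = @($phishable | ForEach-Object Id)   # e.g. MicrosoftAuthenticator, Sms, SoftwareOath
        # Compliant only if nothing phishable is on AND FIDO2 is actually enabled.
        Compliant = ($phishable.Count -eq 0) -and (@($enabled | ForEach-Object Id) -contains 'Fido2')
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$policy = Get-MgPolicyAuthenticationMethodPolicy
$result = Test-AuthMethodConfigurations -Configurations $policy.AuthenticationMethodConfigurations

"Enabled methods: $($result.Enabled -join ', ')"
if (-not $result.Compliant) {
    Write-Error "Phishable methods enabled (or FIDO2 missing): $($result.Phishable -join ', ')"
    exit 1
}
'OK: only phishing-resistant methods are enabled tenant-wide'
```

The evaluation is kept in a function that takes the configuration collection as input, so the same logic can be pointed at a saved policy export during an audit without tenant access. Note that the Authentication Methods Policy does not cover Windows Hello for Business; evidence for that method comes from the Intune configuration profile, not from this export.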

Zero Standing Privilege

No permanent Global Administrator assignments exist in our tenant. All elevated access requires Entra ID Privileged Identity Management (PIM) activation with MFA re-authentication, written justification, and peer approval. Maximum activation window: 2 hours for Tier 0 roles.

Supporting evidence: PIM role assignment report confirming zero permanent privileged assignments.
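A plain role-assignment listing does not distinguish a PIM activation in progress from a permanent assignment; the PIM schedule-instance API does. The following PowerShell script is an added example, not StremarControl's own tooling: it enumerates active Global Administrator instances, separates time-bound activations from standing assignments, and exits non-zero if any standing assignment exists. It assumes the Microsoft.Graph PowerShell SDK and an account holding RoleManagement.Read.Directory; the empty allow-list reflects the page's zero-standing-admin claim and is an assumption to adjust if break-glass accounts are held as permanent assignments.

```powershell
# Added example (not StremarControl's own tooling): list every active Global Administrator
# assignment through the PIM schedule-instance API and separate time-bound activations from
# standing (permanent) assignments. Assumes the Microsoft.Graph PowerShell SDK and an account
# holding RoleManagement.Read.Directory.

# Fixed template ID of the Global Administrator role (identical in every tenant).
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

function Get-StandingAssignments {
    # A PIM activation is reported with AssignmentType 'Activated' and an EndDateTime;
    # a permanent assignment is 'Assigned' with no expiry. Pure filter, usable on exports too.
    param([object[]] $Instances)
    @($Instances | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })
}

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -All

$standing = Get-StandingAssignments -Instances $instances

# Resolve principal names for the report (users, or role-assignable groups).
$report = foreach ($i in $standing) {
    $obj = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/directoryObjects/$($i.PrincipalId)"
    [pscustomobject]@{
        DisplayName = $obj.displayName
        PrincipalId = $i.PrincipalId
        MemberType  = $i.MemberType        # Direct, or Group when inherited via a role-assignable group
        Scope       = $i.DirectoryScopeId  # '/' means tenant-wide
    }
}

"Active Global Administrator instances : $(($instances | Measure-Object).Count)"
"Currently activated via PIM           : $(@($instances | Where-Object AssignmentType -eq 'Activated').Count)"
"Standing (permanent) assignments      : $($standing.Count)"

# Assumption: this tenant claims zero standing assignments. If break-glass accounts are held
# as permanent assignments, put their object IDs here so they are reported but not failed.
$AllowedStandingPrincipalIds = @()
$violations = @($report | Where-Object { $_.PrincipalId -notin $AllowedStandingPrincipalIds })

if ($violations) {
    $violations | Format-Table -AutoSize
    Write-Error "Standing Global Administrator assignments found: $($violations.DisplayName -join ', ')"
    exit 1
}
'OK: zero standing Global Administrator assignments'
```

Because PIM activations appear as ordinary active assignments while they last, a snapshot taken during someone's two-hour window would otherwise look like a standing admin; filtering on AssignmentType and EndDateTime is what makes the "zero permanent assignments" claim checkable at any moment.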

Conditional Access Architecture

18 Conditional Access policies enforce device compliance, sign-in risk, user risk, phishing-resistant MFA (via authentication strength), and approved client app requirements. Continuous Access Evaluation (CAE) is enabled so that supported critical events (such as account disablement or password change) and location policy changes are enforced in near real time rather than at token expiry.

Supporting evidence: full CA policy export detailing conditions, grant controls, and session controls.
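When reviewing such an export, the question an assessor actually asks is whether phishing-resistant MFA is enforced for everyone, or merely present in a report-only policy with broad exclusions. The following PowerShell script is an added example, not StremarControl's own tooling: it inventories every Conditional Access policy through the Microsoft Graph PowerShell SDK and then confirms that at least one enabled, all-users policy grants access only with the built-in "Phishing-resistant MFA" authentication strength, listing that policy's exclusions. It assumes the Microsoft.Graph module and an account holding Policy.Read.All.

```powershell
# Added example (not StremarControl's own tooling): export every Conditional Access policy and
# check that at least one *enabled* all-users policy grants access only with the built-in
# 'Phishing-resistant MFA' authentication strength. Assumes the Microsoft.Graph PowerShell SDK
# and an account holding Policy.Read.All.

# Built-in authentication strength policy IDs (fixed across tenants).
$StrengthNames = @{
    '00000000-0000-0000-0000-000000000002' = 'Multifactor authentication'
    '00000000-0000-0000-0000-000000000003' = 'Passwordless MFA'
    '00000000-0000-0000-0000-000000000004' = 'Phishing-resistant MFA'
}
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

function Get-PhishingResistantEnforcers {
    # Pure filter over conditionalAccessPolicy objects: enabled (not report-only), scoped to
    # all users, and granting with the phishing-resistant strength.
    param([object[]] $Policies)
    @($Policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.GrantControls.AuthenticationStrength.Id -eq $PhishingResistantStrengthId
    })
}

function Get-Exclusions {
    # Users and groups excluded from a policy; Measure-Object avoids @($null).Count being 1.
    param($Policy)
    @($Policy.Conditions.Users.ExcludeUsers) + @($Policy.Conditions.Users.ExcludeGroups) |
        Where-Object { $_ }
}

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$policies = Get-MgIdentityConditionalAccessPolicy -All

# Inventory: one row per policy, mirroring the fields an assessor reads from the export.
$policies | ForEach-Object {
    $sid = $_.GrantControls.AuthenticationStrength.Id
    [pscustomobject]@{
        Name     = $_.DisplayName
        State    = $_.State   # enabled | disabled | enabledForReportingButNotEnforced
        AllUsers = ($_.Conditions.Users.IncludeUsers -contains 'All')
        Excluded = (Get-Exclusions -Policy $_ | Measure-Object).Count
        Grant    = ($_.GrantControls.BuiltInControls -join ',')
        Strength = if ($sid) { if ($StrengthNames[$sid]) { $StrengthNames[$sid] } else { $sid } } else { '' }
    }
} | Sort-Object State, Name | Format-Table -AutoSize

$enforcers = Get-PhishingResistantEnforcers -Policies $policies
if (-not $enforcers) {
    Write-Error 'No enabled all-users policy requires the phishing-resistant MFA authentication strength'
    exit 1
}
# Exclusions are the usual gap in an otherwise strong policy: they should be break-glass accounts only.
foreach ($p in $enforcers) {
    $excl = @(Get-Exclusions -Policy $p)
    "Enforced by '$($p.DisplayName)' with $($excl.Count) exclusion(s): $($excl -join ', ')"
}
```

Policies in the enabledForReportingButNotEnforced state are deliberately ignored by the enforcement check: report-only mode logs what would have happened and blocks nothing, so it cannot support a claim of tenant-wide enforcement.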

Endpoint Compliance

All devices are corporate-owned, Intune-enrolled, and subject to 47 compliance checks including BitLocker encryption, Defender real-time protection, OS patch currency, and firewall state. Devices that report non-compliant are blocked from all M365 resources by Conditional Access, with no compliance grace period.

Supporting evidence: Intune device compliance dashboard export with per-device status.

Data Sovereignty & Encryption

Core Microsoft 365 customer data is hosted within UK regions. Certain telemetry and service-side processing may occur in other regions within the UK or EEA in line with Microsoft and service provider terms and safeguards. Data at rest is encrypted with Microsoft-managed keys (AES-256). Data in transit is protected by TLS 1.2 or higher. Access by UK and Norway (EEA) engineers is controlled through Conditional Access, device compliance, and contractual safeguards.

Supporting evidence: tenant data location report, Multi-Geo configuration audit, TLS enforcement policy.

Data Loss Prevention

Purview DLP policies prevent sensitive data from being shared externally, copied to USB devices, uploaded to personal cloud storage, or pasted into non-corporate applications. Sensitivity labels are mandatory on all documents and emails. External sharing requires explicit approval.

Supporting evidence: DLP policy configuration export, Sensitivity Label usage analytics, DLP incident summary.

Security Monitoring & Detection

Microsoft Sentinel (SIEM) ingests logs from Entra ID, M365 workloads, Defender XDR, and Intune. Custom analytics rules detect credential compromise, anomalous data access, privilege escalation, and configuration drift. Mean time to detect (MTTD) target: under 15 minutes.

Supporting evidence: Sentinel analytics rule inventory, incident response SLA metrics, monthly detection summary.

Supply Chain Security

All third-party application integrations undergo security review before consent is granted. OAuth application consent is restricted to administrators only. Service principals are subject to Workload Identity Conditional Access, which restricts them to known IP ranges, and application credentials are limited to certificates (no client secrets).

Supporting evidence: enterprise application inventory, consent policy configuration, workload identity CA policies.

Operational Governance

Security controls are only as strong as the governance discipline behind them. These practices ensure our posture remains current, tested, and audit-ready at all times.

Quarterly Access Reviews

Every staff member's access to internal systems, client tenants, and privileged roles is reviewed quarterly via Entra ID Access Reviews. Unacknowledged reviews result in automatic access revocation.

Incident Response

Documented incident response procedures aligned to ISO 27001 Annex A.5.24–5.28. Severity classification, escalation chains, forensic evidence preservation, and post-incident review within 48 hours. All incidents are logged in an immutable audit trail.

Security Awareness

All staff complete annual security awareness training tailored to our threat landscape. Monthly phishing simulations via Defender for Office 365 Attack Simulation Training. Repeat offenders are assigned to a higher-risk Conditional Access policy tier.

Continuous Compliance Monitoring

Purview Compliance Manager continuously assesses our tenant against ISO 27001, UK GDPR, and SOC 2 benchmarks. Configuration drift from baseline is detected within 1 hour and triggers automated remediation or engineer alert.

Business Continuity

Documented BCDR plans tested annually. M365 workload resilience leverages Microsoft's 99.9% SLA with geo-redundant data centres. Break-glass emergency access accounts are tested quarterly with tamper-evident physical credential storage.

Responsible Disclosure

We maintain a responsible disclosure process for reporting security vulnerabilities. Contact security@stremarcontrol.com with any findings. We acknowledge receipt within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.

Due Diligence Materials

Auditors, procurement teams, and compliance officers can request our full evidence package under NDA. Materials are refreshed quarterly.

  • Standardised Information Gathering (SIG) Questionnaire
  • Penetration Testing Executive Summary
  • Business Continuity & Disaster Recovery Plans
  • Incident Response Playbook
  • Data Processing Impact Assessment (DPIA) Register
  • Risk Treatment Plan & Risk Register
  • Sub-Processor List
  • Annual Management Review Minutes
At a glance:

  • Standing Global Admins: 0
  • Data Storage Region: UK tenant
  • Microsoft 365 Licence Tier: E5

Questions about our governance posture

We welcome security due diligence from prospective and existing clients. A senior member of our team is available to discuss any aspect of our security architecture and governance discipline in detail.
