Security Policy

Security is built into how Orangebox operates.

Updated: 2025

We maintain a structured, risk-based information security framework designed to protect client data, business systems, and operational continuity.

As part of our ongoing commitment to continuous improvement, we strengthened and consolidated our security programme in 2025 to align with modern best-practice standards.

Data Security

Our infrastructure operates within Microsoft Azure using a segmented, security-first architecture.

Secure Architecture

We protect our environment through:

  • Azure Firewall with intrusion detection and threat intelligence
  • Segmented networks with dedicated DMZ environments
  • Secure remote access via Cloudflare Zero Trust
  • Site-to-site VPN connectivity
  • Role-based access controls with quarterly reviews
  • Device compliance enforcement through Microsoft Intune
  • Full disk encryption across endpoints and Azure virtual machines

Access to systems and data is restricted to authorised personnel under least-privilege principles.

24/7 Monitoring, Testing & Threat Protection

Security at Orangebox is actively monitored and continuously tested.

Our programme includes:

  • Centralised logging and alerting via Microsoft Sentinel
  • 24/7 NSOC (Network Security Operations Centre) monitoring
  • Monthly security posture and vulnerability reporting
  • Active vulnerability hunting across infrastructure and applications
  • Monthly vulnerability scanning and structured patch management
  • Annual independent penetration testing
  • Dark web credential monitoring
  • Quarterly phishing simulations for staff

Security alerts are investigated, documented, and actioned through a formal incident response framework with defined escalation procedures and annual simulation testing.

Backup & Business Continuity

Resilience is embedded into our operations.

We maintain:

  • Azure virtual machine backups with geographically diverse storage
  • Microsoft 365 backups stored in New Zealand datacentres
  • Monthly cold storage backups
  • Annual business continuity simulations
  • Quarterly recovery component testing

Our Business Continuity & Disaster Recovery framework ensures we can respond quickly and restore critical services in the event of disruption.

Security Governance

In 2025, Orangebox consolidated and strengthened its information security framework into seven structured policy domains:

  • Access & Authentication
  • Information Handling & Protection
  • Data Governance
  • Incident & Risk Management
  • Application & Development Security
  • Third-Party Security
  • Business Continuity & Disaster Recovery

We operate a documented risk management and risk acceptance process with executive oversight and defined review cycles.

Security controls are reviewed annually and continuously improved as our technology and threat landscape evolve.

1. Commitment to ISO 27001

Orangebox recognises ISO/IEC 27001 as the international benchmark for information security management. Our objective is to align our information security framework with ISO 27001 principles and progress toward formal certification in a structured and sustainable manner. In 2025, we consolidated and strengthened our security framework to better align with ISO’s risk-based governance model.

2. Why ISO 27001 Matters

ISO 27001 provides a formal structure for:

  • Risk-based security management
  • Executive accountability
  • Systematic control implementation
  • Independent validation
  • Continuous improvement

Certification demonstrates that information security is embedded into governance, operations, and decision-making — not treated as a one-time technical exercise.

3. Current Security Position

Orangebox operates a mature security environment supported by:

Governance & Risk Management

  • Seven consolidated master security policy domains
  • Executive oversight of information security risks
  • Documented risk assessment and risk acceptance processes
  • Quarterly review of accepted risks
  • Annual policy review cycle

Technical & Operational Controls

  • Multi-Factor Authentication (MFA) for all accounts
  • Role-based access control with quarterly access reviews
  • Secure Azure-based segmented architecture
  • Azure Firewall with intrusion detection and threat intelligence
  • Encryption (AES-256 at rest, TLS 1.2+ in transit)
  • Microsoft Sentinel SIEM monitoring
  • Monthly vulnerability scanning and structured patch management
  • Data Loss Prevention controls
  • Formal third-party security governance

Continuous Monitoring & Validation

  • 24/7 NSOC monitoring and alert response
  • Monthly security posture reporting
  • Active vulnerability hunting across vendors and platforms
  • Annual independent penetration testing
  • Dark web monitoring
  • Annual incident simulation testing

Business Continuity & Resilience

  • Documented BCP/DR framework
  • Annual continuity simulations
  • Quarterly recovery component testing
  • Azure and Microsoft 365 backup controls

These controls align strongly with the core control domains of ISO/IEC 27001.

4. What Remains Prior to Certification Audit

While operational controls are well established, the following activities are required prior to entering a formal ISO 27001 audit process:

  1. Formal ISMS scope definition
  2. Consolidated enterprise risk register finalisation
  3. Development of a formal Statement of Applicability (Annex A control mapping)
  4. Structured internal ISO-aligned audit programme
  5. Documented executive management review of ISMS performance
  6. External pre-audit readiness assessment

These remaining steps focus primarily on documentation formalisation and audit readiness rather than foundational control implementation.

5. Position Summary

Orangebox has established a mature operational security environment with continuous monitoring, independent validation, and structured governance. Our remaining ISO pathway activities relate to formal ISMS documentation alignment and certification audit preparation. We are committed to progressing toward ISO 27001 certification in a measured, sustainable manner.

Data Security FAQs

Are you ISO 27001 certified?
Orangebox is not currently ISO 27001 certified. We are aligning our information security framework with ISO 27001 principles and progressing toward formal certification. This work focuses on strengthening governance, documenting security processes, and preparing for independent audit as part of the pathway to certification.

Orangebox takes the protection of client data seriously. Our systems and processes are designed to keep sensitive information secure and ensure it is handled responsibly.

Security measures include strict access controls, encrypted data storage and transmission, secure Microsoft Azure cloud infrastructure, continuous security monitoring, and regular security testing.

Orangebox operates its core systems within secure Microsoft Azure cloud infrastructure.

Access to systems and data is carefully controlled, and security monitoring, vulnerability management, and regular testing help ensure client information remains protected.

Many of the security controls expected under ISO 27001 are already in place at Orangebox.

Our ISO 27001 programme focuses on strengthening governance, documentation, and audit processes around these existing controls as part of our pathway toward certification.