Cyber Security Management at The AA

Group Security June 2025

Cyber security is the collection of measures that protects everyone against the criminal use of electronic data.

This page gives an overview of the cyber security practices employed by The AA (Automobile Association) to protect its digital assets, safeguard confidential information, and ensure the integrity and high availability of its operations.

The AA recognises the significance of cyber security in maintaining trust with its members and stakeholders. Consequently, it has implemented robust measures to mitigate risks and respond effectively to cyber incidents.

Our business partners come from various sectors, including the public sector, banking, automotive, finance and insurance, among others.

We also maintain multiple independently audited security certifications.


Governance, risk and compliance

The AA operates an ISO 27001:2022 certified Information Security Management System (ISMS). Our governance, risk and compliance (GRC) framework is aligned with regulations and industry best practices, and enables the standardisation of cyber security capabilities. It's designed to embed security governance at the heart of the organisation.

Performance evaluations of the ISMS occur regularly through monthly, quarterly and annual meetings conducted by the governance boards and steering committee.

The Chief Information Security Officer and the Executive Committee members are responsible for managing the risks associated with cyber threats and information security.

Our policies are published on The AA's intranet Hub Page and are accessible to all employees. These policies are regularly reviewed, and our Cyber Security Policy Framework is approved by the policy committee.


Risk management

The AA has a security risk management framework and employs a risk-based approach to cyber security, conducting regular risk assessments to identify, evaluate, and prioritise potential threats. This process informs the development of mitigation strategies tailored to the organisation's unique risk profile.


Operations security

The AA maintains a Group Security function, with distinct Information Security and Security Operations responsibilities, ensuring comprehensive protection.

The Information Security function oversees GRC, while the Security Operations team manages enterprise cyber security. The AA has implemented advanced Security Information and Event Management (SIEM) systems to detect and analyse potential security incidents in real time.

Continuous monitoring and threat intelligence feeds enhance the organisation's ability to identify emerging threats.

In the event of a security incident, The AA follows well-defined crisis and/or incident response plans to contain and eradicate any threat promptly. This includes isolating affected systems, forensic analysis and collaboration with relevant authorities.

Additionally, The AA collaborates with third-party experts to maintain specialised skills and knowledge, and to help us identify and manage emerging and evolving risks.


People and process security

HR security: employee screening and vetting

All employees are subject to a process of pre-employment screening that includes (but isn't limited to):

  • Identity checks

  • Right to work

  • DBS (Disclosure and Barring Service)

  • Credit checks (where applicable).

Employment contracts include relevant clauses to protect the confidentiality and intellectual property of The AA and its customers.

Security awareness program

The AA has a comprehensive initiative designed to educate and empower employees about the importance of cyber security. This includes annual security awareness training, regular simulated phishing exercises and information campaigns throughout the year.

Information classification standard

The AA classification scheme employs the following levels with guidelines on how to manage information at each level:

  • AA Public

  • AA General

  • AA Confidential

  • AA Highly Confidential

All customer-related information is classified as AA Confidential or AA Highly Confidential.

Access Control

The AA adheres to the following basic principles to keep systems secure from unauthorised access:

  • Defence in depth – Multi-layered controls to detect and prevent rather than a single control.

  • Least privilege – All access follows the principle of least privilege and is role based.

  • Strong user authentication – Strong password requirements with mandatory multi-factor authentication across all users and administrators.

Infrastructure security

Networks

The AA employs robust network security protocols, including encrypted communication, secure data transfer mechanisms, and intrusion detection and/or intrusion prevention systems to protect our networks and information exchanged internally and externally.

The networks are monitored by a 24/7 Security Operations Centre.

The AA has also deployed Zero Trust networking technologies to complement our Identity Access Management and Device Access Management models.

Endpoint protection

All end-user devices are managed using a centralised secure configuration management system. Endpoint controls include:

  • Endpoint threat intelligence

  • Local firewall

  • Endpoint detection and response

  • USB port blocking for storage devices

  • Drive encryption

  • Conditional access control

Servers and databases

The AA employs industry-leading practices for securing its server infrastructure, including regular security patching, access controls and encryption. Servers are regularly scanned using enterprise-class tools, and vulnerability assessments are conducted to identify and address potential risks. Zero Trust technologies are deployed across our critical infrastructure systems.

Data centres

To optimise service availability and security, we leverage a hybrid data centre model, incorporating on-premises, co-location and cloud infrastructure tailored to our requirements. Our data centres meet at least tier 3 standard and follow enterprise security procedures.

To comply with legal and contractual requirements, we do not store data outside UK and European territories. Geographical resilience is considered when deploying critical business systems.

Technology resilience

The AA conducts disaster recovery tests, backup tests and tabletop exercises to ensure the resilience of our IT infrastructure. The IT estate has live data replication between data centres, ensuring minimal disruption in the case of an incident.

Our critical systems are designed for high availability and hosted across multiple data centres, aligning with industry-standard frameworks for resilience.


Third-party supplier security

The AA employs robust supplier management practices, encompassing due diligence, vendor risk assessment, regular performance evaluation, security audits and collaborative efforts to align suppliers with cyber security standards.

The AA incorporates the use of a supplier management tool, which streamlines communication, facilitates security document exchange and provides a centralised repository of supplier contracts and supplier due diligence reports.


Data protection and legal

The AA has a dedicated Privacy team and an appointed Data Protection Officer (DPO). The Group Security team works closely with the DPO and the Legal team to ensure that applicable legislative and regulatory requirements are met.

Privacy Impact Assessments (PIAs) are conducted to evaluate and mitigate privacy-associated risks related to handling data, processes and systems.

You can find out how The AA looks after your personal data in the AA Group privacy notice.