Trust Center

ITAR Compliance and NIST 800-53

Last Updated: May 6, 2025 1:35 pm MDT

Organizations subject to the International Traffic in Arms Regulations (ITAR) are responsible for safeguarding controlled technical data against unauthorized access and export. To achieve this, they often turn to the National Institute of Standards and Technology (NIST) 800-53 framework, a comprehensive catalog of security and privacy controls, as a guiding resource for enhancing their cybersecurity practices. While ITAR does not explicitly mandate the use of NIST 800-53, the framework’s rigorous approach to securing information systems aligns well with ITAR’s overarching objective of protecting sensitive defense-related information.

To ensure consistency and compliance, Zayo follows the Unified Compliance Framework (UCF), which outlines a set of common control criteria that align with global standards, laws, regulations, directives, guidelines, and best practices (“requirements”). As new requirements emerge that impact Zayo products and services, the Organization is committed to continuously improving our control environment to drive security maturity.

The UCF continually integrates processes and tools necessary to consolidate and harmonize all compliance requirements relevant to Zayo. By aligning with this framework, Zayo benefits from a standardized approach to compliance. The UCF aligns with key standards, including ISO 9001, ISO 27001, ISO 22301, NIST 800-37, NIST 800-53, NIST 800-171, PCI DSS, and more. It also adheres to important laws, regulations, and directives, including, but not limited to, CCPA/CPRA, DORA, FedRAMP, GDPR, NIS2, and TSA.

As a result, the UCF framework provides Zayo with a structured approach to implementing cybersecurity measures tailored to its unique operational environments and risk profiles. By leveraging this framework, Zayo establishes common controls across key domains such as access control, encryption, incident response, and continuous monitoring. These controls help ensure that any ITAR-controlled data remains secure during storage, transmission, and processing, thereby mitigating the risk of data breaches and unauthorized disclosures.

One of the significant advantages of using NIST 800-53 as a guideline is its adaptability. Zayo selects and customizes common control criteria based on the specific threats and the sensitivity of the data we handle. For ITAR compliance, this means incorporating measures designed to prevent access by foreign nationals or unauthorized entities, which is a critical aspect of ITAR regulations. By doing so, Zayo not only enhances its security posture but also demonstrates a proactive commitment to meeting ITAR requirements.

In addition to technical safeguards, NIST 800-53 emphasizes the importance of organizational policies, employee training, and regular assessments. For ITAR-regulated entities, this approach ensures that all aspects of security, both technical and non-technical, are addressed. As a result, Zayo is better equipped to maintain compliance in an increasingly complex regulatory and cybersecurity landscape. The use of NIST 800-53 as a guideline reflects a best-practice approach, harmonizing ITAR obligations with a well-established cybersecurity framework.

FAQs


  • Audit and Compliance

    What is the scope of an audit?

    The scope of an audit refers to the specific areas, processes, or financials under review. It can include financial statements, compliance with laws and regulations, internal controls, or operational performance. The scope is typically defined during the initial stages of the audit to meet regulatory or business requirements.

    How does Zayo ensure compliance with industry regulations?

    To ensure consistency and compliance, Zayo follows the Unified Compliance Framework (UCF), which outlines a set of common control criteria that align with global standards, laws, regulations, directives, guidelines, and best practices (“requirements”). As new requirements emerge that impact our products and services, Zayo is committed to continuously improving our control environment to drive security maturity. Our compliance team continuously monitors changes in regulatory requirements and ensures our practices align with the latest standards. Regular internal audits, employee training, and external audits also play a key role in this process.

    What happens if Zayo fails an audit or compliance check?

    If an audit or compliance check reveals issues, Zayo logs them as issues for remediation as part of our Risk Management program. Corrective actions are assigned to the appropriate operational teams, as the first line of defense, for remediation.

    How do you handle sensitive data during an audit?

    We take data privacy and security very seriously. All sensitive data is handled with the utmost care, in compliance with data protection regulations such as GDPR or HIPAA. Auditors are required to sign non-disclosure agreements (NDAs), and data is stored in secure environments with restricted access.

    What are the key benefits of performing regular compliance audits?

    Regular compliance audits help identify risks early, ensure legal compliance, improve operational efficiency and security, and provide confidence to stakeholders. They also allow Zayo to address issues before they escalate into costly problems or legal issues.

    How does Zayo prepare for an audit?

    To prepare for an audit, Zayo ensures that all relevant documents, records, and policies are up to date and easily accessible. We conduct internal reviews to identify and address any gaps in compliance, train key employees on audit processes, and ensure our internal controls are functioning.

    What is the difference between internal and external audits?

    An internal audit is conducted by employees within the Organization to assess risk management, compliance, and internal controls. External audits are carried out by third-party firms to provide an unbiased review of financial statements and compliance with legal or regulatory standards. External audits tend to be more formal and may be required by law, investors, or other stakeholders.

    What is the Unified Compliance Framework (UCF)?

    The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    What authoritative sources does Zayo consider in its common controls framework?

    Zayo’s compliance team continuously monitors for new global regulations and requirements and incorporates authoritative sources as needed. Today, Zayo considers the following sources within its common controls framework:

    • Regulation (EU) 2024/1689 of the European Parliament and of the Council – on Artificial Intelligence
    • Cybersecurity Maturity Model Certification (CMMC) Level 1
    • Colorado Revised Statutes, Title 6, Article 1 – Artificial Intelligence Act
    • Directive (EU) 2022/2555 of the European Parliament and of the Council – on measures for a high common level of cybersecurity across the Union
    • Regulation (EU) 2022/2554 of the European Parliament and of the Council – on digital operational resilience for the financial sector
    • Regulation (EU) 2016/679 of the European Parliament and of the Council – General Data Protection Regulation (GDPR)
    • FIPS Publication 140-2 – Security Requirements for Cryptographic Modules
    • FedRAMP Security Controls – Moderate Baseline
    • ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements
    • ISO 45001:2018 – Occupational health and safety management systems – Requirements with guidance for use
    • ISO 9001:2015 – Quality management systems – Requirements
    • ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls
    • ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements
    • ISO/IEC 28394:2023 – Information technology – Information security management – Security requirements for service providers
    • ISO/IEC 38507:2022 – Information technology – Governance of AI and autonomous systems – Overview of principles and practices
    • NIST Special Publication 800-171 Revision 3 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
    • NIST AI 100-1 – Artificial Intelligence Risk Management Framework
    • NIST Cybersecurity Framework (CSF) 2.0 – Framework for Improving Critical Infrastructure Cybersecurity
    • NIST Special Publication 800-161 Revision 1 – Cybersecurity Supply Chain Risk Management Practices for Federal Information Systems and Organizations
    • NIST Special Publication (SP) 800-53 Revision 5.1.1 – Security and Privacy Controls for Information Systems and Organizations
    • Payment Card Industry Data Security Standard (PCI DSS)
    • Personal Information Protection and Electronic Documents Act (PIPEDA)
    • Public Company Accounting Reform and Investor Protection Act of 2002
    • Statement on Standards for Attestation Engagements (SSAE) No. 18 – Attestation Standards: Clarification and Recodification
    • SOC 2® – Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
    • Web Content Accessibility Guidelines (WCAG) 2.1

    Is Zayo in scope for the Digital Operations Resilience Act (DORA)?

    DORA places significant responsibility on financial entities to manage and oversee their third-party ICT providers. It emphasizes thorough due diligence, continuous monitoring, clear contracts, and incident management, all aimed at ensuring operational resilience in the face of disruptions or cyber risks. Financial institutions must be proactive in managing these risks to comply with DORA’s standards. DORA requirements for third-party ICT focus on managing the risks arising from outsourcing critical ICT services, which could impact operational resilience.

    Zayo is not a financial services entity and has not been designated as a critical Information and Communications Technology (ICT) third-party service provider, but Zayo acknowledges and appreciates the impact of DORA on financial services entities and includes DORA in its common controls framework as outlined by the Unified Compliance Framework (UCF). Our Organizational programs address DORA regulations as they apply to ICT third-party service providers in the following areas:

    • Risk Management
    • Incident Reporting
    • Resilience Testing
    • Compliance with Security Standards
    • Contractual Obligations
    • Monitoring and Oversight

    For more information, refer to International Regulatory Compliance.

    What is Zayo’s approach to Europe’s new Network and Information Security 2.0 Directive (NIS2)?

    NIS2 aims to enhance the cybersecurity landscape by introducing a Cyber Crisis Management Structure through the European Cyber Crisis Liaison Organization Network (EU-CyCLONe). It promotes harmonization of security requirements, encourages national strategies to address new areas such as supply chain and vulnerability management, and expands the sectors covered, thereby increasing the number of entities responsible for cybersecurity.

    NIS2 significantly broadens the scope of compliance to include mid-sized and large companies across 18 critical sectors, such as energy, transport, and healthcare. Organizations classified as essential or important must establish incident-reporting processes for significant security breaches, guided by criteria related to location, size, and industry.

    Zayo is proactively aligning its operations with NIS2 as an Essential Entity and includes NIS2 in its common controls framework as outlined by the Unified Compliance Framework (UCF). Under the guidance of the Chief Security Officer (CSO), Zayo is implementing safeguards as part of its security program to meet NIS2 requirements while ensuring compliance with other global regulations.

    For more information, refer to International Regulatory Compliance.

    Is Zayo compliant with the UK Telecommunications Security Act (TSA)?

    The Telecommunications Security Act (TSA), effective March 31, 2025, introduces new security regulations for telecom providers in the United Kingdom (UK), responding to evolving geopolitical threats and increasing cybercriminal activity. The Act establishes a ‘Three Layer Framework’ and a tiering system that categorizes providers based on size and annual revenue, determining compliance requirements and timelines. The UK Office of Communications (Ofcom) is the regulatory body supervising the UK communications industry. The TSA passed into law on October 1, 2022, ushering in a number of new security requirements for public telecom providers.

    Zayo, classified as a Tier 2 provider, is proactively aligning its operations with TSA requirements through its governance framework of common controls. Currently, the TSA authoritative source is not available in the UCF; however, Zayo has performed a gap analysis and an internal audit to determine the safeguards required within our common controls to meet initial compliance measures, and continues to enhance its Security program with guidance from its Chief Security Officer (CSO).

    For more information, refer to International Regulatory Compliance.

    Is Zayo in scope for PCI?

    With regard to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting cardholder data is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from customers through customer account management portals and an Interactive Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded calls to redirect customers to engage directly with third-party payment processors. Third-party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
    • Service Provider: Zayo provides some services that may impact the security of customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    Does Zayo hold a valid information security/cybersecurity third-party attestation or certification (e.g., ISO 27001, SOC 2 Type 2, CMMC Level 3-5, Cybersecurity Maturity Assessment, etc.)?

    Zayo does not hold security certifications for its network transport products, as we do not collect, store, or process customer data. Beginning in 2025, Zayo has embarked on a strategic company-wide effort to achieve certifications for its other products and services across SOX, SOC 1, SOC 2, FedRAMP, ISOs 9001, 14001, 20243, 27001, and 45001, and Capability Maturity Model Integration (CMMI) accreditation programs. We are also exploring additional certifications to expand compliance capabilities in the US, Canadian, and European markets.

    Zayo Europe is certified in ISO 27001, ISO 9001, ISO 14001, and ISO 45001. SOC 2 certification applies only to voice services in Canada.

  • Security Governance

    What is the Unified Compliance Framework (UCF)?

    The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    How is Zayo’s Security Governance Framework structured?

    Using a Common Control Framework (CCF) based upon the UCF, Zayo is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas. This ensures the Organization’s compliance with a multitude of global industry standards, regulations, and best practices.

    Does Zayo share its governance documentation with customers?

    No. Zayo does not share governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.

    Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements?

    Yes. Information is categorized using data classification standards and document retention policies.

    Do you follow operational standards or frameworks for managing Information Security/Cybersecurity?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you have company-wide, publicly available security policies in place covering privacy?

    Yes. You can find publicly available policies under the Governance category of the Trust Center. For privacy information, please refer to Zayo’s Privacy Policy.

    What mechanisms are in place to ensure Zayo policy and standards are enforced within your supply chain?

    Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Addendums (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the security requirements and practices specified are propagated throughout the supply chain, and that relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services are adhering to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. All third parties are assessed and re-assessed as service agreements change. If violations of contractual Third Party Risk Management (TPRM) requirements or TPRM-related incidents occur, remediation activities are managed as issues.

    Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and this method of information sharing must be used by the Supplier in the case that the Supplier uses any other Suppliers for the services provided to the Organization.

    Do the Board and Executive Management establish a clear ‘tone from the top’ on the importance of cybersecurity?

    There is a distinct ‘tone from the top’ from the Board and Executive Management that is consistent, visible, and achieved on a sustained basis.

    Does a relevant Board Committee (with risk management oversight or audit responsibilities) receive cybersecurity reports?

    Yes. Reports include:

    • Key threats and associated cyber security activities
    • Cyber incidents and underlying causes
    • Ownership responsibilities and accountabilities
    • Roadmaps, action plans, and progress
    • Key Risk Indicators, tolerances, and financial thresholds/limits
    • Cyber security performance metrics and trends
    • Information on emerging threats

    How often does the Board receive reporting on Zayo’s cyber risk profile?

    Board reporting occurs quarterly or more frequently as needed.

    Is there an executive-level sponsor (e.g., CTO, CIO, CISO, GC) to promote cybersecurity or dedicated roles with accountability for cyber security?

    Yes. Zayo’s CIO, CFO, and CSO act as executive-level sponsors to promote Zayo’s security programs and posture.