Security Controls

Framework Alignment & Certifications

Our security program is designed in alignment with recognized frameworks and standards, including the NIST Cybersecurity Framework (CSF). Our controls support compliance with applicable certifications and regulations such as SOC 2, ISO/IEC 27001, PCI DSS, FedRAMP, and GDPR where applicable.

We maintain a consistent control framework across the organization, with additional requirements applied based on product, system, and regulatory needs.

Certifications, authorizations, and compliance attestations are system, product, and business specific. Detailed information regarding applicable certifications or assessment results may be provided upon request and subject to appropriate review and approval.

1. Access Control

Identity & Access Control

We manage user identities through centralized authentication systems and enforce access controls based on defined roles and responsibilities. Access to systems and data is granted through formal approval processes to ensure only authorized users are provisioned.

FedRAMP/ ISO/ SOC 2/ NIST CSF/ PCI DSS

Least Privilege

We follow the principle of least privilege to ensure users are granted only the minimum level of access necessary to perform their job functions, where applicable.

FedRAMP/ SOC 2/ ISO/ NIST CSF/ PCI DSS

MFA

Multi-factor authentication is implemented for access to internal systems and privileged accounts with ongoing efforts to expand coverage more broadly across the environment.

FedRAMP/ SOC 2/ NIST CSF/ PCI DSS

Access reviews

User access reviews are performed periodically for key systems to help validate that permissions remain appropriate. Processes are being expanded to improve consistency and coverage across the environment.

FedRAMP/ SOC 2/ ISO/ NIST CSF/ PCI DSS

2. Data Protection and Encryption

Encryption at rest and in transit

We use industry-standard encryption to protect data both at rest and in transit. Encryption mechanisms are implemented to safeguard sensitive information from unauthorized access or disclosure.

FedRAMP/ ISO/ SOC 2/ NIST CSF/ GDPR/ PCI DSS

Key Management

Cryptographic keys are securely generated, stored, and managed in accordance with established security practices where applicable. Access to keys is restricted and monitored to prevent unauthorized use.

FedRAMP/ SOC 2/ NIST CSF/ ISO/ GDPR/ PCI DSS

Data classification

Data classification practices are defined based on data sensitivity, with guidance available for handling data in accordance with its classification. This ensures appropriate safeguards are applied based on the level of risk associated with data.

FedRAMP/ SOC 2/ NIST CSF/ ISO/ GDPR/ PCI DSS

Secure data handling practices

Access to sensitive data is restricted based on business need. Monitoring capabilities are in place in key environments to help detect unauthorized activity.

FedRAMP/ SOC 2/ NIST CSF/ ISO/ GDPR

3. Security Monitoring & Detection

Logging

System and application activities are logged across key environments to support monitoring, investigation, and auditing. Log retention is managed in accordance with defined policies where implemented.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

Threat detection

We use automated tools and monitoring processes to identify potential security threats and anomalous behavior across our environment.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

Continuous monitoring

Monitoring capabilities are in place in supported environments to provide visibility into security posture and help detect potential risks.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

Alerting and response workflow

Security alerts are generated for suspicious activities and routed to appropriate teams for timely investigation and response.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

4. Vulnerability Management

Vulnerability Scanning and Security Testing

We perform regular vulnerability scanning and security testing activities, including automated scans and manual assessments, in supported environments to help identify potential security weaknesses.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

Patch management

Security patches and updates are applied based on system criticality and operational priorities to help address known vulnerabilities and reduce exposure.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

Remediation processes

Identified vulnerabilities are assessed, prioritized based on risk, and remediated through defined processes.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

External Vulnerability Reports and Ratings

We continuously monitor our security posture using internal tools and centralized vulnerability management processes. From time to time, customers or third parties may share independent vulnerability reports or security ratings. While such information may be reviewed in context, mitigation and remediation activities are prioritized and managed through Pearson's internal processes rather than customer-specific tracking or reporting.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

5. Incident Response

Incident handling process

We maintain procedures to detect, contain, and remediate security incidents in a structured and timely manner.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

Investigation and containment

Security incidents are investigated to determine scope and impact, and appropriate containment measures are implemented.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

Notification approach

We follow established communication processes to notify relevant stakeholders in accordance with contractual and regulatory obligations.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ GDPR/ PCI DSS

Testing and Improvement

Testing of incident response processes is required across Pearson assets. Lessons learned are incorporated to enhance response capabilities.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

6. Business Continuity and Disaster Recovery

Backup strategy

We perform regular backups of critical data to support recovery in the event of system failure or disruption.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

High availability design

We monitor system availability and implement measures to maintain consistent service performance.

FedRAMP/ ISO 27001/ SOC 2

System Resilience

Systems are designed with resilience in mind, including redundancy and failover capabilities to minimize downtime.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

Recovery planning and testing

Recovery plans are defined using a standardized approach across systems, with testing performed, where conducted, to validate their effectiveness.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF

7. Governance, Risk, and Compliance

Risk Assessments and ongoing evaluation

We conduct risk assessments to identify and evaluate threats to our systems and data. Where processes are in place, risk is periodically monitored and reassessed to reflect changes in the threat landscape and business environment.

ISO 27001/ SOC 2/ NIST CSF/ GDPR/ PCI DSS

Risk treatments and governance oversight

Identified risks are addressed through appropriate controls and remediation strategies. Risk management activities are tracked and reported to appropriate governance functions to support accountability.

FedRAMP/ SOC 2/ NIST CSF/ ISO 27001/ PCI DSS

Policies, standards, and internal oversight

We maintain security policies and standards aligned with recognized frameworks and best practices. Our security program is supported by governance structures that provide oversight and accountability.

ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

Alignment with Frameworks, audit, and certification management

Certifications and compliance coverage vary by product and business unit. Additional details are available upon request. We undergo assessments and audits to validate the effectiveness of our security and compliance program.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

8. Third-Party Risk Management

Vendor assessment

Third-party providers are evaluated as part of onboarding and ongoing risk management processes to assess their security and privacy posture, based on business and risk considerations.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ GDPR/ PCI DSS

Sub-processor management

Sub-processors are identified and required to meet defined security and privacy standards consistent with our program.

ISO 27001/ SOC 2/ GDPR/ NIST CSF/ PCI DSS

Ongoing monitoring

Vendors are subject to periodic reviews and monitoring to ensure continued compliance with expectations.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

Contractual controls

Contracts include security and data protection requirements that vendors must adhere to.

ISO 27001/ SOC 2/ GDPR/ PCI DSS

9. Secure Development (SDLC)

Secure coding practices

We follow secure coding standards to reduce the risk of vulnerabilities in our applications.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

Change management

Changes to systems are managed through controlled processes in supported environments to help ensure appropriate authorization and validation.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

Code Review and testing

Code changes may be reviewed and tested, including security testing, as part of development practices in supported environments.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS

Environment separation

Development, testing, and production environments are separated to reduce risk and maintain system integrity.

FedRAMP/ ISO 27001/ SOC 2/ NIST CSF/ PCI DSS