
Posted by Rob Whalley
CAFM System Security: Safeguarding Your Facilities, Data, and Compliance
In today's connected world, CAFM (Computer-Aided Facilities Management) systems play a pivotal role in how organisations manage their buildings, assets, people, and compliance obligations. But with this digital capability comes a critical responsibility: security.
As CAFM systems store and process sensitive operational, financial, and personal data, they become prime targets for cyber threats. Whether you're managing a school trust, hospital estate, government property, or corporate real estate, the security of your CAFM system must be a top priority.
This blog explores the essential elements of CAFM system security—and what you should demand from your provider to keep your estate protected.
Why CAFM System Security Is Essential
A modern CAFM system holds:
- Asset registers and maintenance history
- Compliance documentation (fire safety, water hygiene, asbestos registers, etc.)
- Contractor and supplier contact data
- Room and space booking records
- Helpdesk, incident, and reactive maintenance logs
- Sensitive personal data (e.g., building access logs, visitor records, staff requests)
Without the right security measures in place, this information is vulnerable to:
- Cyber attacks and ransomware
- Data breaches and GDPR violations
- Operational disruption and reputational damage
Essential Components of a Secure CAFM System
1. Role-Based User Access Control (RBAC)
Restricting user access based on role or responsibility is fundamental. Your CAFM system should allow administrators to:
- Set precise permissions per user group (e.g. engineers, self-service users, system admins)
- Limit access to sensitive data or functionality
- Track and audit all user actions via detailed logs
This ensures only authorised personnel can access or edit particular parts of the system—minimising internal and external risks.
2. Multi-Factor Authentication (MFA)
MFA adds a vital second layer of security—requiring users to verify their identity through an additional method (e.g., mobile code, authenticator app).
This drastically reduces the risk of unauthorised access due to stolen or weak passwords—especially important with mobile engineer apps and remote logins.
3. Single Sign-On (SSO) via Microsoft Entra ID (Azure AD)
SSO integration supports streamlined but secure access across your organisation. A secure CAFM system should integrate with Microsoft Entra ID (formerly Azure Active Directory) or your chosen identity provider to:
- Improve access management
- Enforce password and security policies centrally
- Support seamless onboarding and offboarding
4. Secure Hosting & UK-Based Data Centres
Ensure your CAFM provider hosts your system in:
- ISO 27001-certified environments
- UK or EU data centres for GDPR compliance
- Resilient and redundant cloud infrastructure, with firewall protection and monitored access
Ask your provider where your data is physically stored and how it’s managed. UK data residency is increasingly vital for public sector and healthcare clients.
5. Data Encryption (At Rest & In Transit)
To protect against data interception and unauthorised access, your CAFM system should use:
- TLS encryption (the modern successor to SSL) for all browser and API connections
- AES 256-bit encryption (or equivalent) for data stored on servers
- Secure encryption of backup files and sensitive records
Encryption ensures that even if data is intercepted or copied, it cannot be read or used without the corresponding keys, so ask how those keys are managed and who holds them.
6. Regular Security Patching & Maintenance
A secure CAFM provider should demonstrate a clear vulnerability management process, including:
- Ongoing system updates and security patches
- Proactive monitoring for threats and irregularities
- Maintenance windows with clear communication and contingency plans
This protects against evolving cyber threats and shortens the window of exposure when new vulnerabilities and zero-day exploits are disclosed.
7. Penetration Testing (Internal & Third-Party)
Your CAFM provider should subject the platform to regular penetration testing, ideally:
- Performed by independent, CREST-accredited or CHECK-accredited testers
- Covering both application and infrastructure-level vulnerabilities
- Supported by internal red team tests and development QA reviews
Request access to the latest pen test summary and evidence of issue remediation. Penetration testing validates the system’s resilience against real-world attacks.
8. Cyber Essentials & Cyber Essentials Plus Certification
A good CAFM provider should hold Cyber Essentials or ideally Cyber Essentials Plus certification, demonstrating compliance with UK government-backed cybersecurity standards.
This includes controls covering:
- Secure configuration
- Firewalls and internet gateways
- Malware protection
- Access control and patch management
These certifications provide additional reassurance, particularly for NHS, local authority, and education clients.
9. Up-to-Date Insurance & Security Policies
Always ask for:
- Professional indemnity and cyber liability insurance certificates
- A copy of the provider’s Information Security Policy
- GDPR and data protection documentation
- Evidence of incident response and disaster recovery planning
Well-documented policies are a sign of maturity and accountability.
10. Third-Party Contractor Vetting
Many CAFM providers rely on subcontractors for development, hosting, or support. Your system is only as secure as the weakest link.
Ensure the provider:
- Vets third-party contractors for compliance and security standards
- Ensures all sub-processors are under GDPR-compliant data processing agreements
- Maintains a public or client-shareable sub-processor list
- Reviews supplier risk regularly
You have a right to know who has access to your system and data, even indirectly.
11. Secure Backups & Disaster Recovery
Ask how your data is backed up:
- Daily encrypted backups with off-site replication
- Disaster recovery plans with tested restoration timelines
- Recovery point objective (RPO) and recovery time objective (RTO) standards
The best CAFM systems will offer 99.9% uptime with rapid failover in the event of outages or cyberattacks.
12. User Training & Awareness
Technology alone isn’t enough—human error is still the top cause of security breaches. CAFM providers should support:
- User training on secure login practices
- Phishing awareness and device security
- Clear escalation paths for suspicious activity
When everyone understands their role in system security, risk is reduced across the board.
Final Thoughts
In an environment where facilities, estates, and compliance functions are increasingly digitised, your CAFM system must be robust, secure, and trustworthy. From encryption and access control to penetration testing and supplier vetting, cybersecurity is no longer optional—it’s operationally critical.
Choosing a CAFM provider that puts security at the heart of its platform not only protects your data—it safeguards your staff, your reputation, and your future.
To learn more about Tabs FM's approach to CAFM system security, please contact sales@tabsfm.com