AI-27001Map one TSA evidence workflow

Telecoms guide

Telecoms Security Act checklist for UK operators

A Telecoms Security Act checklist for UK operators should cover duties, evidence ownership, supplier oversight, access control, reviews, and the operating trail behind the next request for proof.

7 min readUK telecoms, broadband, ISP, altnet, and connectivity teams2026-04-23

Start with the direct answer.

A Telecoms Security Act checklist for UK operators should cover the duties that apply, the controls and reviews that support those duties, the owners responsible for the work, the supplier and third-party follow-up behind it, and the evidence trail that proves the work is current.

That matters because a checklist that names obligations without showing ownership and evidence is only half useful. The operational question is always the same: who owns this, what supports it, what changed, and what still needs action before the next request for proof lands?

The checklist needs to be evidence-first.

For many teams, the hardest part is not identifying the topic area. It is keeping the underlying records current enough to defend. Access reviews, supplier oversight, security testing, risk management, asset evidence, and approvals can all exist in different places unless the workflow is deliberate.

That is why TSA work often starts to look like spreadsheet theatre. The document exists, but the supporting operating trail is hard to show cleanly.

What to include in a practical checklist.

The exact shape will vary by operator, but the checklist should make the key operating themes visible and assignable rather than abstract.

  • Applicable duties and implementation areas
  • Named owners for each evidence or control area
  • Supplier and third-party review points
  • Access control and identity-management review cadence
  • Security testing, resilience, and incident-readiness records
  • Linked policies, approvals, and management-review outputs

Keep TSA and ISO 27001 joined up.

The cleanest operating model is usually the one where Telecoms Security Act work and ISO 27001 evidence stay connected instead of living in parallel systems. Controls, risks, policies, suppliers, and approvals are easier to explain when they are not duplicated into separate admin tracks.

That does not mean the regimes are identical. It means the evidence workflow is easier to run if it is structured in one place.

Free review

Not ready to book? Get a practical evidence next step instead.

Pick the lower-friction option that fits where you are. We’ll use your page and campaign context to understand the request without adding tracking clutter to the visible URL.

Share your current TSA or ISO evidence process and we’ll compare it with a cleaner operating model.

12
Choose an offer

Send this short request now, or add optional sales context first if it helps route the reply.

Prefer to talk it through?

If TSA evidence still feels scattered, compare notes.

A lot of TSA difficulty is not the existence of the duty. It is the work needed to keep the evidence live. If you are in that position, I’m happy to compare notes.

See the Telecoms Security Act compliance page

Related reading

More ISO/IEC 27001 explainers.

These pieces are meant to help technical teams, advisers, and internal owners make sense of the 2022 edition, Annex A, and how older material should be reviewed.

Telecoms insight

What Ofcom's Telecoms Access Review 2026-31 means for ISP compliance evidence

The Telecoms Access Review is not an ISO 27001 rule, but it changes the operating environment for ISPs, altnets, wholesale buyers, and infrastructure users. That makes clean evidence ownership more important.

7 min readISP, altnet, wholesale telecoms, and TSA compliance teams
Read What Ofcom's Telecoms Access Review 2026-31 means for ISP compliance evidence

Incident evidence insight

Palo Alto zero-days are an ISO 27001 evidence problem, not just a patching problem

When a perimeter firewall zero-day is exploited before every team has patched, the compliance question becomes practical: can you prove exposure, ownership, mitigation, customer impact, and management review quickly enough?

7 min readMSPs, ISPs, SaaS security teams, and ISO 27001 owners
Read Palo Alto zero-days are an ISO 27001 evidence problem, not just a patching problem

AI-27001 is a product of SW DIGITAL SERVICES LIMITED, registered in England and Wales. Company number 17178287.