Security and compliance on a Maximo estate cuts across two very different regulatory worlds. On the data side: GDPR (and the UK GDPR), data residency, encryption, identity, audit, retention. On the asset-management side: ISO 55000 / 55001, the regulator-specific frameworks for the sector (Ofgem, ORR, CAA, Ofwat, HSE, equivalents in other jurisdictions), and increasingly the OT cybersecurity expectations that come down from NIS2 and equivalents.
A Maximo estate sits in the middle of both. This guide is for the IT lead, security lead, head of asset management, or head of audit who needs an evidence-based view of where the estate stands today and what an external auditor would say about it.
It is written from the perspective of running these conversations with auditors on customer engagements, not from a slide on what GDPR or ISO 55001 means in theory.
What an auditor will actually ask
In our experience, the questions cluster into eight areas. We work through them in this order on a security and compliance review.
1. Identity and access
The first questions are always about who has access and how that is governed.
- Is identity centralised through SSO, against the customer’s authoritative identity provider? Are local Maximo passwords disabled or, where they exist, justified and inventoried?
- Is multi-factor authentication enforced for the application, and for any administrative interfaces?
- Is the joiner-mover-leaver process automated, or does it rely on a manual ticket each time?
- When was the last access review for each Maximo security group? Is there a record of who reviewed it and what they changed?
- For privileged access (MAXADMIN, the Maximo admin group, or anything equivalent to it; OS-level access on the application servers; the database admin role), is there a named, current, time-bound list of who holds it and why?
For UK-regulated estates, the regulator’s expectation is that the access review cycle is at most twelve months, and shorter for privileged accounts. Most estates we audit have an access review cycle of “we did one when we went live”.
2. Audit trail
GDPR and most sector regulators expect that material changes to data are auditable and that the audit record is itself protected.
- What objects are audited in Maximo? Is the audit at object level (e.g. the workorder table) or only at the field level for a few fields?
- How long is the audit trail retained? Is the retention defensible against the customer’s regulator and the customer’s data-protection policy?
- Is the audit data protected from modification by the same accounts that can modify the underlying record?
- Is the audit data exported off-platform to a SIEM where it is correlated with other systems’ events, or does it live only in Maximo?
A defensible position is: enable audit on every object that touches assets, work, locations, inventory, vendors, contracts, and people. Retain for a defensible period (commonly seven years for regulated estates). Forward to a SIEM or equivalent. Restrict the deletion right to a separately-governed account.
3. Data residency, encryption and key management
For GDPR and increasingly for sectoral regulators:
- Where does the application data sit at rest? In which region of which cloud? Who has physical and logical access to that storage layer?
- Where does it sit in transit, and is every leg of that path encrypted with current cipher suites? This includes the path from the user’s browser, the path to the database, the path to integrations, and the backup path.
- How are encryption keys managed? Customer-managed keys (CMK) where the regulatory posture demands it, or platform-managed where it does not. Either is defensible if it is the chosen position with an explicit reason.
- Where does backup data sit, and for how long?
On managed cloud, our default is: production and non-production data resident in the customer’s chosen jurisdiction (UK in most of our engagements), TLS on every leg in transit at the current protocol version, encryption at rest with a key strategy chosen explicitly per customer, and a backup plan with a tested restore — see the managed Maximo hosting page for our operating model.
4. GDPR-specific obligations
Maximo holds personal data more often than people realise: technicians’ names and contact details, vendor contacts, sometimes customer-facing service request data, sometimes timesheet detail.
The GDPR-specific questions an auditor or DPO will ask:
- What is the lawful basis for processing each category of personal data held in the system?
- Can the system support a Data Subject Access Request (DSAR) within statutory timescales, including export and deletion? Does deletion respect the audit-trail obligation in the previous section?
- Is there a record of processing activity for each integration that exports personal data out of Maximo (HR system, payroll, identity provider, document management, vendor portals)?
- Where personal data is processed outside the EEA / UK, is there a lawful transfer mechanism in place — adequacy decision, Standard Contractual Clauses, equivalent?
- For breach notification, what is the runbook? Who declares a breach, who informs the regulator, what timeline?
A defensible position is: a documented data map of where personal data lives in Maximo and integrations, a tested DSAR runbook (export and pseudonymise/delete), retention policies enforced through automation, and a breach playbook with named owners.
5. ISO 55000 / 55001 alignment
ISO 55001 is the management-system standard for asset management. Maximo is most organisations’ system of record for clauses 7.5 (documented information), 9.1 (monitoring, measurement, analysis and evaluation) and 10 (improvement). It is not a certification of the platform; it is a certification of the organisation’s asset management system, of which Maximo is part.
What an ISO 55001 audit looks for in the Maximo estate:
- The asset register is complete, accurate, and the basis for the organisation’s strategic asset management plan (SAMP).
- Criticality assignment is methodologically defensible — see the broader piece on APM criticality scoring — and drives PM and inspection cadence in Maximo.
- Performance is measured against documented objectives, with the data coming from Maximo.
- Non-conformities are recorded, investigated and closed in Maximo, with evidence.
- There is a documented change-control process for the asset management system, with a record of changes.
For organisations going for first-time ISO 55001 certification, the gap is usually not Maximo functionality. It is data quality and process discipline. The Maximo health check guide is the right starting baseline.
6. Sector-specific frameworks
Sector overlays we run into most often:
- UK utilities (Ofgem, Ofwat, ORR for rail, CAA for airports): regulator-defined asset categories, regulatory periodic reports drawn directly from Maximo, asset-criticality definitions that have to align with the regulator’s published methodology.
- Oil and gas (HSE in the UK, OSHA-equivalent elsewhere, sector standards including ISO 14224 for failure data): integrity-management workflows, inspection regimes, deferral approval traceable in Maximo. We cover this on the oil and gas sector page.
- Public sector (G-Cloud, Cyber Essentials Plus, central government secure-by-design expectations): cleared personnel, UK data residency, defined separation between the customer’s environment and any shared platform.
Each of these has a Maximo-shaped checklist sitting under it, and each is a reason the security review is sector-specific, not generic.
7. Operational security and the OT boundary
For estates that have moved into MAS components (Monitor, Predict, IoT), the security envelope expands into OT. We treat this as its own conversation:
- Where does OT data leave the OT network? Is the boundary an explicit edge gateway, a DMZ, or an unwise direct connection?
- Who owns the boundary? OT, IT, or jointly?
- How is asset condition data classified on the IT side once it has crossed?
- What is the patching cadence on the edge gateway, and who patches it?
Our deeper view on this is in the insight OT cybersecurity is now an asset management problem.
8. Vulnerability and patch management
The hygiene questions:
- What MAS / Maximo version is in production, what is the gap to current, and what is the documented plan to close it?
- What is the OpenShift, OS and middleware patching cadence, and is it tested in non-production first?
- Is there a CVE-monitoring practice that flags vulnerabilities in dependencies the platform uses, and a defined SLA for remediating critical CVEs?
- Are penetration tests conducted on a scheduled basis, and the findings tracked through to closure?
This is the area an external auditor will go to first because it is the easiest to evidence and the most common source of findings.
What “compliant” actually looks like
A Maximo estate that passes a thorough security and compliance review tends to look like this:
- SSO + MFA, no local passwords, joiner-mover-leaver automated.
- Privileged access tightly scoped, named, time-bound, reviewed quarterly.
- Audit on every material object, retained for a defensible period, forwarded to a SIEM.
- Data resident in the chosen jurisdiction with documented encryption and key management.
- A documented data map, tested DSAR runbook, and breach playbook.
- ISO 55001-aligned data quality and process discipline backing the asset management work.
- An OT boundary that has been designed, documented and accepted by both OT and IT.
- A current patching cadence, with evidence.
- A regular external test, with findings tracked.
That is the bar. Most estates we audit meet it on three or four of those, partially on three or four more, and have one or two genuine gaps. The work is to close the gaps, not to write a longer policy document.
How we engage
We run security and compliance reviews as a fixed-scope engagement: read-only access to the platform, named SMEs available, a structured set of evidence requests, two weeks of analysis, a triaged findings register and a remediation plan. The output goes to the customer’s security and audit functions in the format they need.
If you would like that conversation, talk to us. If you are weighing this against a broader Maximo health check, the security review is usually a good standalone follow-on, particularly ahead of a regulator audit or a MAS upgrade.
Talk to the people who would actually deliver it
No pitch deck, no pressure. A direct conversation with one of our senior consultants.