Information Security Policy
Version: 3
Last update: 2023-02-07
Document classification: Public
Purpose
The purpose of this document is to provide a description of the aims, objectives, and overall structure of the Information Security Management System (ISMS).
Introduction
Information Security can be defined as the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.
Directors, employees, contractors, and any other workers employed and/or engaged by us are referred to our Data Protection Policy and Data Breach Policy for further information. These policies are also designed to protect personal data and can be accessed by making a request to our Data Protection Officer and/or Managing Director.
For the avoidance of doubt, the term ‘mobile devices’ used in this policy refers to any removable media or mobile device that can store data. This includes, but is not limited to, laptops, tablets, digital cameras, memory sticks and smartphones.
Objectives
The objective of Information Security is to ensure business continuity and minimise business disruption by preventing and mitigating the impact of Information Security incidents.
Information assets are protected to ensure:
- Confidentiality – protection against unauthorised disclosure, including disclosure arising from the loss or theft of media or devices.
- Integrity – protection of assets against unauthorised or accidental modification.
- Availability – information assets are accessible to authorised users when required to achieve business objectives.
Scope
This Policy applies to all business functions within the scope of the ISMS and covers the information, information systems, networks, physical environment (including cloud-based and directly hosted services), and products and services. The Policy also applies to paper records and to information transmitted orally.
The Policy applies to all employees, contractors, and third parties supporting these business functions.
Responsibilities
| Role | Description |
|---|---|
| Managing Director | Overall responsibility for Information Security. Responsible for ensuring that the appropriate levels of resources are made available to support the Information Security function. |
| Management | Ensure their employees and contractors comply with this policy. |
| Information Security Manager | Operational responsibility for procedural matters, legal compliance, maintenance and updating of documentation, promotion of security awareness, liaison with external organisations, incident investigation and management reporting. |
| Data Protection Officer | Day-to-day responsibility for data protection. |
| IT Staff | Responsibility for technical matters, including technical documentation, systems monitoring, technical incident investigation and liaison with technical contacts at external organisations. |
| Employees and Contractors | Responsibility for safeguarding the assets in their care, including locations, hardware, software, systems and information, and for reporting any suspected breach of security. |
Principles
The Information Security Policy is how the Company meets the requirements of ISO/IEC 27001:2013 relating to its business risks. It specifies the requirements for the implementation of appropriate security controls to meet identified risks relating to the activities of the Company.
The implementation and continuing control of this system are fundamental to all work undertaken by the Company. The procedures established are adopted and practised by all employees at every level.
The Company has adopted the process approach for developing, implementing, and improving the effectiveness of its ISMS.
The Company, in adopting the process approach is committed to:
- Understanding the business's Information Security requirements and the need to establish policies and objectives for Information Security.
- Implementing and operating controls in the context of managing the Company’s overall business risk.
- Monitoring and reviewing the performance and effectiveness of the ISMS.
- Continual improvement based on objective measures.
- Communicating throughout the Company the importance of meeting all relevant statutory and regulatory requirements specifically related to its business activities.
- Ensuring that adequate resources are determined and provided to monitor and maintain the ISMS.
Information Security
Information Security aspects are considered in all daily activities, processes, plans, projects, contracts, and partnerships agreed by the Company.
Awareness of, and compliance with, the Information Security procedures set out in the various policy and guideline documents are a requirement for employees, and a clause to this effect is included in the Contracts of Employment.
Copies of all Information Security Policies are made available to all employees.
Breach of the Information Security Policies and procedures by employees may result in disciplinary action, including dismissal.
Employees are advised and trained on general and specific aspects of Information Security, according to the requirements of their function within the Company. The Contract of Employment includes a condition covering confidentiality regarding Company business.
A Business Continuity Plan is in place. This is maintained, tested, and subjected to regular review.
Statutory and regulatory requirements are met and monitored for ongoing changes.
Further policies and directives, such as those for access control, acceptable use of email and the Internet, malware protection, backups, passwords and systems monitoring, are in place, maintained and regularly reviewed.
This Information Security Policy is reviewed at least annually and may be amended to ensure its continuing viability, applicability and legal compliance, and to achieve continual improvement of the ISMS.
The ISMS and Information Security operations are subject to continual improvement through a programme of internal and external audits and risk assessments.
Non-disclosure/Confidentiality Agreements are entered into as appropriate with third-party companies.