Information Security Policy

Purpose

This document’s purpose is to describe the aims, objectives and overall structure of the Information Security Management System (ISMS), in compliance with ISO/IEC 27001:2022.

Objectives

Information Security aims to ensure business continuity and minimise business disruption by preventing and mitigating the impact of Information Security incidents.

In particular, information assets are protected to ensure:

  • Confidentiality – protection against unauthorised disclosure or loss;
  • Integrity – protection of assets against unauthorised or accidental modification;
  • Availability – of information assets to authorised users as required to achieve objectives;
  • Resilience – ensuring ICT services are prepared and can recover quickly from incidents (ISO 27001:2022 emphasis).

Document Scope

This Policy applies to all business functions within the scope of the ISMS and covers the information, information systems, networks, physical environment (including cloud-based and directly hosted services) and products and services.

The Policy applies to all employees, contractors and third parties supporting these functions.

Responsibilities

  • Managing Director/CEO: Overall responsibility for Information Security. Responsible for ensuring that appropriate levels of resources are made available to support the Information Security function.
  • Management: Ensure their employees and contractors comply with this Policy.
  • Information Security Manager: Operational responsibility for the ISMS; maintains and updates ISMS documentation; ensures compliance with legal, regulatory and contractual obligations; promotes awareness and training; manages incidents and leads investigations; reports on ISMS performance to management.
  • Data Protection Officer: Day-to-day responsibility for data protection.
  • IT Staff: Responsible for technical matters, including technical documentation, systems monitoring, technical incident investigation and liaison with technical contacts at external organisations; manage cryptographic controls, backups, malware protection and access management.
  • Employees and contractors: Responsible for safeguarding the assets in their care, including locations, hardware, software, systems and information; comply with all security policies and procedures; and report any suspected security breach or vulnerability.

Principles

The Information Security Policy is how the Company meets the ISO/IEC 27001:2022 requirements relating to its business risks. It specifies the requirements for implementing appropriate security controls to meet identified risks relating to the activities of the Company.

The implementation and continuing control of this system are fundamental to all work undertaken by the Company. The procedures established are adopted and practised by all employees at every level.

The Company has adopted the process approach for developing, implementing and improving the effectiveness of its ISMS. The Company, whilst adopting the process approach, is committed to:

  • Understanding business, legal, regulatory and contractual requirements for Information Security.
  • Implementing and operating security controls aligned with ISO/IEC 27001:2022 Annex A (Organizational, People, Physical, Technological).
  • Applying a risk-based approach to identifying, assessing and treating risks.
  • Ensuring threat intelligence, data leakage prevention and cloud services security are integrated into operations.
  • Monitoring and reviewing the performance and effectiveness of the ISMS.
  • Continually improving the ISMS based on objective measures.
  • Communicating throughout the Company the importance of meeting all statutory and regulatory requirements relevant to its business activities.
  • Ensuring adequate resources are determined and provided to monitor and maintain the ISMS.

Information Security

Information Security aspects are considered in all daily activities, processes, plans, projects, contracts and partnerships entered into by the Company.

Awareness of, and compliance with, the Information Security procedures set out in the various Policies and guideline documents is a requirement for all employees, and a clause to this effect is included in the Contracts of Employment.

Copies of all Information Security Policies are made available to all employees.

Employees’ breach of the Information Security Policies and procedures may result in disciplinary action, including dismissal.

Employees are advised and trained on general and specific aspects of Information Security according to the requirements of their function within the Company. The Contract of Employment includes a condition covering confidentiality regarding Company business.

A Business Continuity Plan is in place. This plan is maintained, tested and subjected to regular review.

Statutory and regulatory requirements are met and monitored for ongoing changes.

Further Policies and Directives, such as those for access, acceptable use of email and the Internet, malware protection, backups, passwords, systems monitoring, etc., are in place, maintained, and regularly reviewed.

This Information Security Policy is reviewed at least annually and may be amended to ensure its continuing viability, applicability and legal compliance and to achieve continual improvement in the ISMS.

The ISMS and Information Security operations are subject to continuous improvement through internal and external audits and risk assessments.

Non-disclosure/Confidentiality Agreements are entered into as appropriate with third-party companies.

Review and Continuous Improvement

This Policy and the ISMS are reviewed at least annually or following significant changes to the business, its risks or regulatory requirements. Improvements are based on risk assessment, incident analysis and performance monitoring.

Internal and external audits are conducted to ensure effectiveness and ongoing compliance with ISO/IEC 27001:2022.