Information Security Policy

Purpose

This document sets out the aims, objectives and overall structure of the Information Security Management System (ISMS), in accordance with ISO/IEC 27001:2022.

Objectives

Information Security aims to ensure business continuity and minimise disruption by preventing Information Security incidents and reducing the impact of those that do occur.

In particular, information assets are protected to ensure:

  • Confidentiality – protection against unauthorised disclosure;
  • Integrity – protection against unauthorised or accidental modification or destruction of assets;
  • Availability – ensuring information assets are accessible to authorised users when required to meet business objectives;
  • Resilience – ensuring ICT services are prepared for incidents and can recover rapidly when they occur (reflected in ISO/IEC 27001:2022 Annex A control 5.30, ICT readiness for business continuity).

Document Scope

This Policy applies to all business functions within the scope of the ISMS. It covers information, information systems, networks, the physical environment, hosting environments (including cloud-based and directly hosted services), as well as the Company’s products and services.

The Policy applies to all employees, contractors and third parties supporting these functions.

Responsibilities

  • Managing Director/CEO: Has overall responsibility for Information Security and ensures that sufficient resources are available to support the Information Security function.
  • Management: Responsible for ensuring that employees and contractors comply with this Policy.
  • Information Security Manager: Responsible for the operational management of the ISMS; maintaining and updating ISMS documentation; ensuring compliance with legal, regulatory and contractual obligations; promoting security awareness and training; managing incidents and investigations; and reporting ISMS performance to management.
  • Data Protection Officer: Responsible for the day-to-day management of data protection matters.
  • IT Staff: Responsible for technical security activities, including documentation, systems monitoring, technical incident investigation and liaison with external technical contacts; as well as the management of cryptographic controls, backups, malware protection and access management.
  • Employees and contractors: Responsible for protecting assets under their control, including locations, hardware, software, systems and information; complying with all security policies and procedures; and reporting any suspected security breaches or vulnerabilities.

Principles

This Information Security Policy defines how the Company addresses business risks in line with ISO/IEC 27001:2022. It establishes the requirements for implementing appropriate security controls to manage risks associated with the Company’s activities.

The implementation and ongoing management of this system are fundamental to all work carried out by the Company. The procedures established are adopted and followed by employees at every level of the organisation.

The Company has adopted a process-based approach to develop, implement and continually improve the effectiveness of its ISMS. In doing so, the Company commits to:

  • Understanding business, legal, regulatory and contractual Information Security requirements.
  • Implementing and operating security controls aligned with ISO/IEC 27001:2022 Annex A (Organisational, People, Physical, Technological).
  • Applying a risk-based approach to identify, assess and treat risks.
  • Integrating threat intelligence, data leakage prevention and cloud security into operational activities.
  • Monitoring and reviewing the performance and effectiveness of the ISMS.
  • Pursuing continual improvement based on objective measurement and evaluation.
  • Communicating the importance of complying with statutory and regulatory requirements relevant to the Company’s activities.
  • Ensuring that sufficient resources are allocated to operate, monitor and maintain the ISMS.

Information Security

Information Security considerations are integrated into all daily activities, processes, plans, projects, contracts and partnerships undertaken by the Company.

Employees are required to be aware of and comply with Information Security procedures set out in relevant Policies and guidance documents. Compliance requirements are also included within Contracts of Employment.

Copies of all Information Security Policies are available to all employees.

Any breach of Information Security Policies or procedures may result in disciplinary action, including dismissal.

Employees receive training and guidance on both general and role-specific Information Security requirements. Contracts of Employment also include confidentiality provisions relating to Company business.

The Company maintains a Business Continuity Plan. This plan is regularly tested, reviewed and updated.

Statutory and regulatory requirements are monitored and complied with, including any relevant updates or changes.

Additional Policies and Directives — including those relating to access control, acceptable use of email and the Internet, malware protection, backups, password management and systems monitoring — are implemented, maintained and regularly reviewed.

This Information Security Policy is reviewed at least annually and updated where necessary to ensure ongoing relevance, legal compliance and continual improvement of the ISMS.

The ISMS and associated Information Security activities are subject to continuous improvement through internal and external audits and ongoing risk assessments.

Non-disclosure and confidentiality agreements are established with third-party organisations where appropriate.

Review and Continuous Improvement

This Policy and the ISMS are reviewed at least annually, or whenever significant changes occur to the business, risk landscape or regulatory requirements. Improvements are informed by risk assessments, incident analysis and performance monitoring.

Internal and external audits are conducted to ensure the effectiveness of the ISMS and continued compliance with ISO/IEC 27001:2022.
