Last Modified: 07/11/2023
Modifier:
Version: 1.0
Document URL: ISO 27001:2022 – Information Security Policy

INFORMATION SECURITY POLICY
Introduction
The Organisation’s Information Security Policy applies to all business functions within the scope of
the Information Security Management System and covers the information, information systems,
networks, physical environment and people supporting these business functions. This document
states the Information Security objectives and summarises the main points of the Information
Security Policy.

Objective
The objective of Information Security is to ensure business continuity and minimise business
damage by preventing and minimising the impact of security incidents. In particular, information
assets must be protected in order to ensure:
1. Confidentiality, i.e. protection against unauthorised disclosure
2. Integrity, i.e. protection against unauthorised or accidental modification
3. Availability as and when required in pursuance of the Organisation’s business objectives.

Responsibilities
- The ISMS Manager has approved the Information Security Policy.
- Overall responsibility for Information Security rests with the ISMS Manager.
- Day-to-day responsibility for procedural matters, legal compliance, maintenance and updating of documentation, promotion of security awareness, liaison with external organisations, incident investigation and management reporting etc., rests with the ISMS Manager.
- Day-to-day responsibility for data protection rests with the Data Protection Officer (DPO).
- Day-to-day responsibility for technical matters, including technical documentation, systems monitoring, technical incident investigation and liaison with technical contacts at external organisations, rests with the ISMS Manager.
- All employees or agents acting on the Organisation’s behalf have a duty to safeguard the assets in their care, including locations, hardware, software, systems and information, and to report any suspected security breach without delay directly to the ISMS representative. Employees attending sites that are not occupied by the Organisation must protect the Organisation’s data and their access to its systems by taking particular care of laptops and similar computers, and of any information on paper or other media in their possession.
- The ISMS Manager is responsible for drafting, maintaining and implementing this Security Policy and related documents.
- As with other considerations, including Quality and Health & Safety, Information Security aspects are considered in all daily activities, processes, plans, projects, contracts and partnerships entered into by the Organisation.
- The Organisation’s employees are advised and trained on general and specific aspects of Information Security according to the requirements of their function within the Organisation. The Contract of Employment includes a condition covering confidentiality regarding the Organisation’s business.
- Adherence to Information Security procedures as set out in the Organisation’s various policies and guideline documents is the contractual duty of all employees, and a clause to this effect is set out in the Organisation’s Contracts of Employment.
- Copies of this Management System, including the Risk Assessment (Statement of Applicability), are made available to all of the Organisation’s employees.
- Breach of the Information Security policies and procedures by the Organisation’s employees may result in disciplinary action, including dismissal.
- In view of the Organisation’s position as a trusted provider of managed IT services, including consultancy, hardware purchasing and installations, particular care is taken in all procedures and by all employees to safeguard the Information Security of its service users and/or clients.
- Agreements of Mutual Non-disclosure/Confidentiality are entered into as appropriate with third-party companies.
- All statutory and regulatory requirements are met and regularly monitored for changes.
- A Disaster Recovery/Business Continuity Plan is in place. This is maintained, tested and regularly reviewed by the ISMS Manager.
- Further policies and procedures, such as those for access, acceptable use of email and the Internet, virus protection, backups, passwords, systems monitoring etc., are in place, maintained and regularly reviewed by the ISMS Manager or an appointed representative, as appropriate.
- This Information Security Policy is regularly reviewed and may be amended by the ISMS Manager to ensure its continuing viability, applicability and legal compliance and to achieve continual improvement in the Information Security Systems.