
ISO 27001 / 42001 Aspects Policies

This document should be read in conjunction with the IMS 27001 / 42001 Aspects Directives.

Last Modified: 25/07/2025
Modifier: Deanna Sharma
Version: 1.0

ISMS Aspects Policies

Purpose

The information created, processed and used by the Company, as well as information entrusted to us by our customers, is among our most valuable assets. Given the nature of our business, all necessary steps are taken to protect these assets. A compromise of these Information Assets could severely impact our customers, constitute a breach of laws and regulations and negatively affect the reputation of the Company.

This document defines our high-level Information Security Policies, aligned to ISO/IEC 27001:2022 (the International Standard for Information Security Management) and other relevant Standards. These Information Security Policies have been benchmarked against the Standard as well as industry best practice to ensure that they are comprehensive and appropriate. They take a risk-based approach to ensure that the business has the maximum flexibility to innovate within a safe framework of controls.

Risk-based Approach

These policies all take a risk-based approach. The principles behind this approach are:

  • A baseline set of controls is defined which are applied to all Information Assets
  • More sensitive assets (e.g. commercially or contractually sensitive information) require more rigorous controls
  • The most sensitive, High Risk assets (e.g. sensitive personal data, financial data) are protected by the most rigorous controls.

Exceptions

These policies apply to all information handling, whether on IT systems or on paper. However, it is recognised that some of the controls identified may be aspirational to an extent and full implementation will be achieved on a planned basis.

Any exceptions to these Policies or associated Directives must follow the Security Exception Process, which records non-applicable controls as such in the Statement of Applicability (SoA); every exception must be reviewed and re-authorised at least annually.

Acceptable Use Aspects Policy

The use of the Internet/intranet and email, as well as all stored data, may be subject to monitoring without notice for security and/or network management reasons and to ensure compliance with the Company's policies.

Hard disks and other storage media are subject to audit without notice in order to ensure compliance with the Company's policies and all relevant statutory, regulatory and similar requirements.

The distribution of any information through the Internet, computer-based services, email and messaging systems is subject to the scrutiny of the Company. The Company reserves the right to determine the suitability of this information.

By entering into their contracts of employment, employees expressly acknowledge that any personal information that they reveal by using the Company's systems may be subject to the above scrutiny. Personal information is protected by the Company's obligations and duties under the Data Protection Act 2018.

The Company provides IT facilities for business purposes, and it is the responsibility of employees to make sure that use of the Company's email or Internet access is consistent with the Company's standards of business and personal conduct. Employees must ensure that they never use these facilities in a manner that could compromise the Company.

Access Control Aspects Policy

The objective of this Policy is to protect the confidentiality, integrity and availability of the Company's information by controlling access to its IT and paper-based systems. The Data Protection Policy should be considered as integral to this Policy.

Systems, networks and applications implement logical access controls (such as User credentials, multi-factor authentication etc.), to ensure that information is only available to authorised individuals. The controls selected must be appropriate to the sensitivity of the information being accessed.

All Users, including administrators, of the Information System must be uniquely identifiable. Generic/shared accounts must be treated as an exception and implemented with additional controls.

Formal User access control procedures must be documented, implemented and kept up to date for all applications and information systems. These procedures must cover all stages of the information life-cycle from creation to decommissioning.

Procedures must be in place to ensure that all access rights of any person working for or on behalf of the Company are removed upon termination of the employment, contract or agreement on their last day of work.

Access to resources, including elevated privileges such as 'root', must be granted on the basis of least privilege and need to know, where only the minimum amount of access is assigned to meet the business objectives.

AI Design & Development Aspects Policy

This policy provides a simplified overview of how we ensure our AI systems are designed, developed and operated responsibly, ethically and securely. It applies to all staff and stakeholders involved with AI technologies within the Organisation.

The policy covers all phases of AI systems, from initial design through to deployment and ongoing use. It focuses on ensuring AI technologies are secure, fair and transparent for the benefit of Users and society.

We prioritise ethical considerations when designing AI systems and regularly assess the potential impacts of AI to prevent biases or harmful outcomes.

AI systems are developed with security in mind, ensuring that AI systems are protected from cyber threats and vulnerabilities and that data used by these systems is handled responsibly to protect privacy.

Every stage of AI development is carefully documented to ensure clarity on how decisions are made.

Once deployed, all AI systems are regularly reviewed and monitored to ensure they perform correctly and remain fair and reliable. If any issues are found, they are promptly addressed to maintain high standards.

The accuracy and quality of data used in AI systems are crucial. The Company ensures that the data used is of high quality, diverse and free from bias, so that the AI systems produce fair and accurate results.

When we work with external partners for AI development, they must follow the same ethical and security standards outlined in this policy. This ensures consistency and protects the integrity of our AI systems.

Asset Management & Disposal Aspects Policy

Every Information Asset (any data, device, or other components of the environment that supports information-related activities) must have an owner.

An inventory of important Information Assets (based on value to the business) must be drawn up and maintained.

Information Assets are categorised using a risk-based approach, and the related controls are defined and implemented as required, according to the importance of each asset to the business.

Backup & Recovery Aspects Policy

To ensure business continuity in the event of information on the Company's systems being destroyed or corrupted, it is vital that the data is backed up regularly and reliably.

Backup procedures must be created for Information Assets, with a schedule designed to meet the recovery time objective (the minimum recovery time) and recovery point objective (the maximum tolerable data loss) required by the business.

Primary and backup copies of information must be stored in physically or logically separate locations. This applies to cloud-hosted environments and on-premises network storage, as appropriate.

The Company must verify its recovery capability through regular restoration testing of backup information.

Review of the defined backup strategy is carried out at least annually by the Company Owner and the responsible IT personnel.

The Company is not responsible for the backup of Users' personal (non-business) information.

Business Continuity Aspects Policy

The Company must formally establish a Business Continuity Plan (BCP) that appropriately protects Company Information Assets during a business interruption and enables operational recovery within a timeframe accepted by the business.

The Company analyses potential business impacts and develops an appropriate business continuity strategy to prepare for business disruption.

This BCP must be reviewed and approved at least annually.

An exercising and testing plan must be established and implemented ensuring that the BCP is tested on a planned basis and when there are significant incidents, major changes to the plan and at periodic intervals.

Cloud Computing Aspects Policy

The objective of this Policy is to ensure that cloud services are used without exposing the Company to the risks associated with this type of operation. Use of cloud computing services for work purposes must be formally authorised by Senior Management.

The use of cloud services must comply with all laws and regulations governing the handling of personally identifiable information, corporate financial data or any other data owned or collected by the Company.

Cloud services that are engaged must implement a level of security equivalent to the Company's internal controls, in line with Company Policies and Directives, and are subject to formal agreement and ongoing monitoring.

Personal cloud services accounts may not be used for the storage, manipulation or exchange of Company-related communications or Company-owned data.

Cryptography Aspects Policy

This Policy defines the Company's aims for protecting the confidentiality, integrity and availability of information by applying an appropriate level of cryptographic control. Where required as a result of risk assessment, appropriate use will be made of cryptographic techniques to protect sensitive information in transmission and at rest, and in particular for the exchange of credentials over public networks.

The Company uses only recognised strong implementations of cryptographic methods based on industry-tested and accepted algorithms, along with strong key lengths and effective key management practices.

Keys (cryptographic, secret and private) will be protected against modification, loss and unauthorised disclosure.

Cryptographic security implemented on Company information systems must comply with local and international legislation.

Data Protection Aspects Policy

Senior Management of the Company is strongly committed to the rights of individuals whose data they collect and process and will comply with UK laws related to personal information in line with the UK General Data Protection Regulation (GDPR) and the Data Protection Act (2018).

Senior Management of the Company ensures that it meets its requirements under the DPA (2018) and UK GDPR for the management of personal information, that the objectives and obligations under the law are met, and that controls are in place that reflect the level of risk the Company is willing to accept. In addition, steps are taken to ensure that the Company is able to meet all applicable regulatory, statutory and contractual obligations, including the protection of the interests of individuals and other stakeholders.

Monitoring technologies may be implemented to detect and assist in the prevention of unauthorised activities. The technologies implemented must be relevant, used appropriately, and be limited to the minimum necessary to meet the above objectives in alignment with relevant regulations.

Human Resources Aspects Policy

The employee life-cycle (prior to, during and at termination or change of employment) must be managed without exposing the Company to unacceptable risk.

When commencing employment with the company, employees and contractors must be made aware of Information Security rules and their responsibilities.

All employees and contractors must sign an agreement/NDA when commencing employment.

All individuals with an administrator role must sign an agreement/NDA defining their rights and obligations when administering computer-related technologies.

All employees are required to comply with Information Security Policies and related Directives. Failure to comply may result in disciplinary action.

Privacy and protection of personally identifiable information must be safeguarded as required by relevant legislation and regulation.

Information Classification Aspects Policy

All Company information must be assigned a classification level depending on its level of sensitivity as identified by a risk assessment.

All information must be labelled with the appropriate classification level. A default classification level must be defined that is applied in the absence of any explicit labelling.

Sensitive information, or any information classified as 'Internal' and above, must be securely removed prior to the disposal or re-use of equipment or removable media.

Malware & Vulnerability Aspects Policy

All Users and equipment must be protected from malicious code where technically feasible.

Secure Web Gateway technologies must be implemented to protect Users from web-based malware and to prevent access to inappropriate content when browsing the Internet.

Email filtering must be implemented to protect Users from email-based malware and phishing attacks.

Anti-virus technologies must be implemented on all Company servers, desktops, laptops and Company-owned phones.

Network Security & Network Systems Monitoring Aspects Policy

Network Security

Network equipment and infrastructure (wired and wireless) must implement physical and logical controls to ensure that individuals and systems can only access resources for which they are authorised.

The network must be segmented into zones based on the level of risk. Traffic that flows from a higher risk zone to a lower risk zone or from any zone to the Internet, must be limited to the minimum necessary to support business requirements. These flows must be subject to a risk analysis and authorisation process such as change control prior to implementation.

Where feasible, cryptographic controls must be implemented to protect Company information when traversing public networks.

Connections to third parties (such as VPNs and direct lines etc.) must be subject to a risk analysis and authorisation process prior to implementation.

Network Systems Monitoring

Solutions and procedures will be established to monitor all critical systems to ensure efficient operation of the Production and Operations environments.

Appropriate logging mechanisms will be established to enable the detection of unauthorised access or operational issues.

All unusual activity must be examined and addressed in a timely manner appropriate to the business risk.

The Company has implemented Data Leakage Prevention (DLP) infrastructure across network, endpoint and cloud environments, together with monitoring and vulnerability identification systems.

Physical Security Aspects Policy

Building perimeters must be established with appropriate measures to protect Company assets from unauthorised access and Environmental Impact.

Access to facilities by guests and visitors must be managed and logged.

Access to sensitive/restricted areas must be limited to specific individuals for business purposes only. The list of individuals granted access must be reviewed regularly.

All Company equipment and supporting utilities (such as UPS, air conditioning, and power/data cabling) are monitored and must have suitable safeguards implemented to protect them from unauthorised access, whether in a Company facility or elsewhere, and to minimise Environmental Impact. These safeguards must be commensurate with the sensitivity of the information involved.

The Company adopts Clear Desk/Clear Screen procedures for all staff as defined within the Physical Security Aspects Directive and Acceptable Use Aspects Directive.

The CCTV Policy, as defined within the Physical Security Aspects Directive, sets out the aims and objectives that must be followed to comply with the Data Protection Act and EU GDPR regulations regarding the use of CCTV (closed-circuit television) surveillance systems.

Remote Working (Teleworking) Aspects Policy

All individuals (employees, contractors, vendors and clients) connecting from outside of the Company network perimeter must be uniquely authenticated and authorised.

All systems that establish VPNs (or any other similar technology) that result in a direct connection to internal Company networks must use multi-factor authentication.

Equipment supplied/used for Remote Working, including laptops, must respect Company Policies as if supplied/used inside a Company office. Personal equipment used for business use (BYOD) must follow the same procedures and achieve the same level of protection as Company equipment. Company information must not be transferred to personal equipment.

Company business information, e.g. email attachments, must not be saved to a personal device.

Secure IT Systems & Development Aspects Policy

All systems (Laptops, Desktops and Servers) must be built to standards that implement all appropriate security controls for the type of device.

All changes to Local, Sandbox, QA/UAT and Production environments must be subject to a Change Control Process.

Technologies and applications must be developed in accordance with a secure development methodology that includes a security risk assessment and requirements to protect the confidentiality, integrity and availability of information.

All technologies must implement appropriate controls, be regularly tested for vulnerabilities (using appropriate data masking techniques where production-like data is required) and be fully documented.

Internet-facing technologies must implement additional controls, be regularly tested for vulnerabilities and be fully documented.

Source code must be protected from unauthorised access or modification with appropriate measures determined by the sensitivity of the technology.

Local, Sandbox, QA/UAT and Production environments must be adequately separated.

Security Incident Management Aspects Policy

The aim of the Security Incident Management Aspects Policy is to protect the Company's information by ensuring that:

  • Security incidents are reported and resolved in the minimum amount of time
  • Potential security incidents are prevented from happening
  • The Company's security is continually improved by the application of corrective action.

Individuals must report any observed or suspected information security breaches or weaknesses in systems or services.

Incidents must be reported to the Directors and appropriate operational teams.

Incidents must be investigated and actions taken in a timely manner dependent on the severity, following the Security Incident Management Aspects Directive.

Incidents involving regulated information must be reported to the appropriate authorities.

External information owners must be informed of any incidents relating to their information in alignment with contractual or legal obligations.

Social Networking Aspects Policy

The Policy has been developed to ensure that the use of social media is appropriate and does not negatively impact the Company's reputation or that of its customers.

Social networking applications include, but are not limited to:

  • Blogs
  • Online discussion forums
  • Media sharing services
  • Networking sites.

Employees must remember that information they publish via social networking applications is subject to copyright and Data Protection/GDPR legislation regardless of privacy settings.

Employees must also operate in accordance with the Company's Equal Opportunities Policy when publishing any information online.

Supplier Relationship Aspects Policy

Suppliers and subcontractors must formally agree (either contractually or by the use of Confidentiality/Non-disclosure Agreements) to respect policies and directives that protect Company Information Systems.

Suppliers and subcontractors handling Company information must adhere to at least the equivalent level of information protection as applied by the Company.

Information exchanged between the Company and suppliers must be secured in a manner commensurate with the classification of the information being exchanged.

A risk assessment of an external service, including Cloud-based services, must be conducted prior to contracting. The acceptance of associated risks and authorisation must be formally documented.

Threat Intelligence Aspects Policy

The Company collates information relating to information security threats and analyses it to produce threat intelligence. This helps prevent threats from causing harm to the Company and reduces the impact of those that do materialise.

Threat intelligence is categorised, and appropriate measures to manage the identified threats are implemented and documented as detailed in the Threat Intelligence Aspects Directive.

Threat intelligence is shared both internally and externally where required to improve overall threat intelligence effectiveness.