Information Security Policy

1 Document Contents Page

1 Document Version Control
2 Document Contents Page
3 Information Security Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Managing Director's Statement of Commitment
3.5 Introduction
3.6 Information Security Objectives
3.7 Information Security Defined
3.8 Information Security Policy Framework
3.9 Information Security Roles and Responsibilities
3.10 Monitoring
3.11 Legal and Regulatory Obligations
3.12 Training and Awareness
3.13 Continual Improvement of the Management System
4 Policy Compliance
4.1 Compliance Measurement
4.2 Exceptions
4.3 Non-Compliance
4.4 Continual Improvement
5 Areas of the ISO27001 Standard Addressed

2 Information Security Policy

2.1 Purpose

The purpose of this policy is to set out the information security policies that apply to the organisation to protect the confidentiality, integrity, and availability of data.

2.2 Scope

All employees and third-party users.

2.3 Principle

Information security is managed based on risk, legal and regulatory requirements, and business need.

2.4 Managing Director's Statement of Commitment

As a company, information processing is fundamental to our success, and the protection and security of that information is a board-level priority. Whether it is employee information or customer information, we take our obligations under the GDPR and the Data Protection Act 2018 seriously. We have provided the resources to develop, implement and continually improve the information security management appropriate to our business.

Senior management is committed to:

  • Ensuring the confidentiality, integrity and availability of organisation information, including all personal data as defined by the GDPR, based on good risk management, legal, regulatory and contractual obligations, and business need.
  • Providing the resources required to develop, implement, and continually improve the information security management system.
  • Effectively managing third-party suppliers who process, store, or transmit information, to reduce and manage information security risks.
  • Implementing a culture of information security and data protection through effective training and awareness.

Senior management will:

  • Take accountability for the effectiveness and continual improvement of the
  • Ensure that the resources needed for the ISMS are available, including training, support and encouragement.

Our ISMS Policy will be communicated to all employees and organisations working for us or on our behalf. Employees and other organisations are expected to co-operate and assist in the implementation of this policy, whilst ensuring that their own work, so far as is reasonably practicable, is carried out without risk to themselves, others, or the environment.

This policy will be reviewed periodically by senior management and revised so that it remains appropriate to the scale and nature of the business.

Simon Young

Managing Director

April 2024

2.5 Introduction

Information security protects the information that is entrusted to us. Getting information security wrong can have significant adverse impacts on our employees, our customers, our reputation, and our finances. By having an effective information security management system, we can:

  • Provide assurance for our legal, regulatory, and contractual obligations.
  • Ensure the right people have the right access to the right data at the right time.
  • Provide protection of personal data as defined by the GDPR.
  • Be good data citizens and custodians.

2.6 Information Security Objectives

  • To ensure the confidentiality, integrity and availability of organisation information, including all personal data as defined by the GDPR, based on good risk management, legal, regulatory and contractual obligations, and business need.
  • To provide the resources required to develop, implement, and continually improve the information security management system.
  • To effectively manage third-party suppliers who process, store, or transmit information, to reduce and manage information security risks.
  • To implement a culture of information security and data protection through effective training and awareness.

2.7 Information Security Defined

Information security is defined as preserving:

  • Confidentiality: access to information is limited to those with appropriate authority (the right people with the right access).
  • Integrity: information is complete and accurate (the right data).
  • Availability: information is available when it is needed (at the right time).

2.8 Information Security Policy Framework

The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:

  • ISMS01A Information Security Policy (this policy)
  • ISMS02 Data Protection Policy
  • ISEQ03 Risk Management Policy
  • ISEQ04 Business Continuity Policy
  • ISEQ05 Change Management Policy
  • ISEQ06 Continual Improvement Policy
  • ISMS06 Data Retention Policy
  • ISMS07 Access Control Policy
  • ISMS08 Asset Management Policy
  • ISMS09 Information Classification and Handling Policy
  • ISMS11 Acceptable Use Policy
  • ISMS12 Protection Against Malware Policy
  • ISMS14 Network Security Management Policy
  • ISMS17 Physical and Environmental Security Policy
  • ISMS18 Significant Incident Policy and Collection of Evidence
  • ISMS19 Cryptographic Control and Encryption Policy
  • ISMS22 Patch Management Policy
  • ISMS23 Intellectual Property Rights Policy
  • HR020J Email & Internet Usage Policy
  • HR020K Social Media Policy
  • HR020L Mobile Phone Policy
  • HR020HJ Clear Desk & Screen Policy

2.9 Information Security Roles and Responsibilities

Information security is everyone's responsibility: all staff must understand and adhere to the policies, follow process, and report suspected or actual breaches. Specific roles and responsibilities for the running of the information security management system are defined and recorded in the document Information Security Roles and Responsibilities.

2.10 Monitoring

Compliance with the policies and procedures of the information security management system is monitored via the Management Review Team, together with periodic independent reviews by both Internal and External Audit.

2.11 Legal and Regulatory Obligations

The organisation takes its legal and regulatory obligations seriously, and these requirements are recorded in the document Legal and Contractual Requirements Register.

2.12 Training and Awareness

Policies are made readily and easily available to all employees and third-party users, either in hard copy or via upload to the employee Sage app, and are also available on our server datafile. Hard copies can be requested through line management or our ISO department.

2.13 Continual Improvement of the Management System

The information security management system is continually improved. The Continual Improvement Policy sets out the company's approach to continual improvement, and a continual improvement process is in place.

3 Policy Compliance

3.1 Compliance Measurement

The information security management team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

3.2 Exceptions

Any exception to the policy must be approved and recorded by the Information Security Manager in advance and reported to the Management Review Team.

3.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

3.4 Continual Improvement

The policy is updated and reviewed as part of the continual improvement process.

4 Areas of the ISO27001 Standard Addressed

Information Security Policy Mapped to ISO27001

ISO27001:2022

  • Clause 5 Leadership
  • Clause 5.1 Leadership and commitment
  • Clause 5.2 Policy
  • Clause 6.2 Information security objectives and planning to achieve them
  • Clause 7.3 Awareness

ISO27002:2022

  • Clause 5 Organisational Controls
  • Clause 5.1 Policies for information security
  • Clause 5.36 Compliance with policies, rules, and standards for information security
  • Clause 5.4 Management Responsibilities
  • Clause 6 People Controls
  • Clause 6.3 Information security awareness, education, and training
  • Clause 6.4 Disciplinary process