Information Security Management Policy for the Company

Purpose

The purpose of Information Security Management is to protect information assets from all threats, whether internal or external, deliberate or accidental. Implementing this policy is essential to maintaining our integrity as a supplier of products and services to internal and external customers.

It is the policy of The Company to ensure:

  • Information will be protected against unauthorised access.
  • Confidentiality of information will be maintained.
  • Information will not be disclosed to unauthorised persons through deliberate or careless action.
  • Integrity of information will be maintained through protection from unauthorised modification.
  • Information will be available to authorised users when needed.
  • Regulatory and legislative requirements will be met.
  • Business continuity plans will be produced, maintained and tested as far as practicable.
  • Information security training will be available to all staff.
  • All suspected breaches of information security will be reported and investigated.

Applicability

All personnel in The Company are responsible for implementing this policy and shall have the support of the Executive Management, which has approved the policy.

Objectives

  • Protection of Customer information.
  • Protection of information assets belonging to The Company.
  • To provide confidence to trading partners where information needs to be shared.

Goals

To identify, through appropriate risk assessment, the value of information assets and to understand their vulnerabilities and the threats that may expose them to risk.

To manage the risks to an acceptable level through the design, implementation and maintenance of a formal Information Security Management System.

To comply with legislation including:

  • Companies Act 1985
  • Data Protection Act 1998
  • Computer Misuse Act 1990
  • Copyright, Designs and Patents Act 1988
  • Regulation of Investigatory Powers Act 2000

To comply with contract conditions.

To comply with The Company corporate directives.

Commitment to compliance with BS 7799:1999, since superseded by ISO/IEC 27001 (the management system requirements, formerly BS 7799-2) and ISO/IEC 17799 (the code of practice, formerly BS 7799-1 and renumbered ISO/IEC 27002 in 2007).

Commitment to achieve and maintain certification to BS 7799-2, now ISO/IEC 27001. Certification is assessed against ISO/IEC 27001 only; ISO/IEC 17799 (27002) is a code of practice that supports the controls but is not itself a certifiable standard.

Specific Policies

Specific policies exist to support this document, including:

  • Physical security.
  • Access control to systems and data.
  • Security education and training.
  • Internet and Email.
  • Employee code of conduct.
  • Data backup.
  • Use of portable equipment.
  • Storage and disposal of confidential data.
  • Virus prevention and detection.
  • Business continuity planning.
  • Critical Suppliers.
  • Trading partners.
  • Contractors.

Responsibilities

The Executive Management creates and reviews this policy.

The Information Security Manager facilitates the implementation of this policy through the appropriate standards and procedures.

All personnel follow the standards and procedures that implement this policy.

All personnel have a duty to report perceived security weaknesses.

Incident Reporting

All personnel are responsible for reporting suspected and actual security incidents.

Review

This policy is reviewed regularly, and whenever a significant change affects it, to ensure it remains appropriate for the business and our ability to serve our customers.

Signed: ......

Title: ......

Date: ......

12/03/2018