Information Security Framework

The Chief Executive Officer is accountable for information security governance.
A designated Information Security Lead oversees implementation and compliance.
All employees and associates and contractors are responsible for adhering to security policies and reporting incidents.

Information Security Policy: Defines the company’s commitment to safeguarding data and outlines roles, responsibilities, and controls.
Access Control Policy: Ensures that only authorised personnel can access sensitive data, using role-based permissions and multi-factor authentication.
Data Protection Policy: Aligns with UK GDPR principles, covering lawful processing, data minimisation, subject rights, and breach notification.
Asset Management: Maintains an inventory of information assets and classifies them based on sensitivity.
Incident Response Plan: Provides procedures for identifying, reporting, and responding to security incidents or data breaches.
Business Continuity & Backup: Ensures data resilience through regular backups and continuity planning.
Training & Awareness: All staff receive induction and annual refresher training on data protection and cyber hygiene.

Personal data is processed lawfully, fairly, and transparently.
Data is collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.
Data is kept accurate, up to date, and retained only as long as necessary.
Appropriate technical and organisational measures are in place to protect against unauthorised access, loss, or damage.
Data Subject Access Requests (DSARs) are handled within statutory timeframes.

Policies are reviewed annually or following significant changes in operations or legislation.
Internal audits are conducted to assess compliance and identify areas for improvement.

Jonathan Michael

Chief Executive Office

5^th January 2025