INFORMATION SECURITY POLICY
1.1 General Policy
Spherica (‘the Company’) is committed to protecting information both internally and externally, for employees and customers. In order to achieve this, the Company ensures compliance with all relevant UK and EU legislation, as well as regularly reviewing overseas partners’ certification and standards. The Company has also implemented and will maintain an Information Security Management System (ISMS) in accordance with ISO 27001:2013, as well as regularly updating its systems and processes to ensure legislative compliance.
The ISMS applies to the control of the entire Company, its premises and resources in the UK, and as such this policy provides a framework for setting, monitoring, reviewing and achieving the Company’s objectives, programmes and targets with regard to information security.
The Company is committed to preserving the confidentiality, integrity and availability of all information security management systems and documentation, in order to ensure that the Company manages information risk. As a result, the Company is able to:-
- Ensure that the needs of employees, customers and the requirements of corporate governance are met.
- Establish confidence that partnership arrangements, involving the exchange and sharing of information, are legal and secure.
- Ensure that all security features, e.g. procedures and policies, are fully implemented, effective and correct.
- Be sure that the services and products offered by third party suppliers of information security assurance are adequate and fit for purpose.
The information security requirements to establish, implement, maintain and continually improve information security within a management system will continue to be aligned with the Company’s objectives, the Company’s general practices, the GDPR, the ISMS and other applicable legislation.
The implementation and review of, and commitment to, information and data security compliance will enable all who work on behalf of the Company to work efficiently, effectively and securely. Commitment to the Company’s information security requirements will ensure that all electronic operations, exchanges of documentation and data, and office and remote working are carried out to an acceptable standard, whilst reducing any information-related risks to an acceptable level.
The Company has documented ISMS objectives which are reviewed at least annually to ensure that the objectives set are being furthered. These objectives are supported by documented policies, procedures and templates to reduce any risk to information security within the Company’s systems.
The overarching information security policy and objectives of the Company are as follows:-
- Information will be protected against unauthorised access.
- Procedures and policies regarding information security will be regularly reviewed to ensure confidentiality is maintained.
- Regulatory and legislative requirements relevant to information systems and the processing of information will be met, i.e. relevant Data Protection legislation, to ensure that the integrity of information is maintained.
- Business Continuity Plans will be established, maintained and tested.
- Information Security Training will be available to all staff (and any relevant third parties), as well as the provision of all necessary resources and equipment.
- Business requirements for availability of information and systems will be met.
- Any breaches, actual or suspected, of information security will be investigated and reported as necessary.
- Compliance with all applicable legislation will be maintained.
- All employees will be made aware of their individual obligations in respect of this policy.
- The management system will achieve the objectives set, and continual improvement in the effectiveness and performance of the Company’s management system will be sought.
1.2 Risk Assessment
The Company’s ISMS is applicable to the entire business, thus covering home workers, customer sites and remote-access working. Therefore, the Company will identify any risk to information assets, decide which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered policies, procedures and controls.
In line with the ISO 27001 standard, the focus of all risk assessments carried out is to evaluate each risk and ensure that the confidentiality, integrity and availability of the information held are sufficiently safeguarded. This is achieved by ensuring that robust procurement processes, contractual agreements and relevant company policies are in place and communicated to employees and, where relevant, to third parties or customers.
1.3 Roles and Responsibilities
All roles and responsibilities will be reviewed in line with company needs and the ISMS requirements.
All employees, contractors and third parties with access to the Company’s information systems are expected to comply with this policy, any information security standard that is achieved and the relevant information security legislation, as is appropriate to their role.
The Company will regularly review the impact of its partners and third parties on the Company’s ability to comply with the ISMS standard. This will be done through regular reviews of the services offered or provided by third parties and of their ability to uphold the highest information security standards they can, in order to support the Company in maintaining its ISMS.
1.4 Monitoring and Review
To ensure the Company maintains its commitment to continual improvement, the ISMS is regularly reviewed by “Top Management” to ensure it remains appropriate and suitable for our business. The ISMS is subject to both internal and external annual audits.