Quality and Information Security Policy


Introduction  

Spherica (‘the Company’) is committed to providing the highest quality service possible while protecting information both internally and externally, for employees and customers alike. To achieve this, the Company ensures compliance with all relevant UK and EU legislation and regularly reviews overseas partners’ certification and standards. The Company has also implemented, and will maintain, a Quality Management System (QMS) and an Information Security Management System (ISMS) in accordance with ISO 9001:2015 and ISO 27001:2022, and regularly updates its systems and processes to ensure legislative compliance.

This policy is approved by management with appropriate authority. It applies to the Service Management System (SMS), all services provided by the Company, and all supporting activities, resources, and information assets that enable service delivery.

The Quality Management System (QMS), Information Security Management System (ISMS) and Service Management System (SMS) encompass the governance and control of all Company operations and resources within the UK. This policy establishes a structured framework for defining, monitoring, reviewing, and achieving the Company’s objectives, programmes, and targets related to both quality and information security, ensuring continual improvement and compliance with applicable standards and regulatory requirements.

The Information Security Policy supports the effective operation of the Service Management System (SMS) by ensuring that information security risks to services are identified, assessed, and treated in a manner consistent with service objectives, service continuity requirements, and customer expectations.

The Company is committed to preserving the confidentiality, integrity, and availability of all information assets, management systems, and documentation in order to manage information risk effectively. Through this commitment, the Company aims to:

  • Ensure the needs of employees, customers, and corporate governance requirements are fully met. 
  • Establish trust that partnerships involving the exchange or sharing of information comply with legal obligations and security standards. 
  • Guarantee that all security controls, including policies and procedures, are properly implemented, effective, and regularly reviewed. 
  • Confirm that third-party suppliers providing information security services deliver solutions that are adequate, reliable, and fit for purpose. 
  • Ensure that information security controls support agreed service levels, service continuity, incident management, and the protection of customer and service-related information throughout the service lifecycle. 

Information security requirements to establish, implement, maintain, and continually improve the management systems will remain aligned with the Company’s objectives, established practices, GDPR regulations, the Information Security Management System (ISMS), and all other applicable legislation.

Information security requirements are also aligned with the Service Management System (SMS) to ensure that risks to services, customers, and interested parties are managed consistently and proportionately.

The implementation, ongoing review, and commitment to information and data security compliance enable everyone working on behalf of the Company to perform their duties efficiently, effectively, and securely. Adhering to the Company’s information security requirements ensures that all operations, data exchanges, and both customer site-based and remote working activities are conducted at an acceptable security level, while actively minimising information-related risks to a managed level.

The Company maintains documented Quality Management System (QMS), Information Security Management System (ISMS) and Service Management System (SMS) objectives, which are reviewed at least annually to ensure ongoing progress toward their achievement. These objectives are supported by comprehensive policies, procedures, and templates designed to uphold high-quality standards and mitigate risks to the security of information within the Company’s systems. 

Information security objectives are aligned with service objectives and are designed to support the effective delivery, operation, and improvement of services within the SMS. 

The overarching quality and information security policy and objectives of the Company are as follows:

  • Information will be protected against unauthorised access. 
  • Procedures and policies regarding information security will be regularly reviewed to ensure that confidentiality is maintained and a high standard of work is upheld. 
  • Regulatory and legislative requirements relevant to the business as a whole and to its information systems, including the processing of information (i.e. relevant Data Protection legislation), will be met to ensure that the integrity of information is maintained. 
  • Business Continuity Plans will be established, maintained and tested. 
  • Training will be available to all staff (and any relevant third parties), together with the provision of all necessary resources and equipment. 
  • Business requirements for the availability of information and systems will be met. 
  • Any breaches, actual or suspected, of procedure, policy or security will be investigated and reported as necessary. 
  • All employees will be made aware of their individual obligations in respect of this policy and the Company as a whole. 
  • Ongoing risk assessments will be conducted and appropriate controls implemented to manage information security risks. 
  • Top management will demonstrate leadership and commitment to the Information Security Management System (ISMS) and its continual improvement. 
  • Regular internal audits and management reviews will be performed to monitor the compliance, effectiveness, and performance of the ISMS. 
  • Supplier and third-party security risks will be managed through due diligence, contractual obligations, and continuous monitoring. 
  • Structured incident response and corrective action processes will be established and maintained to promptly address information security events, breaches, and nonconformities. 
  • Information security policies, responsibilities, and updates will be communicated clearly and regularly to all employees and relevant stakeholders. 
  • The management systems will achieve the objectives that are set, and continual improvement in the effectiveness and performance of the Company’s management systems will be sought. 
  • Information security incidents affecting services will be managed, escalated, resolved, analysed, and reviewed in accordance with the Service Management System and applicable service requirements. 

Risk Assessment 

The Company’s management systems apply comprehensively across the entire business, including home workers, customer sites, and remote access environments. The Company defines the scope of its Information Security Management System (ISMS) accordingly. 

Risk assessments also consider risks to services, service continuity, service availability, customer information, and obligations to interested parties within the scope of the SMS. 

The Company conducts ongoing risk assessments to identify threats and vulnerabilities related to all relevant assets. Risks are evaluated against the Company’s risk appetite to determine which are intolerable and require mitigation. Residual risks are managed through the implementation of carefully designed policies, procedures, and controls. 

Risk assessments focus on safeguarding the confidentiality, integrity, and availability of information assets. This is supported by robust procurement processes, enforceable contractual agreements, and comprehensive company policies that are communicated clearly to employees, third parties, and customers as applicable. 

Management demonstrates leadership and commitment to maintaining and continually improving the ISMS. Policies and controls are regularly reviewed and updated to address evolving risks and business requirements. Training and awareness programmes ensure that all personnel understand their responsibilities regarding information security. 

Roles and Responsibilities 

All roles and responsibilities will be periodically reviewed to ensure alignment with the Company’s evolving needs and the requirements of the management systems. 

All employees, contractors, and third parties with access to the Company’s systems are required to comply with this policy, applicable management system standards, and relevant legislation, as appropriate to their respective roles. 

The Company will regularly assess the impact of its partners and third parties on its ability to maintain compliance with quality and information security standards. This assessment includes scheduled reviews of the services provided by third parties and of their capability to uphold robust information security controls, thereby supporting the Company’s ongoing maintenance of its Quality Management System (QMS), Information Security Management System (ISMS) and Service Management System (SMS).

The importance of conforming to this Information Security Policy and its applicability to the SMS and services is communicated to: 

  • employees and internal personnel; 
  • customers and service users, where relevant; 
  • external suppliers, internal suppliers, and other interested parties, as appropriate to their involvement in service delivery or information processing. 

Monitoring and Review 

To ensure continuous improvement, the Company’s Quality Management System (QMS) and Information Security Management System (ISMS) are regularly reviewed by Top Management to confirm their ongoing suitability, adequacy, and effectiveness in meeting business needs. This review includes evaluating audit results, reviewing risk assessments, and considering all other relevant requirements of the ISMS.

Reviews also consider information security performance related to services, incidents, trends, and impacts on customers and interested parties. 

The QMS, ISMS and SMS undergo annual internal and external audits to verify compliance and identify opportunities for improvement. 

This policy has been approved by top management and will be formally reviewed annually to ensure its continued relevance and effectiveness.