Information Security Policy

Contents

1.      Purpose, scope and users                                                                                                               3

1.1.       Processes and services                                                                                                          3

1.2.       Departments                                                                                                                               3

1.3.       Locations                                                                                                                                     3

1.4.       Networks and IT infrastructure                                                                                         3

1.5.       Exclusions                                                                                                                                   3

2.      Basic information security terminology                                                                                   3

3.      Policy Statement                                                                                                                               4

4.      Interested Parties (Internal and External)                                                                            4

5.      Managing information security                                                                                                    4

5.1.       Objectives and measurement                                                                                                 4

5.2.       Information security requirements                                                                                    4

5.3.       Information security controls                                                                                            5

5.4.       Business continuity                                                                                                                  5

5.5.       Responsibilities                                                                                                                          5

5.6.       Policy communication                                                                                                              5

6.      Support for ISMS implementation                                                                                               5

7.      Document management                                                                                                                     5

8.      Version History                                                                                                                                  6

1.    Purpose, scope and users

The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management.

This Policy is applied to the entire Information Security Management System (ISMS), as defined below.

Users of this document are all employees of Accellier, as well as relevant external parties.

1.1.         Processes and services

All Accellier services and/or business processes are within the scope of the ISMS.

1.2.         Departments

All Accellier departments are within the scope of the ISMS, including Development, Support, Sales, Finance, and the Board of Directors

1.3.         Locations

All Accellier office locations are within the scope of the ISMS, including remote workers.

1.4.         Networks and IT infrastructure

All Accellier networks and related IT infrastructure are within the scope, including cloud environments.

1.5.         Exclusions

No areas of Accellier are excluded.

2.    Basic information security terminology

Confidentiality – confidential and/or sensitive information should only be available to authorised individuals and systems.

Integrity – confidential and/or sensitive information should be consistent, accurate and trustworthy over its entire lifecycle.

Availability – confidential and/or sensitive information should be consistently and readily accessible for authorised individuals and systems.

Information security – preservation of the confidentiality, integrity, and availability of information.

Information Security Management System – management process that takes care of planning, implementing, maintaining, reviewing, and improving the information security.

3.    Policy Statement

It is the policy of Accellier to maintain an ISMS designed to meet the requirements of ISO 27001 in pursuit of its security objectives, the purpose and the context of the organisation.

4.    Interested Parties (Internal and External)

The key interested parties for Accelliers ISMS are identified as: The Board of Directors, shareholders and investors, clients, service providers, and users whose personal data is stored and processed by Accellier applications.

5.    Managing information security

5.1.         Objectives and measurement

General objectives for the ISMS are to:

●       Provide a secure service to our customers and users.

●       Create a better market image.

●       Reduce the damage caused by potential incidents.

●       Ensure goals are in line with the organisation's business objectives, strategy, and business plans.

Objectives for individual security controls or groups of controls may be proposed by information asset owners, users, and stakeholders. All objectives must be reviewed at least once a year.

Accellier will measure the fulfilment of all the objectives. Mark Hutchinson is responsible for setting the method for measuring the achievement of the objectives – the measurement will be performed at least once as part of an annual review.

5.2.         Information security requirements

This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organisation in the field of information security, as well as with contractual obligations.

5.3.         Information security controls

The process of selecting the controls (safeguards) is defined in the Risk Assessment and Risk Treatment Methodology.

5.4.         Business continuity

Remote working enables the business to have a very high level continuity plan, with no reliance on offices or physical data centres; our requirement is that employees, contractors and Board of Directors have access to a laptop and internet connection.

Therefore to mitigate the risk of an internet connection failing all individuals are able to hotspot to their mobile phone. This will minimise any business disruption.

In the event of a laptop failing, spare laptops are held in stock and either a user can collect a spare laptop from the office or a laptop can be couriered to the user. The user should experience minimal downtime.

5.5.         Responsibilities

Responsibilities for the ISMS are the following:

●       The Board of Directors is responsible for ensuring that the ISMS is implemented and maintained according to this Policy, and for ensuring all necessary resources are available.

●       Mark Hutchinson is responsible for operational coordination of the ISMS as well as for reporting about the performance of the ISMS.

●       Accellier must review the ISMS at least once a year or each time a significant change occurs and prepare minutes from that meeting. The purpose of the management review is to establish the suitability, adequacy, and effectiveness of the ISMS.

●       Accellier will implement information security training and awareness programs for all employees including the Board of Directors.

●       Compliance with ISMS policies and procedures is the responsibility of all Accellier employees, as well as reporting all incidents or weaknesses.

5.6.         Policy communication

Accellier must ensure that all employees, as well as appropriate external parties are familiar with this Policy.

6.    Support for ISMS implementation

The Board of Directors declares that ISMS implementation and continual improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as satisfy all identified requirements.

7.    Document management

The owner of this document is Mark Hutchinson, who must check and, if necessary, update the document at least once a year.

8.    Version History