Information security management system policy.

Purpose 

The information created, processed and used by the Company, as well as information entrusted to us by our customers, are among our most valuable assets. Given the nature of our business, all necessary steps are taken to protect these assets. A compromise of these Information Assets could severely impact our customers, constitute a breach of laws and regulations and negatively affect the reputation of the Company. 

This document defines our high-level Information Security Policies aligned to the International Standard for Information Security using ISO 27001:2022 and other relevant Standards. These Information Security Policies have been benchmarked against the Standard as well as industry best practice to ensure that they are comprehensive and appropriate. They take a risk-based approach to ensure that the business has the maximum flexibility to innovate within a safe framework of controls.

Risk-based Approach 

These policies all take a risk-based approach. The principles behind this approach are: 

∙ A baseline set of controls is defined and applied to all Information Assets

∙ More sensitive assets (e.g. commercially or contractually sensitive information) require more rigorous controls 

∙ The most sensitive, High Risk assets (e.g. sensitive personal data, financial data) are protected by the most rigorous controls. 


Exceptions 

These policies apply to all information handling, whether on IT systems or on paper. However, it is recognised that some of the controls identified may be aspirational to an extent and full implementation will be achieved on a planned basis. 

Any exceptions to these Policies or associated Directives must follow the Security Exception Process which identifies non-applicable controls as such in the Statement of Applicability; these must be reviewed and re-authorised at least annually.
