Information Security Policy
A-GRC is a firm of management consultants that provides a variety of business-based consultancy services.
It owes its success, and its excellent reputation, to its high-quality and professional service.
A-GRC’s ability to maintain this reputation, and the levels of service to its clients, depends on the highest standards of professionalism and integrity. It is paramount that these standards include the way in which A-GRC uses and protects information and information systems. Any loss of confidence in A-GRC’s ability to provide these services could cause the business to suffer. New technology exposes A-GRC to new and potentially greater risks, because much greater reliance is placed on automated systems and because of the extensive use of networked computers. A-GRC wants to reap the benefits of new technology but will not take unacceptable risks to do so.
It is A-GRC’s policy to secure information and systems in a manner which meets or exceeds accepted best practice. A-GRC will ensure the continuity of its business operations and limit business damage by implementing controls to minimise the impact of any adverse event.
It is A-GRC’s policy to ensure that:
- a business continuity plan shall be devised, tested and maintained;
- access to A-GRC data and personal data shall be appropriately controlled;
- all Client data shall be appropriately protected and shall not be divulged to any third party without authorisation;
- all employees shall be made aware of their responsibility to adhere to this policy and shall ensure that all breaches of information security, actual or suspected, are reported to, and investigated by, the Information Security Manager;
- all employees shall be provided with training in information security awareness, and individual responsibilities shall be defined;
- all in-house systems development shall be appropriately controlled and tested before live implementation;
- the confidentiality and integrity of all information shall be maintained at all times;
- contractual, regulatory and legislative requirements shall all be met;
- information shall be made accessible to employees and third parties according to business need, and shall be protected against unauthorised access;
- the premises shall be protected by suitable physical security and environmental controls and, where appropriate, access shall be restricted to authorised employees;
- all of its operations, including policies and procedures, shall be subject to continuous review and improvement where necessary.
This policy provides a clear statement of A-GRC’s commitment to protect all information assets from threats internal and external, intentional or accidental.
An information security management system (ISMS) based on ISO 27001 provides the framework for the implementation of this policy within A-GRC and is supported by a comprehensive set of procedures. The ISMS shall be regularly reviewed through a risk management process to ensure that all identified risks are treated.
This policy is issued, reviewed at least annually and maintained by the Information Security Manager, who also provides advice and guidance on its implementation and ensures compliance.
All A-GRC employees shall comply with this policy.
Dated: 1 January 2018