Last updated: Feb 2023
This document defines the Information Security Policy of Cloud Gateway.
We recognise at a senior level the need for business to operate smoothly and without interruption for the benefit of our customers, staff and other stakeholders.
In order to provide such a level of continuous operations, we have implemented an Information Security Management System (ISMS) in line with the International Standard for Information Security, ISO/IEC 27001. This standard defines the requirements for an ISMS based on globally recognised best practices.
The operation of the ISMS has many benefits for the business including:
Retain existing customers
Easily demonstrate compliance
Reduce risks of cyber attacks
Support employees with clear training and policies
Give our customers confidence
And many more
We have decided to maintain full certification to ISO/IEC 27001 so that the effective adoption of information security best practice may be validated by an independent third party, a Registered Certification Body.
This policy applies to all systems, people and processes that constitute our Information Systems, including board members, directors, employees, suppliers and other third parties who have access to our systems.
A Statement of Applicability aligned with the ISO 27001 standard records the relevant controls that we have implemented. This document is maintained by a Controlled Document Register within the business.
2. Information Security Policy
2.1 Information Security Requirements
A clear definition of the requirements for information security within Cloud Gateway is agreed and maintained with the internal business so that all ISMS activity is focussed on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input into the planning process. Specific requirements about the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of Cloud Gateway’s Information Security Management system that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and various documents.
The Information Security Steering group is responsible for setting and approving the information security policy.
The CEO and CTO are responsible for ensuring that roles, responsibilities and authorities are appropriately assigned, maintained and updated as necessary.
All Employees are responsible for adhering to the requirements of the information security policy and for fulfilling any duties related to assigned roles, responsibilities or authorities.
2.3 Framework for setting objectives
A regular cycle will be used for setting information security objectives that coincide with the business objectives. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.
Information security objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of the management reviews to ensure that they remain valid.
In accordance with ISO/IEC 27001 the reference controls detailed in Annex A of the standard will be adopted where appropriate by us. These will be reviewed on a regular basis in light of the outcome from a Risk Assessment in line with information security risk treatment plans. For details of which Annex A controls have been implemented which have been excluded please see our Statement of Applicability.
The adoption of the Statement of Applicability will provide additional assurance to our customers and help further with our compliance with international data protection legislations, where applicable.
2.4 Continual Improvement of the ISMS
The Cloud Gateway policy regarding continual improvement is to:
Continually improve the effectiveness of the ISMS
Enhance current processes to bring them into line with good practice as defined with ISO/IEC 27001 and related standards
Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
Increase level of proactivity (and stakeholder perception of proactivity) with regard to information security
Make information security processes and controls more measurable in order to provide a sound basis of informed decision
Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
Obtain ideas for improvement via regular meetings and other forms of communication with interested parties
Review ideas for improvement at regular management meetings in order to prioritise and assess timescales and benefits
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessment and service reports. Once identified they will be recorded and evaluated as part of the internal Continuous Business Improvement process.
2.5 Information security policy areas
Cloud Gateway defines policy in a wide variety of information security-related areas which are described in detail in a comprehensive set of policy documentation that accompanies this overarching information security policy.
Each of these policies is defined and agreed by one or more people with competence in the relevant area and, once formally approved, is communicated to an appropriate audience, both within and external to the organisation.
Details on the relevant set of policy documentation can be found in the Information Security Management System and is subject to user access control. Alternatively, request for details can be issued to email@example.com
2.6 Application of information security policy
The policy statements made in this document and in the set of supporting policies have been reviewed and approved by the Senior Leadership Team and must be complied with.
Failure by an employee to comply with these policies may result in disciplinary action in accordance with our Employee Disciplinary Process. Questions regarding any policies should be raised in the first instance to the employee’s immediate line manager.
3. Scope of Registration
The provision of networking and security services for the public and private sector within the United Kingdom and internationally.