Last updated: Feb 2024

Introduction

This policy defines the information security policy of Cloud Gateway. To operate effectively, with respect to the sensitivity of information and without interruption for the benefit of our customers, staff and other stakeholders, we have implemented an Information Security Management System (ISMS) in line with ISO 27001. The standard defines requirements for an ISMS based on globally recognised best practices.

The operation of the ISMS has many benefits for the business including:

• Customer retention and confidence

• Reduced risk of cyber attacks

• Ability to demonstrate compliance

• Employee learning and development

Our scope of registration the the ISO 27001 standard is:

The provision of networking and security services for the public and private sector within the United Kingdom and internationally.

Scope

This policy applies to all systems, people and processes that constitute our information systems, including board members, directors, employees, suppliers and other third parties who have access to our systems.

A Statement of Applicability aligned with the ISO 27001 standard records the relevant controls that we have implemented.

Information Security Policy

Information Security Requirements

The information security requirements applicable to Cloud Gateway are defined in a Statement of Applicability. Generally speaking, activity is focussed on the fulfilment of those requirements.

Legislative and regulatory requirements are documented in a Schedule of Requirements.

The controls implemented as part of the ISMS are regularly communicated to all staff through team meetings, training and documentation.

Responsibilities

Our Information Security Steering group is responsible for reviewing, setting and approving the implementations of the ISMS.

Our CEO and Operations Director are responsible for ensuring that roles, responsibilities and authorities are appropriately assigned, maintained and updated as necessary.

All employees are responsible for adhering to the requirements of the information security policy and for fulfilling any duties related to assigned roles, responsibilities or authorities.

Framework for setting objectives

A regular cycle will be used for setting information security objectives that coincide with the business objectives. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.

Information security objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of the management reviews to ensure that they remain valid.

In accordance with ISO/IEC 27001, the reference controls detailed in Annex A of the standard will be adopted where appropriate. These will be reviewed on a regular basis in light of risk management procedures.

Continual Improvement of the ISMS

The Cloud Gateway policy regarding continual improvement is to:

• Continually improve the effectiveness of the ISMS

• Achieve ISO/IEC 27001 certification and maintain it on an on-going basis

• Make information security processes and controls more measurable in order to provide a sound basis of informed decision

• Obtain ideas for improvement via regular meetings and other forms of communication with interested parties

• Review ideas for improvement at regular management meetings, assess benefits

Ideas for improvements may be obtained from any source including employees, customers, suppliers, risk management and service reports.

Information security policy areas

Cloud Gateway defines policy in a wide variety of information security-related areas, detailed in documents that accompany this information security policy.

Each of these policies are defined and agreed by one or more people with competence in the relevant area and, once formally approved, are communicated to an appropriate audience, both internal and external to the organisation.

Application of information security policy

The policy statements made in this document and in supporting policies have been reviewed and approved by the Senior Leadership Team and must be complied with.

Compliance

Non-compliance with this policy may result in disciplinary action and/or termination of contract.