Propeller Studios ISMS Policy Document

Company Policy Documents

Information Security Management Systems Policy Document

ISO 27001:2013 ISMS POLICY DOCUMENT

Version 1

September 2014

Table of Contents

1 Introduction
2 Issue Status
3 Overview of PROPELLER STUDIOS LTD
  3.1 Scope of Registration
4 Information Security Management System
  4.1 Documented Information
    4.1.1 Documents
    4.1.2 Records
5 Management Commitment
  5.1 Role of Senior Management
6 ISMS Policy
  6.1 Introduction
  6.2 Scope of the Policy
  6.3 Legal and Regulatory Obligations
  6.4 Roles and Responsibilities
  6.5 Strategic Approach and Principles
  6.6 Business Continuity Management
  6.7 Approach to Risk Management
  6.8 Information Security Objectives
  6.9 Responsibility, Authority and Communication
  6.10 Management Review
  6.11 Review Input
  6.12 Review Output
7 Provision of Resources
  7.1 Human Resources General
  7.2 Infrastructure
8 Risk Assessment Methodology
  8.1 Risk Treatment Plan
9 Measurement, Analysis & Improvement
  9.1 Information Security Standards
  9.2 Internal ISMS Audits
  9.3 Monitoring & Measurement of Processes
  9.4 Monitoring & Measurement of Service
  9.5 Analysis of Data
  9.6 Continual Improvement
  9.7 Corrective Action and Improvement
  9.8 Complaints Policy
  9.9 Preventative Action
10 Appendices
  10.1 Appendix 1 – Organisation Chart
  Appendix 2 – List of Controlled Documents


1 INTRODUCTION

This document is the ISMS Policy Document of PROPELLER STUDIOS LTD. It is the property of PROPELLER STUDIOS LTD and is a controlled document.

The purpose of the ISMS Policy Document is to provide an overview of the company, the activities it carries out and the quality standards of operation it conforms to. It is not designed to act as a procedure manual, although it does carry information about where procedures information is located and the detailed information on Documentation Requirements for essential procedures, e.g. document control and control of records; internal audit and corrective/preventative action (please see Procedures Log).

Throughout this ISMS Policy Document there are explanations of the requirements of the standard, paraphrased and appended in smaller grey text. Each precedes a section explaining how the company implements that particular aspect of the standard.

2 ISSUE STATUS

The issue status is indicated by the version number in the footer of this document. It identifies the issue status of this ISMS Policy Document. When any part of this ISMS Policy Document is amended, a record is made in the Amendment Log shown below. The ISMS Policy Document can be fully revised and re-issued at the discretion of the Management Team. The ISMS Policy Document will be reviewed on a quarterly basis as standard. Please note that this ISMS Policy Document is only valid on the day of printing.

Issue Amendment Date Initials Authorised

1 1st Authorised Issue 31/09/2014 A.D.H A.D.H

3 OVERVIEW OF PROPELLER STUDIOS LTD

“Propeller Studios Ltd provides clients with products and services that help them to win work, control costs, manage processes and share information through the use of our cloud based, online computer software. We have a retained client base of over 300 organisations. They represent a wide demographic of the service sector, although we do specialise in the construction industry.

As bid consultants, we understand the challenges associated with completing PQQs and tenders. We provide a comprehensive range of tender writing and graphic design services that require us to store and use client data.

We have developed and sell EasyPQQ, which is an online computer application. EasyPQQ has a worldwide user base, acting as a knowledge hub, search engine and bid management tool. It is used by a wide range of organisations, from multinationals to local SMEs.


We have also developed a cloud-based computing solution, EasyBOP, which is an integrated Business Operations Platform that unifies all company processes with one enterprise-level solution.

As a consequence of our business activity it is essential that we operate a clearly defined and robust approach to the security of our own and clients’ data.”

3.1 Scope of Registration

Provider of online, cloud based computer systems used by third parties to create, store and reuse digital information.

4 INFORMATION SECURITY MANAGEMENT SYSTEM


PROPELLER STUDIOS LTD has a commitment to quality and a formal information security managementsystem (ISMS) that addresses the following areas:

● Quality
● Performance monitoring and review
● Policy and Procedures
● Managing external relationships
● Financial Management
● Strategic and business planning
● Human resource development
● Service innovation

4.1 DOCUMENTED INFORMATION

4.1.1 Documents

All documents are maintained and controlled by the Managing Director. Policy and procedure documents are reviewed annually. Any documents requiring amendment are updated, authorised and completed. All updates to documents are signed and dated by the Managing Director. Documents are re-issued as an electronic PDF document and a limited number of hard copies are produced. Obsolete documents will be archived and restricted by the Managing Director; electronic copies of all past versions are kept. All managers hold responsibility for cascading information to staff.

4.1.2 Records

All project records are stored in appropriate electronic folders and managed by the respective departments. Hard copies of documents are restricted to a minimum and should not be produced unnecessarily. Electronic records are encouraged over hard copies due to environmental concerns, available storage space and to prevent unnecessary expenditure.


5 MANAGEMENT COMMITMENT

5.1 Role of Senior Management

PROPELLER STUDIOS LTD’s Senior Management Team are committed to the development and implementation of an Information Security Policy and an Information Security Management System, and to frequently reviewing this system. Responsibility has been assigned to ensure that the ISMS conforms to the requirements of the standard, and the provision to report on performance to the senior management team has been defined.

The Managing Director will ensure that PROPELLER STUDIOS LTD staff are aware of the importance of meeting customer as well as statutory and regulatory requirements and, overall, of contributing to achieving PROPELLER STUDIOS LTD’s Information Security Objectives, which are aligned with the current business plan.

The Senior Management Team is responsible for implementing the ISMS and ensuring the system is understood and complied with at all levels of the organisation. They are responsible for ensuring that:

● The information security policy and objectives are established and in line with the strategic direction of the organisation
● Integration of the ISMS into the organisation’s processes
● Resources needed for the ISMS are available
● Communication covering the importance of effective information security management and conformance to the ISMS requirements is in place
● The ISMS achieves its intended outcome(s)
● The contribution of persons involved in the effectiveness of the ISMS is supported by direction and support
● Continual improvement is promoted
● Other management roles within their area of responsibility are supported

An internal audit of procedures and policies is conducted annually in September. A review of the Information Security Objectives takes place in July. In addition, achievement of the quality objectives is measured against quarterly targets set in relation to the business plan. Staff contribution towards the Information Security Objectives is measured in supervision and documented annual appraisals in October.

6 ISMS POLICY

6.1 Introduction

This document is the Information Security Policy for PROPELLER STUDIOS LTD. It describes the company’s corporate approach to Information Security and details how we address our responsibilities in relation to this vital area of our business. As a company we are committed to satisfying applicable requirements related to information security and to the continual improvement of the ISMS.

Information Security is the responsibility of all members of staff, not just the senior management team, and as such all staff should retain an awareness of this policy and its contents and demonstrate a practical application of the key objectives where appropriate in their daily duties.

We also make the details of our policy known to all other interested parties, including external parties where appropriate, and determine the need for communication, and by what methods, relevant to the information security management system. These include, but are not limited to, customers and clients, whose requirements are documented in contracts, purchase orders, specifications etc.

Compliance with the policy will be verified by a continuous programme of internal audits.


6.2 Scope of the Policy

The scope of this policy relates to use of the database and computer systems operated by the company at its data centre in London and offices in Hitchin, in pursuit of the company’s business of providing tender consultancy and providing online computer applications. It also relates, where appropriate, to external risk sources including functions which are outsourced.

Integration – we maintain a number of flow charts which illustrate key business activities and their correspondence to ISMS requirements.

6.3 Legal and Regulatory Obligations

● Data Protection Act 1998
● Employment Agency Act 2003

6.4 Roles and Responsibilities

Our Information Security Manager (this role is carried out by our Managing Director) is responsible for randomly sampling records to ensure that all required data has been captured, and that data is accurate and complete. It is the responsibility of all staff to ensure that all data is treated with the utmost confidentiality, and that no data is given out without the prior authority of any person affected.

6.5 Strategic Approach and Principles

6.5.1 Information Classification

All staff have access to the company business operations database, which is the only software used to manage company workflow. It is structured to have different access levels. Access levels are issued to staff when they are employed and the access provided is relevant to the staff member’s job role. All staff actions within the database are recorded in an audit log, meaning that the company always has access to information allowing it to assess which data has been viewed by which staff member. Access privileges are reviewed annually at appraisal, or as required during promotions or a change in scope of job role.

Client data is maintained within a separate database located at our data centre in London. Staff access to the database is restricted to the senior management of the applications development team and customer services staff. Control for applications development staff is maintained through access from an identified IP address and a minimum 9 character alphanumeric code. These are maintained in a register and new permissions can only be generated by the Managing Director or Application Programming Director. Access for Customer Services Staff is limited through permissions granted by our ultimate client and a 9 character alphanumeric code.

The following table provides a summary of the information classification levels that have been adopted by Propeller Studios Limited. Detailed information on defining information classification levels and providing appropriate levels of security and access is provided in the Data Security Policy.

Security Level | Definition | Examples

Confidential | Normally accessible only to specified members of Propeller Studios Limited | Sensitive personal data; salary information; bank details; source code files; client data stored on systems; passwords; client tender documents

Restricted | Normally accessible only to specified members of Propeller Studios Ltd staff or clients | Personal data; Board Reports; System Designs; client data held on our systems

Protected | Normally accessible only to specified members of Propeller Studios Ltd staff or clients | All information held on the EasyBOP company management system; internal correspondence; Analytics and AdWords accounts

Open | Accessible to all members of the public | Annual accounts, newsletters, blog posts, product information releases, brochures, product updates, outage notices; information available on the Propeller Studios Limited websites


6.5.2 Access Control

All client user accounts contain information that is sensitive to the client. There are therefore security partitions between client data sets, which are set programmatically when new client accounts are created. Registered users of our application can only ever see the data stored in their own company account. Both applications’ core logic architectures have been designed to run as a multi-user environment from their inception. Data segregation is enforced through a unique client identifier and is persistent through the application programming logic, the database table relationships and the file system structure.

Best practice with respect to client password administration is enforced through the minimum requirement for password strength. This is a minimum 9 character, case sensitive, alphanumeric string.

Access to the company business operations database is restricted by password. Passwords MUST NOT be written down, either on paper or retained electronically. Passwords will be changed on a six monthly basis and the last twenty passwords may not be reused. Passwords should be no less than 9 characters in length and consist of numbers and letters of both cases.

6.5.3 Incident Management

Any and all incidents must be reported immediately in the first instance to the Managing Director, who also fulfils the role of Information Security Manager. Please refer to the Information Security Incident Management Policy.

6.5.4 Physical Security

Access to the office is via three separate locks on the main door. The office is also protected with intruder alarms outside of office hours, linked to the Redcare police alert system. The Hitchin Server Room is protected by a security door with an access code known only to authorised personnel. All client data is held on remote servers located within an outsourced data centre which has ISO27001:2005 level security in place.

6.5.5 Third-Party Access

Third party access is not permitted to our systems, save for two vendor rated suppliers. These partners are required to provide internet connectivity and support on our hosting systems. Access is only granted on a ‘permit to work’ basis issued by either the Managing Director or Application Programming Director.

6.6 Business Continuity Management

The Company has continually reviewed and improved its own arrangements for the maintenance, security and backup of the collection of computers that make up its hosting array. The schematic diagram below depicts the way in which the system is configured.
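The password rules stated in 6.5.2 (minimum 9 characters, case sensitive, numbers and letters of both cases, six-monthly change, last twenty not reusable), expressed as a small Python check. This is an added example, not Propeller Studios’ own code; the 183-day rotation window, the PBKDF2 storage of the history and the sample account are assumptions.

```python
"""Password rules from section 6.5.2 of the policy, expressed as code.

From the page: minimum 9 characters, case sensitive, numbers and letters of
both cases, changed every six months, last twenty passwords not reusable.
Assumptions (not stated in the policy): the six-month window is 183 days
and the history is kept as salted PBKDF2-SHA256 digests.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 9                  # "minimum 9 character" (6.5.2)
HISTORY_DEPTH = 20              # "the last twenty passwords may not be reused"
ROTATION = timedelta(days=183)  # "six monthly basis"; 183 days is an assumption
PBKDF2_ROUNDS = 20_000          # assumption; kept low so the example runs quickly


def complexity_errors(password: str) -> list[str]:
    """Return the 6.5.2 complexity rules the candidate fails (empty list = OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    return errors


@dataclass(frozen=True)
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_on: datetime


def _derive(password: str, salt: bytes) -> bytes:
    # Case sensitivity needs no extra work: the digest covers the exact bytes typed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(record: PasswordRecord, password: str) -> bool:
    return hmac.compare_digest(_derive(password, record.salt), record.digest)


@dataclass
class Account:
    username: str
    history: list[PasswordRecord] = field(default_factory=list)  # oldest first, newest last

    def set_password(self, new_password: str, now: datetime) -> None:
        """Apply the complexity rules and the twenty-password history rule, then store."""
        errors = complexity_errors(new_password)
        if errors:
            raise ValueError("password rejected: " + ", ".join(errors))
        # history holds at most HISTORY_DEPTH entries, the current password included
        if any(_matches(old, new_password) for old in self.history):
            raise ValueError(f"password rejected: reuses one of the last {HISTORY_DEPTH}")
        salt = os.urandom(16)
        self.history.append(PasswordRecord(salt, _derive(new_password, salt), now))
        del self.history[:-HISTORY_DEPTH]  # drop anything older than the last twenty

    def rotation_due(self, now: datetime) -> bool:
        """True when the current password is older than the six-month rotation period."""
        return not self.history or now - self.history[-1].set_on >= ROTATION

    def verify(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired' (correct but rotation overdue) or 'invalid'."""
        if not self.history or not _matches(self.history[-1], password):
            return "invalid"
        return "expired" if self.rotation_due(now) else "ok"


if __name__ == "__main__":
    acct = Account("j.smith")  # constructed sample account
    acct.set_password("Winter2014Bid", datetime(2014, 9, 30))
    print(acct.verify("Winter2014Bid", datetime(2014, 10, 1)))  # ok
    print(acct.verify("winter2014bid", datetime(2014, 10, 1)))  # invalid: case sensitive
    print(acct.verify("Winter2014Bid", datetime(2015, 4, 30)))  # expired: over six months
```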


The primary array – This collection of computers, switches, firewalls and hard storage units makes up the day to day system that delivers the company’s hosting services.

The secondary array – This collection of computers is located in a separate datacentre in Wilbury Way, Hitchin and acts as our third level backup.

The Primary and Secondary Array

The Primary hosted virtualisation platform has been designed to deliver the following:

● Fully redundant infrastructure
● A high level of security
● Flexible server infrastructure, allowing hot upgrades with minimal downtime
● Flexible, upgradable and resilient storage
● Redundant backups both onsite and offsite
● 24 hour on call support service

The Primary array has been designed so that no single piece of hardware can cause a system wide failure of any service. Utilising the Microsoft Hyper-V 2008 R2 platform and Open-E VSS V6 SAN storage devices, automatic failover of key hardware has been designed, and tested, so that the virtual servers will automatically switch to the live server in the event of a hardware failure.

The hardware is connected using multiple switches configured in a crossover setup. This adds the ability for any single network device to fail without interruption to service. The largest impact that will be felt will be a slight data access performance degradation if a SAN switch is compromised.

All data at the Primary array is backed up locally, and then transferred to the Secondary array (Hitchin Disaster Recovery site) during off peak times, where historic copies of data are stored.

In the event of any failure our engineers are contacted by email and text message with the details of the failure.


They will then respond to any support call within their SLA times:

● 8 – 6 Monday to Friday:
  ❍ Critical Failure: 30 minute response
  ❍ Other Failure: 1 hour response
● 24 Hours:
  ❍ Critical Failure: 1 hour response
  ❍ Other Failure: 2 hour response

In most cases the response times will be far below the above. Our aim is to respond to any type of failure within 5 minutes.

Security of the Primary and Secondary Array

The security configuration at the data centre comprises two dedicated firewalls configured in tandem for fault tolerance. They are locked down to only allow web traffic (ports 80 and 443) from public internet addresses. All other traffic is blocked to prevent unauthorised access to critical servers.

Web traffic is routed through a ModSecurity Web Application Firewall, providing another level of protection, as public web access does not have direct access to the application servers.

Access is permitted from specific IP addresses to specific ports and servers for management by Propeller Studios and their strategic partners. Communication between servers takes place on an internal private network, not connected to the public internet. The Storage Area Network is also completely offline with no direct internet access.

6.7 Approach to Risk Management

We have carried out a full risk assessment of the potential for a breach of security, as documented within our separate Risk Assessment Document. We aim to reduce all opportunities for data to be compromised. This includes the possibility of theft of data.

6.7.1 Action in the event of a policy breach

Access to the system is centrally controlled and removal of access to the system is a very simple procedure, which is controlled by the Information Security Manager.

Similarly, access to the premises is also controlled by the Information Security Manager. Door entry access is restricted by passcode and a security fob issued to staff. Entry codes are easily changed if required due to staff leaving.

As soon as a policy breach has been detected, any relevant user is either removed or reset, depending upon the most appropriate action in the circumstances.
6.8 Information Security Objectives

Our objectives are set out in our business plan 2015-2017 and are then disseminated to each department/project for incorporation into their management roles. Each department is responsible for delivering its objectives and this is monitored via individual appraisals and team meetings. PROPELLER STUDIOS LTD’s Quality Objectives are as follows:

Objective 1: Existing services - PROPELLER STUDIOS LTD will continue to deliver its services within a secure environment.

Objective 2: Development - PROPELLER STUDIOS LTD will conduct annual risk assessments to ensure that risk to information in the care of PROPELLER STUDIOS LTD is minimised or eliminated.


6.9 Responsibility, Authority and Communication

The management structure of PROPELLER STUDIOS LTD is shown as an organisation chart (see Appendix); the chart shows functional relationships and responsibilities.

6.9.1 Management Representative

The Information Security Officer is responsible for the maintenance, measurement and review of our Information Security Management System. The Information Security Officer will ensure that the processes needed for the Information Security Management System are established, implemented and maintained within PROPELLER STUDIOS LTD. In addition he/she will report to the SMT about system performance.

6.9.2 Internal Communications

Senior management utilise PROPELLER STUDIOS LTD’s internal communications framework in order to disseminate information about the effectiveness of the Information Security Management System.

6.9.3 Implementation

Following the annual audit, results will be collated and disseminated through PROPELLER STUDIOS LTD’s internal communications framework.

6.10 Management Review

6.10.1 General

Senior Management ensures:

● That the ongoing activities of PROPELLER STUDIOS LTD are reviewed regularly and that any required corrective action is adequately implemented and reviewed to establish an effective preventative process
● Measurement of PROPELLER STUDIOS LTD’s performance against our declared Information Security Objectives
● That internal audits are conducted regularly to review progress and assist in the improvement of processes & procedures. The reviews will be discussed as part of PROPELLER STUDIOS LTD’s SMT meetings
● That employees have the necessary training, support, specifications and equipment to effectively carry out the work.

The management team hold planning and review meetings every month. Minutes of these are taken and the agenda normally includes an update and discussion around the current work of all departments and services.

6.11 Review Input

The monthly Server Committee meetings review the following information:

● Risk management and the status of risk assessments and treatment plan
● Monitoring and measuring of results, including internal audits
● Fulfilment of information security objectives
● Serious untoward incidents
● Status of preventive actions, non conformances and corrective actions
● Follow up actions from previous management reviews
● Changes in external and internal issues that are relevant to the ISMS
● Recommendations / opportunities for continual improvements
● Feedback from interested parties

6.11.1 Implementation

● Meetings are scheduled
● A suggested agenda is prepared by the chair
● Members are invited to add items to the agenda
● Agenda is circulated to members


● Meeting takes place
● Actions defined
● Meetings are minuted by a designated staff member
● Minutes are approved by the Chair
● Minutes are circulated amongst members
● Completion of actions is reviewed at the next meeting.

6.12 Review Output The Senior Management Team reviews produce the following outputs:

● Policies and procedures are updated to make operations more efficient
● Operations and services are improved through measurement against targets and actions to improve or rectify specific areas
● Where resources are lacking, actions are put in place to rectify this

6.12.1 Implementation

● Corrective actions are identified
● Targets created
● Improvements actioned
● Situation re-evaluated at a specified later date.

7 PROVISION OF RESOURCES

PROPELLER STUDIOS LTD will provide all the resources needed to implement and maintain the Information Security Management System and improve the effectiveness of the system. PROPELLER STUDIOS LTD will also ensure that the resources needed to enhance the satisfaction and requirements of service users, service commissioners and staff are identified and in place through audit and continual review.

7.1 Human Resources General

7.1.1 Competence, Awareness & Training

We maintain a detailed Training Matrix demonstrating who has received what training and when.

7.2 Infrastructure

PROPELLER STUDIOS LTD’s buildings, workspace and associated utilities are managed by the Information Security Manager. The procurement and management of hardware, software and supporting services such as communication and information systems are also coordinated by the Information Security Manager.

We maintain a detailed asset register, including serial numbers, description and location or person to whom assigned.

7.2.1 Implementation

Buildings, workspace and associated utilities requirements are regularly reviewed to ensure we make efficient use of office space. Both hardware and software are reviewed on an ongoing basis to ensure that head office staff are equipped with fit for purpose IT equipment and software. IT systems are maintained and serviced by an external IT company in conjunction with the office manager.

The Managing Director prepares and distributes a wide range of information:

● Management Accounts
● Management & Performance information
● Training updates


8 RISK ASSESSMENT METHODOLOGY

We have identified the following process as a means of conducting regular risk assessments relating to Information Security issues. Within each of these areas the risks (if any) are identified together with a rating as to the importance of the risk. The associated consequence or severity of the risk is also rated, together with the probable likelihood of the risk occurring.


We use an Excel spreadsheet to collect and analyse the risks identified in the following assets / asset groups:

● Buildings, offices, secure rooms security
● Hardware – desktops, laptops, removable media
● Software applications
● Infrastructure / servers
● Client information and data
● Paper records
● People and reputation
● Key contacts
● Critical third party suppliers
● Utilities

All typical / likely threats have been assessed based on their potential effects on Confidentiality, Integrity and Availability (CIA attributes) using a ratings scale of:

● Very Low – 1, Low – 2, Medium – 3, High – 4 and Very High – 5, expressed across the key areas of Vulnerability, Probability and Impact

Following this analysis, evaluations are drawn as to what the most appropriate action is, together with the estimated cost of implementing action to address the identified issue and an estimate of the cost of ignoring the risk. The key evaluation criteria used are: 1 – Accept risk, 2 – Apply controls, 3 – Avoid risk, 4 – Transfer the risk.

8.1 Risk Treatment Plan - Statement of Applicability

The approach to our risk treatment plan has been designed and implemented using the main headings within the standard (Annex A Table A.1 – Control objectives and controls) as a guide to establish that all controls required have been considered and that there are no omissions. The document identifies controls to mitigate risks following the process of identification, analysis and evaluation described in section 7 and is directly linked to the aspects of the organisation. This document is kept within a secure file titled ISO270001 within the document section of the company business operations database.

9 MEASUREMENT, ANALYSIS & IMPROVEMENT

9.1 Information Security Standards

In all PROPELLER STUDIOS LTD’s services there is a specific set of quality measurements developed to be used to audit each service, to enable a purchaser to be assured of the quality of delivery. Service Level Agreements (SLAs) are used to identify the areas of a contract that will be measured and monitored.

9.1.1 Implementation

We review our performance as part of a continuous review of Management Information. These reports help us to assess whether we are meeting our performance targets and provide us with month on month business performance benchmarking information. PROPELLER STUDIOS LTD conducts annual audits, and provides annual reports to our customers.
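As an added worked example (not the company’s own spreadsheet or method), the section 8 scale applied in Python to a constructed register: the ten asset groups and the 1–5 ratings for Vulnerability, Probability and Impact against the CIA attributes come from the page, while the product formula, the thresholds in recommend(), and the sample threats and costs are assumptions.

```python
"""Risk register scoring using the section 8 scale of the policy.

From the page: each threat is rated for Vulnerability, Probability and Impact
on a 1-5 scale (Very Low .. Very High) against the CIA attributes, costed for
treating versus ignoring, and given one of four treatments (1 Accept,
2 Apply controls, 3 Avoid, 4 Transfer).  Assumptions, not from the policy:
the three ratings are multiplied, and the thresholds used in recommend().
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


class Treatment(IntEnum):
    ACCEPT = 1
    APPLY_CONTROLS = 2
    AVOID = 3
    TRANSFER = 4


# asset groups as listed in section 8 of the policy
ASSET_GROUPS = (
    "Buildings, offices, secure rooms security",
    "Hardware - desktops, laptops, removable media",
    "Software applications",
    "Infrastructure / servers",
    "Client information and data",
    "Paper records",
    "People and reputation",
    "Key contacts",
    "Critical third party suppliers",
    "Utilities",
)
CIA = ("Confidentiality", "Integrity", "Availability")

ACCEPT_MAX = 8   # assumed: a score at or below this is accepted without action
AVOID_MIN = 100  # assumed: a score at or above this cannot be controlled down; avoid the activity


@dataclass(frozen=True)
class ThreatAssessment:
    asset_group: str
    threat: str
    attribute: str          # the CIA attribute the threat affects
    vulnerability: Rating
    probability: Rating
    impact: Rating
    cost_to_treat: float    # estimated cost of implementing action (constructed figures)
    cost_to_ignore: float   # estimated cost of ignoring the risk (constructed figures)

    def __post_init__(self) -> None:
        if self.asset_group not in ASSET_GROUPS:
            raise ValueError(f"unknown asset group: {self.asset_group}")
        if self.attribute not in CIA:
            raise ValueError(f"attribute must be one of {CIA}")

    @property
    def score(self) -> int:
        """Assumed combination: product of the three 1-5 ratings, so 1..125."""
        return int(self.vulnerability) * int(self.probability) * int(self.impact)


def recommend(a: ThreatAssessment) -> Treatment:
    """Map a scored assessment onto the four evaluation criteria (assumed rules)."""
    if a.score <= ACCEPT_MAX:
        return Treatment.ACCEPT
    if a.score >= AVOID_MIN:
        return Treatment.AVOID
    if a.cost_to_treat > a.cost_to_ignore:
        return Treatment.TRANSFER  # controls cost more than the exposure: transfer it
    return Treatment.APPLY_CONTROLS


def build_register(assessments: list[ThreatAssessment]) -> list[dict]:
    """Rows for the spreadsheet, highest score first."""
    rows = [
        {"asset_group": a.asset_group, "threat": a.threat, "attribute": a.attribute,
         "score": a.score, "treatment": recommend(a).name}
        for a in assessments
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# constructed sample entries for the worked example
SAMPLE = [
    ThreatAssessment("Client information and data", "Client database credentials disclosed",
                     "Confidentiality", Rating.HIGH, Rating.MEDIUM, Rating.VERY_HIGH, 5_000, 50_000),
    ThreatAssessment("Paper records", "Printed tender left in shared office area",
                     "Confidentiality", Rating.VERY_LOW, Rating.LOW, Rating.MEDIUM, 200, 2_000),
    ThreatAssessment("Utilities", "Mains power loss at Hitchin office",
                     "Availability", Rating.MEDIUM, Rating.MEDIUM, Rating.HIGH, 20_000, 8_000),
    ThreatAssessment("Infrastructure / servers", "SAN switch failure",
                     "Availability", Rating.LOW, Rating.MEDIUM, Rating.HIGH, 3_000, 15_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['score']:>3}  {row['treatment']:<15} {row['asset_group']}: {row['threat']}")
```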


9.2 Internal ISMS Audits

The internal audit process is as follows:

9.2.1 Internal Audit Process Flowchart

9.3 Monitoring & Measurement of Process

9.3.1 Implementation

Where the agreed requirements are not met, an action plan clearly detailing compliance will then be agreed with PROPELLER STUDIOS LTD’s Information Security Manager, with a timescale for compliance set at 6 months with the service commissioner or client.

9.4 Monitoring & Measurement of Service

Our approach determines what needs to be measured, inclusive of security processes and controls, the methods by which we ensure valid results, the periods and persons involved in conducting this activity, the reporting frequency and the responsibility for analysing and evaluating the results. We retain all documents and records involved in this process.

PROPELLER STUDIOS LTD establishes at the outset of a new service contract the reporting demands within the Service Level Agreement. This process will be supported with the data reports compiled and will enable the review to monitor performance, effectiveness of delivery, contract compliance and potential service developments. PROPELLER STUDIOS LTD provides full information for this purpose on a quarterly and annual basis.


9.5 Analysis of Data

Incident logs are used to record any Information Security incidents or breaches giving cause for concern, and these are regularly assessed during the Management Review process to identify areas for improvement.

9.5.1 Implementation

The data is collected by services and submitted to PROPELLER STUDIOS LTD's Research Department. Data is monitored by Senior Management.

9.6 Continual Improvement

The organisation will continually improve the effectiveness of the Information Security Management System through the use of the information security policy, information security objectives, audit results, analysis of data, corrective and preventive actions and management review.

9.6.1 Implementation

We review our performance as part of a continuous review of Management Information and service-user / customer feedback and comments. In particular we review our progress against our company information security objectives (business plan aims), with a view to seeing what we can improve and where. The chart below illustrates this process:

9.7 Corrective Action and Improvement

Both these areas are reviewed within the agenda for the Server Committee meetings and typically cover the action taken to control and correct any nonconformances, noting any consequences of the action taken and any themes which may be evident. In terms of continual improvement, we also review the suitability, adequacy and effectiveness of our ISMS.

9.8 Complaints Policy

PROPELLER STUDIOS LTD is committed to giving its clients the best possible service, involving them in the planning of the services they receive, and giving them opportunities to air any complaints that they may have on the service we provide. To this end we operate the following procedure: Complaints Policy P0032 (see Appendix 2).


9.9 Preventative Action

PROPELLER STUDIOS LTD has various processes and procedures in place to ensure that preventative action against nonconformities can be introduced, documented and seen through to completion to address the initial problem.

The complex nature of the clients we work with demands that we have flexible but effective processes and procedures in place.

In addition, PROPELLER STUDIOS LTD uses internal and external audits and risk assessments to continuously improve its service delivery, financial, HR and operational functions.

10 APPENDICES

10.1 Appendix 1 - Organisation Chart

Displayed on next page


Appendix 2 – List of Controlled Documents

Name | Reference | Version | Date | Renewal Date
Propeller Software Audit Form for Office based PC and Laptops | P0001 | V1 | 30/09/2015 | 30/09/2016
Virus Software Compliance Check Form | P0002 | V1 | 30/09/2015 | 30/09/2016
Company Appraisal Questionnaire | P0003 | V1 | 30/09/2015 | 30/09/2016
Supplier PQQ to Join Supply Chain Database | P0004 | V1 | 30/09/2015 | 30/09/2016
Supplier Performance Assessment Form | P0005 | V1 | 30/09/2015 | 30/09/2016
Contract of Employment | P0006 | V1 | 30/09/2015 | 30/09/2016
Supplier Terms and Conditions Contract | P0007 | V1 | 30/09/2015 | 30/09/2016
Data Protection Policy | P0008 | V1 | 30/09/2015 | 30/09/2016
Access Control Policy | P0009 | V1 | 30/09/2015 | 30/09/2016
Secure Disposal of IT Equipment Policy | P0010 | V1 | 30/09/2015 | 30/09/2016
Application and Hosting Policy | P0011 | V2 | 30/09/2015 | 30/09/2016
Clear Desk Policy | P0012 | V1 | 30/09/2015 | 30/09/2016
ISMP | P0013 | V1 | 30/09/2015 | 30/09/2016
EasyBOP Terms and Conditions and Service Level Agreement | P0014 | V1 | 30/09/2015 | 30/09/2016
EasyPQQ Terms and Conditions and Service Level Agreement | P0015 | V1 | 30/09/2015 | 30/09/2016
Tender Writing Terms and Conditions | P0016 | V1 | 30/09/2015 | 30/09/2016
Bribery Policy Statement | P0017 | V1 | 30/09/2015 | 30/09/2016
Corporate Social Responsibility Policy | P0018 | V1 | 30/09/2015 | 30/09/2016
Environmental Policy Statement | P0019 | V1 | 30/09/2015 | 30/09/2016
Equal Opportunities and Diversity Policy | P0020 | V1 | 30/09/2015 | 30/09/2016
Health and Safety Policy | P0021 | V1 | 30/09/2015 | 30/09/2016
Health and Safety Policy Statement | P0022 | V1 | 30/09/2015 | 30/09/2016
Quality Policy Statement | P0023 | V1 | 30/09/2015 | 30/09/2016
Recruitment Policy | P0024 | V1 | 30/09/2015 | 30/09/2016
Sustainability Policy | P0025 | V1 | 30/09/2015 | 30/09/2016
Software Installation Policy | P0026 | V1 | 30/09/2015 | 30/09/2016
Information Security Incident Management Policy | P0027 | V1 | 30/09/2015 | 30/09/2016
Propeller Confidentiality Agreement | P0028 | V1 | 30/09/2015 | 30/09/2016
Server Committee Monthly Compliance Audit Report | P0029 | V1 | 30/09/2015 | 30/09/2016
Non-conformance Notice | P0030 | V1 | 30/09/2015 | 30/09/2016
Outage Notification and Permit to Work | P0031 | V1 | 30/09/2015 | 30/09/2016
Complaints Policy | P0032 | V1 | 30/09/2015 | 30/09/2016
Complaint Form | P0033 | V1 | 30/09/2015 | 30/09/2016
Business Continuity Policy | P0034 | V1 | 30/09/2015 | 30/09/2016
Legal Register | P0035 | V1 | 30/09/2015 | 30/09/2016

This policy has been approved by:

Andrew Hammond, Managing Director

Propeller Reference Number: P0013
Version: V1
Document Owner: Andy Hammond
Date Last Reviewed: 30/09/2015
Date of Next Review: 30/09/2016