ISO27001:2013
ISMS POLICY DOCUMENT
Version 1
September 2014
Table of Contents
1 Introduction
2 Issue Status
3 Overview of PROPELLER STUDIOS LTD
3.1 Scope of Registration
4 Information Security Management System
4.1 Documented Information
4.1.1 Control of Documents
4.1.2 Control of Records
5 Management Commitment
5.1 Role of Senior Management
6 ISMS POLICY
6.1 Introduction
6.2 Scope of the Policy
6.3 Legal and Regulatory Obligations
6.4 Roles and Responsibilities
6.5 Strategic Approach and Principles
6.6 Business Continuity Management
6.7 Approach to Risk Management
6.8 Information Security Objectives
6.9 Responsibility, authority and communication
6.10 Management Review
6.11 Review Input
6.12 Review Output
7 Provision of Resources
7.1 Human Resources General
7.2 Infrastructure
8 Risk Assessment Methodology
8.1 Risk Treatment Plan
9 Measurement, Analysis & Improvement
9.1 Information Security Standards
9.2 Internal ISMS Audits
9.3 Monitoring & Measurement of Processes
9.4 Monitoring & Measurement of Service
9.5 Analysis of Data
9.6 Continual Improvement
9.7 Corrective Action and Improvement
9.8 Complaints Policy
9.9 Preventative Action
10 Appendices
10.1 Appendix 1 Organisation Chart
Appendix 2 List of Controlled Documents
Company Policy Documents
1 INTRODUCTION
This document is the ISMS Policy Document of PROPELLER STUDIOS LTD. It is the property of PROPELLER
STUDIOS LTD and is a controlled document.
The purpose of the ISMS Policy Document is to provide an overview of the company, the activities it carries
out and the quality standards of operation it conforms to. It is not designed to act as a procedure manual,
although it does indicate where procedure information is located and gives detailed information on the
Documentation Requirements for essential procedures, e.g. document control and control of records,
internal audit, and corrective/preventative action (please see the Procedures Log).
Throughout this ISMS Policy Document there are explanations of the requirements of the standard,
paraphrased and appended in smaller grey text. Each precedes a section explaining how the company
implements that particular aspect of the standard.
2 ISSUE STATUS
The issue status of this ISMS Policy Document is indicated by the version number in the footer of this
document.
When any part of this ISMS Policy Document is amended, a record is made in the Amendment Log shown
below.
The ISMS Policy Document can be fully revised and re-issued at the discretion of the Management Team.
Please note that this ISMS Policy Document is only valid on the day of printing.
We have a retained client base of over 300 organisations. They represent a wide demographic of the
service sector, although we do specialise in the construction industry.
As bid consultants, we understand the challenges associated with completing PQQs and tenders. We
provide a comprehensive range of tender writing and graphic design services that require us to store and
use client data.
We have developed and sell EasyPQQ which is an online computer application. EasyPQQ has a worldwide
user base, acting as a knowledge hub, search engine and bid management tool. It is used by a wide range
of organisations, from multinationals to local SMEs.
We have also developed a cloud-based computing solution, EasyBOP which is an integrated Business
Operations Platform that unifies all company processes with one enterprise-level solution.
As a consequence of our business activity it is essential that we operate a clearly defined and robust
approach to the security of our own and our clients' data.
PROPELLER STUDIOS LTD has a commitment to quality and a formal information security management
system (ISMS) that addresses the following areas:
Quality
Performance monitoring and review
Policy and Procedures
Managing external relationships
Financial Management
Strategic and business planning
Human resource development
Service innovation.
4.1.1 Documents
All documents are maintained and controlled by the Managing Director. Policy and procedure documents
are reviewed annually. Any documents requiring amendment are updated, authorised and completed. All
updates to documents are signed and dated by the Managing Director. Documents are re-issued as an
electronic PDF document and a limited number of hard copies are produced. Obsolete documents are
archived and restricted by the Managing Director; electronic copies of all past versions are kept. All
managers hold responsibility for cascading information to staff.
4.1.2 Records
All project records are stored in appropriate electronic folders and managed by respective departments.
Hard copies of documents are restricted to a minimum and should not be produced unnecessarily.
Electronic records are encouraged over hard copies due to environmental concerns, available storage space
and to prevent unnecessary expenditure.
5 MANAGEMENT COMMITMENT
The Managing Director will ensure that PROPELLER STUDIOS LTD staff are aware of the importance of
meeting customer, statutory and regulatory requirements and, overall, of contributing to the achievement
of PROPELLER STUDIOS LTD's Information Security Objectives, which are aligned with the current business
plan.
The Senior Management Team is responsible for implementing the ISMS and ensuring the system is
understood and complied with at all levels of the organisation. They are responsible for ensuring that:
The information security policy and objectives are established and in line with the strategic direction of
the organisation.
The ISMS is integrated into the organisation's processes.
The resources needed for the ISMS are available.
Communication covering the importance of effective information security management and conformance
to the ISMS requirements is in place.
The ISMS achieves its intended outcome(s).
Persons are directed and supported to contribute to the effectiveness of the ISMS.
Continual improvement is promoted.
Other management roles within their area of responsibility are supported.
An internal audit of procedures and policies is conducted annually in September. A review of the
Information Security Objectives takes place in July. In addition, achievement of the quality objectives is
measured against quarterly targets set in relation to the business plan. Staff contribution towards the
Information Security Objectives is measured in supervision and in documented annual appraisals in October.
6 ISMS POLICY
6.1 Introduction
This document is the Information Security Policy for PROPELLER STUDIOS LTD. It describes the company's
corporate approach to Information Security and details how we address our responsibilities in relation to
this vital area of our business. As a company we are committed to satisfying applicable requirements related
to information security and to the continual improvement of the ISMS.
Information Security is the responsibility of all members of staff, not just the senior management team,
and as such all staff should retain an awareness of this policy and its contents and demonstrate a practical
application of the key objectives where appropriate in their daily duties.
We also make the details of our policy known to all other interested parties, including external parties
where appropriate, and determine what needs to be communicated about the information security
management system and by what methods. These parties include, but are not limited to, customers and
clients, whose requirements are documented in contracts, purchase orders, specifications etc.
Compliance with the policy is verified by a continuous programme of internal audits.
Integration: we maintain a number of flow charts which illustrate key business activities and their
correspondence to ISMS requirements.
Client data is maintained within a separate database located at our data centre in London. Staff access to
the database is restricted to the senior management of the applications development team and to customer
services staff. Access for applications development staff is controlled by requiring connection from an
identified IP address together with a minimum 9-character alphanumeric code. These are maintained in a
register and new permissions can only be generated by the Managing Director or the Application
Programming Director. Access for Customer Services staff is limited through permissions granted by our
ultimate client and a 9-character alphanumeric code.
The following table provides a summary of the information classification levels that have been adopted by
Propeller Studios Limited. Detailed information on defining information classification levels and providing
appropriate levels of security and access is provided in the Data Security Policy.
Confidential
  Access: Normally accessible only to specified members of Propeller Studios Limited
  Examples: Sensitive personal data; salary information; bank details; source code files; client data stored on systems; passwords; client tender documents
Restricted
  Access: Normally accessible only to specified members of Propeller Studios Ltd staff or clients
  Examples: Personal data; Board reports; system designs; client data held on our systems
Protected
  Access: Normally accessible only to specified members of Propeller Studios Ltd staff or clients
  Examples: All information held on the EasyBOP company management system; internal correspondence; Analytics and AdWords accounts
Open
  Access: Accessible to all members of the public
  Examples: Annual accounts, newsletters, blog posts, product information releases, brochures, product updates, outage notices; information available on the Propeller Studios Limited websites
Registered users of our applications can only ever see the data stored in their own company account. The
core logic of both applications has been designed to run as a multi-user environment from its inception.
Data segregation is enforced through a unique client identifier that persists through the application
programming logic, the database table relationships and the file system structure.
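As an added illustration of the segregation described above (example code written for this page, not the EasyPQQ or EasyBOP code base), the following Python module shows one way a data access layer can enforce a client identifier on every query. The schema, table and column names and the sample rows are constructed for the example; the point is that the client identifier comes from the authenticated session rather than from the request, and is bound into every SQL statement, so a record id that belongs to another account is never visible or writable from the caller's account.

```python
"""Tenant data segregation by client identifier.

Added example, not the EasyPQQ/EasyBOP code. Every document row carries a
client_id and the repository binds the caller's client_id into every query,
so a record belonging to another client is neither readable nor writable.
The schema and sample rows below are constructed for the example.
"""
from __future__ import annotations

import sqlite3

SCHEMA = """
CREATE TABLE documents (
    id        INTEGER PRIMARY KEY,
    client_id TEXT NOT NULL,
    title     TEXT NOT NULL
);
CREATE INDEX documents_by_client ON documents (client_id, id);
"""

# Constructed sample data: two client accounts, each with its own tender documents.
SAMPLE_ROWS = [
    (1, "client-a", "Tender A1"),
    (2, "client-a", "Tender A2"),
    (3, "client-b", "Tender B1"),
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class ClientScopedRepository:
    """Data access for one client account.

    The client_id is fixed when the repository is created from the
    authenticated session; it is never taken from a request parameter,
    and every statement filters on it.
    """

    def __init__(self, conn: sqlite3.Connection, client_id: str) -> None:
        self._conn = conn
        self._client_id = client_id

    def list_titles(self) -> list[str]:
        """Titles of all documents in this client's account, in id order."""
        rows = self._conn.execute(
            "SELECT title FROM documents WHERE client_id = ? ORDER BY id",
            (self._client_id,),
        )
        return [row[0] for row in rows]

    def get_title(self, doc_id: int) -> str | None:
        """Title of one document, or None if that id is not in this client's account."""
        row = self._conn.execute(
            "SELECT title FROM documents WHERE id = ? AND client_id = ?",
            (doc_id, self._client_id),
        ).fetchone()
        return None if row is None else row[0]

    def rename(self, doc_id: int, title: str) -> int:
        """Rename a document; returns rows changed (0 if the id belongs to another client)."""
        cursor = self._conn.execute(
            "UPDATE documents SET title = ? WHERE id = ? AND client_id = ?",
            (title, doc_id, self._client_id),
        )
        self._conn.commit()
        return cursor.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    client_a = ClientScopedRepository(db, "client-a")
    print(client_a.list_titles())      # only client-a's documents
    print(client_a.get_title(3))       # None: id 3 belongs to client-b
    print(client_a.rename(3, "x"))     # 0 rows changed
```

Note that the id alone is never a sufficient key: both `get_title` and `rename` combine it with the client identifier, so a guessed or leaked id from another account simply matches no row. The same pattern applies to file-system paths and joined tables, which the policy says also carry the client identifier.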
Best practice with respect to client password administration is enforced through a minimum requirement
for password strength: a password must be a case-sensitive alphanumeric string of at least 9 characters.
Access to the company business operations database is restricted by password. Passwords MUST NOT be
written down, either on paper or electronically. Passwords will be changed on a six-monthly basis and the
last twenty passwords may not be reused.
Passwords should be no less than 9 characters in length and consist of numbers and both upper- and
lower-case letters.
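The following Python module, an added example rather than Propeller Studios' own code, implements the password rules stated above (minimum 9 characters, numbers plus upper- and lower-case letters, no reuse of the last twenty passwords, change every six months) as a checker that keeps the history as salted PBKDF2 hashes instead of plaintext. The 183-day expiry, the PBKDF2 iteration count and the sample passwords are assumptions made for the example.

```python
"""Password policy checker with a hashed password history.

Added example, not Propeller Studios code. Rules taken from the policy text:
  * at least 9 characters, containing numbers and both upper- and lower-case letters
  * none of the last 20 passwords may be reused
  * passwords are changed every six months (assumed here to be 183 days)
Old passwords are kept only as salted PBKDF2 hashes, so the reuse check does
not itself become a store of plaintext credentials.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 9
HISTORY_SIZE = 20
MAX_AGE = timedelta(days=183)   # assumption: "six monthly" read as 183 days
PBKDF2_ROUNDS = 10_000          # kept low for the example; production uses far more


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_errors(password: str) -> list[str]:
    """Return the policy rules the candidate password violates (empty list if none)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    return errors


class PasswordHistory:
    """Recent passwords of one account, stored as (salt, hash) pairs, newest last."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []
        self.last_changed: date | None = None

    def was_used(self, password: str) -> bool:
        """True if the password matches any entry still inside the history window."""
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self.entries)

    def set_password(self, password: str, today_iso: str) -> list[str]:
        """Apply the policy. On success record the password and return [];
        otherwise return the violated rules and change nothing."""
        errors = complexity_errors(password)
        if self.was_used(password):
            errors.append(f"matches one of the last {HISTORY_SIZE} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.entries.append((salt, _derive(password, salt)))
        del self.entries[:-HISTORY_SIZE]          # keep only the last 20 entries
        self.last_changed = date.fromisoformat(today_iso)
        return []

    def is_expired(self, today_iso: str) -> bool:
        """True when the six-monthly change is due (or no password was ever set)."""
        if self.last_changed is None:
            return True
        return date.fromisoformat(today_iso) - self.last_changed > MAX_AGE


if __name__ == "__main__":
    history = PasswordHistory()
    print(history.set_password("short1A", "2014-09-01"))        # ['shorter than 9 characters']
    print(history.set_password("Winter2014xyz", "2014-09-01"))  # []
    print(history.set_password("Winter2014xyz", "2014-09-02"))  # reuse rejected
    print(history.is_expired("2015-04-01"))                     # True
```

The reuse check derives the candidate against each stored salt, so the cost of a history lookup grows with the window size; that is acceptable for a change-password flow, which runs rarely, and is the price of not keeping old passwords in a comparable plaintext form.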
The primary array: this collection of computers, switches, firewalls and hard storage units makes up the
day-to-day system that delivers the company's hosting services.
The secondary array: this collection of computers is located in a separate datacentre in Wilbury Way,
Hitchin and acts as our third-level backup.
The Primary array has been designed so that no single piece of hardware can cause a system wide failure
of any service. Utilising the Microsoft Hyper-V 2008 R2 platform and Open-E VSS V6 SAN storage devices,
automatic failover of key hardware has been designed, and tested, so that the virtual servers will
automatically switch to the live server in the event of a hardware failure.
The hardware is connected using multiple switches configured in a crossover setup. This adds the ability
for any single network device to fail without interruption to service. The largest impact that will be felt will
be a slight data access performance degradation if a SAN switch is compromised.
All data at the Primary array is backed up locally, and then transferred to the Secondary array (Hitchin
Disaster Recovery site) during off peak times where historic copies of data are stored.
In the event of any failure our engineers are contacted by email and text message with the details of the
failure.
They will then respond to any support call within their SLA times:
8-6 Monday to Friday:
Critical Failure: 30 minute response
Other Failure: 1 hour response
24 Hours:
Critical Failure: 1 hour response
Other Failure: 2 hour response
In most cases the response times will be far below the above. Our aim is to respond to any type of failure
within 5 minutes.
Web traffic is routed through a ModSecurity Web Application Firewall, providing another level of
protection, as public web access does not have direct access to the application servers.
Access is permitted from specific IP addresses to specific ports and servers for management by
Propeller Studios and their strategic partners. Communication between servers takes place on an internal
private network not connected to the public internet. The Storage Area Network is also completely offline,
with no direct internet access.
We aim to reduce all opportunities for data to be compromised, including the possibility of theft of data.
Similarly, access to the premises is controlled by the Information Security Manager. Door entry is
restricted by passcode and by a security fob issued to staff. Entry codes are easily changed if required, for
example when staff leave.
As soon as a policy breach is detected, the relevant user account is either removed or reset, depending
upon the most appropriate action in the circumstances.
Objective 1: Existing services - PROPELLER STUDIOS LTD will continue to deliver its services within a
secure environment
Objective 2: Development - PROPELLER STUDIOS LTD will conduct annual risk assessments to ensure that
risk to information in the care of PROPELLER STUDIOS LTD is minimised or eliminated.
6.9.3 Implementation
Following the annual audit, results will be collated and disseminated through PROPELLER STUDIOS LTDs
internal communications framework:
6.10.1 General
Senior Management ensures:
That the ongoing activities of PROPELLER STUDIOS LTD are reviewed regularly and that any required
corrective action is adequately implemented and reviewed to establish an effective preventative process
Measurement of PROPELLER STUDIOS LTDs performance against our declared Information Security
Objectives
That internal audits are conducted regularly to review progress and assist in the improvement of
processes & procedures. The reviews will be discussed as part of PROPELLER STUDIOS LTDs SMT
meetings
That employees have the necessary training, support, specifications and equipment to effectively carry
out the work.
The management team hold planning and review meetings every month. Minutes of these are taken and
the agenda normally includes an update and discussion around the current work of all departments and
services.
Risk management and the status of risk assessments and treatment plan
Monitoring and measuring of results including internal audits
Fulfilment of information security objectives
Serious untoward incidents
Status of non-conformances and of preventive and corrective actions
Follow up actions from previous management reviews
Changes in external and internal issues that are relevant to the ISMS
Recommendations / opportunities for continual improvements.
Feedback from interested parties
6.11.1 Implementation
6.12.1 Implementation
7 PROVISION OF RESOURCES
PROPELLER STUDIOS LTD will provide all the resources needed to implement and maintain the Information
Security Management System and improve effectiveness of the system. PROPELLER STUDIOS LTD will also
ensure that the resources needed to enhance the satisfaction and requirements of service users, service
commissioners and staff are identified and in place through audit and continual review.
7.2 Infrastructure
PROPELLER STUDIOS LTD's buildings, workspace and associated utilities are managed by the Information
Security Manager. The procurement and management of hardware, software and supporting services such
as communication and information systems are also coordinated by the Information Security Manager.
We maintain a detailed asset register, including serial numbers, description and location or person to
whom assigned.
7.2.1 Implementation
Buildings, workspace and associated utilities requirements are regularly reviewed to ensure we make
efficient use of office space. Both hardware and software are reviewed on an ongoing basis to ensure that
head office staff are equipped with fit-for-purpose IT equipment and software.
IT systems are maintained and serviced by an external IT company in conjunction with the office manager.
Management Accounts
Management & Performance information
Training updates
Within each of these areas the risks (if any) are identified together with a rating as to the importance of
the risk. The associated consequence or severity of the risk is also rated together with the probable
likelihood of the risk occurring.
We use an Excel spreadsheet to collect and analyse the risks identified in the following assets / asset
groups:
All typical / likely threats have been assessed based on their potential effects on Confidentiality, Integrity
and Availability (the CIA attributes) using the rating scale
Very Low - 1, Low - 2, Medium - 3, High - 4 and Very High - 5, expressed across the key areas of
Vulnerability, Probability and Impact.
Following this analysis, evaluations are drawn as to what the most appropriate action is, together with the
estimated cost of implementing action to address the identified issue and an estimate of the cost of
ignoring the risk. The key evaluation criteria used are: 1 - Accept risk, 2 - Apply controls, 3 - Avoid risk,
4 - Transfer the risk.
The document identifies controls to mitigate risks following the process of identification, analysis and
evaluation described in section 7 and is directly linked to the aspects of the organisation.
This document is kept within a secure file titled ISO270001 within the document section of the company
business operations database.
Service Level Agreements (SLA) are used to identify the areas of a contract that will be measured and
monitored.
9.1.1 Implementation
We review our performance as part of a continuous review of Management Information. These reports help
us to assess whether we are meeting our performance targets and provide us with month on month
business performance benchmarking information. PROPELLER STUDIOS LTD conducts annual audits, and
provides annual reports to our customers.
9.3.1 Implementation
Where the agreed requirements are not met, an action plan clearly detailing compliance will then be
agreed with PROPELLER STUDIOS LTD's Information Security Manager, with a timescale for compliance set
at 6 months with the service commissioner or client.
9.5.1 Implementation
The data is collected by services and submitted to PROPELLER STUDIOS LTDs Research Department. Data
is monitored by Senior Management.
9.6.1 Implementation
We review our performance as part of a continuous review of Management Information, service-user /
customer feedback and comments. In particular we review our progress against our company information
security objectives (business plan aims), with a view to seeing what we can improve and where. The chart
below illustrates this process:
In terms of continual improvement, we also review the suitability, adequacy and effectiveness of our ISMS.
The complex nature of the clients we work with demands that we have flexible but effective processes and
procedures in place.
However, PROPELLER STUDIOS LTD also uses internal and external audits and risk assessments to
continuously improve its service delivery, financial, HR and operational functions.
10 APPENDICES
Propeller Software Audit Form for Office based PC and Laptops P0001 V1 30/09/2015 30/09/2016
Virus Software Compliance Check Form P0002 V1 30/09/2015 30/09/2016
Company Appraisal Questionnaire P0003 V1 30/09/2015 30/09/2016
Supplier PQQ to Join Supply Chain Database P0004 V1 30/09/2015 30/09/2016
Supplier Performance Assessment Form P0005 V1 30/09/2015 30/09/2016
Contract of Employment P0006 V1 30/09/2015 30/09/2016
Supplier Terms and Conditions Contract P0007 V1 30/09/2015 30/09/2016
Data Protection Policy P0008 V1 30/09/2015 30/09/2016
Access Control Policy P0009 V1 30/09/2015 30/09/2016
Secure Disposal of IT Equipment Policy P0010 V1 30/09/2015 30/09/2016
Application and Hosting Policy P0011 V2 30/09/2015 30/09/2016
Clear Desk Policy P0012 V1 30/09/2015 30/09/2016
ISMP P0013 V1 30/09/2015 30/09/2016
EasyBOP Terms and Conditions and Service Level Agreement P0014 V1 30/09/2015 30/09/2016
EasyPQQ Terms and Conditions and Service Level Agreement P0015 V1 30/09/2015 30/09/2016
Tender Writing Terms and Conditions P0016 V1 30/09/2015 30/09/2016
Bribery Policy Statement P0017 V1 30/09/2015 30/09/2016
Corporate Social Responsibility Policy P0018 V1 30/09/2015 30/09/2016
Environmental Policy Statement P0019 V1 30/09/2015 30/09/2016
Equal Opportunities and Diversity Policy P0020 V1 30/09/2015 30/09/2016
Health and Safety Policy P0021 V1 30/09/2015 30/09/2016
Health and Safety Policy Statement P0022 V1 30/09/2015 30/09/2016
Quality Policy Statement P0023 V1 30/09/2015 30/09/2016
Recruitment Policy P0024 V1 30/09/2015 30/09/2016
Sustainability Policy P0025 V1 30/09/2015 30/09/2016
Software Installation Policy P0026 V1 30/09/2015 30/09/2016
Information Security Incident Management Policy P0027 V1 30/09/2015 30/09/2016
Propeller Confidentiality Agreement P0028 V1 30/09/2015 30/09/2016
Server Committee Monthly Compliance Audit Report P0029 V1 30/09/2015 30/09/2016
Non-conformance Notice P0030 V1 30/09/2015 30/09/2016
Outage Notification and Permit to Work P0031 V1 30/09/2015 30/09/2016
Complaints Policy P0032 V1 30/09/2015 30/09/2016
Complaint Form P0033 V1 30/09/2015 30/09/2016
Business Continuity Policy P0034 V1 30/09/2015 30/09/2016
Legal Register P0035 V1 30/09/2015 30/09/2016
Andrew Hammond
Managing Director