Information Security & Risk Management Policy

1. Purpose

Innoteq Engage Limited (“we”, “us”, “our” or the “Company”) is committed to safeguarding its information assets and ensuring compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy integrates our Information Security Management System (ISMS) and Personal Information Management System (PIMS) to protect the confidentiality, integrity, and availability of all information, including personal and sensitive data, processed by the organisation.

 

2. Scope

This policy applies to all employees, contractors, consultants, and third parties who access or handle Innoteq Engage Limited’s information systems, data, or infrastructure. It includes all digital and physical information assets, focusing specifically on personal data processed under PIMS. This high-level Information Security & Risk Management Policy sits alongside the “Data Protection Policy” and provides a high-level outline of, and justification for, the Company’s risk-based information security controls.

 

3. Objectives

• Information Security: Ensure the protection of information assets from unauthorised access, disclosure, alteration, or destruction.
• Privacy Management: Safeguard personal and sensitive data in compliance with data protection laws.
• Risk Management: Identify, assess, and mitigate risks to minimise operational, financial, and reputational harm.
• Compliance: Maintain adherence to legal, regulatory, and contractual obligations.

 

4. Key Principles

4.1 Confidentiality: Restrict access to information based on roles and business needs.

4.2 Integrity: Ensure all data is accurate, complete, and protected from unauthorised modifications.

4.3 Availability: Ensure information and systems are accessible to authorised users when required.

4.4 Accountability: Establish clear roles and responsibilities for information security and data privacy.

5. Roles and Responsibilities

• Senior Management: Provide leadership, resources, and strategic oversight for ISMS and PIMS implementation.
• Information Security Officer (ISO): Manage the ISMS, oversee risk assessments, and lead incident responses.
• Legal Compliance Department: Ensure compliance with PIMS and act as the main point of contact for data protection matters.
• Employees: Adhere to security protocols and report risks or incidents promptly.
• Third Parties: Comply with Innoteq Engage Limited’s security and privacy standards when handling information.

 

6. Risk Management

6.1 Risk Assessments: Conduct regular assessments to identify, evaluate, and prioritise risks.

6.2 Mitigation Strategies: Implement controls to address identified risks, such as encryption, firewalls, and multi-factor authentication.

6.3 Monitoring: Continuously monitor systems and processes to detect and address vulnerabilities.

6.4 Incident Response: Establish and maintain procedures to respond to security incidents promptly.

 

7. Personal Information Management System (PIMS)

7.1 Data Classification: Identify and classify personal data processed by the organisation based on sensitivity and risk.

7.2 Data Minimisation: Collect only the personal data necessary for specific, lawful purposes.

7.3 Lawful Processing: Ensure all personal data processing has a valid legal basis under UK GDPR.

7.4 Individual Rights: Respect data subjects’ rights, including access, rectification, erasure, and objection.

7.5 Third-Party Processing: Conduct due diligence on processors handling personal data and establish contracts that align with PIMS requirements.

7.6 Retention and Disposal: Retain personal data only as long as necessary and securely dispose of it when no longer required.

 

8. Information Security Controls

• Access Control: Grant access based on the principle of least privilege.
• Encryption: Use encryption to protect sensitive data in transit and at rest.
• System Monitoring: Monitor systems to detect unauthorised activities or breaches.
• Physical Security: Secure physical premises to prevent unauthorised access to information assets.
• Training: Provide regular training on security and privacy best practices, including phishing awareness and data protection.

 

9. Breach Management

9.1 Reporting: All employees must report suspected data breaches to the ISO or DPO immediately.

9.2 Investigation: The ISO or the Legal Compliance Department will investigate and assess the severity and impact of the breach.

9.3 Notification: If necessary, notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach and inform affected data subjects promptly.

9.4 Mitigation: Take corrective actions to prevent recurrence and minimise impact.

 

10. Compliance and Legal Obligations

Innoteq Engage Limited complies with:

• UK GDPR and the Data Protection Act 2018.
• The Computer Misuse Act 1990.
• The Privacy and Electronic Communications Regulations (PECR).
• Relevant contractual and regulatory obligations.

 

11. Monitoring and Review

This policy is reviewed annually, or more frequently if required by changes in law, regulation, or business operations. Regular audits are conducted to ensure compliance with ISMS and PIMS standards.

 

12. Consequences of Non-Compliance

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment, and could have legal implications for individuals and the organisation.

 

Contact Information

If you have any inquiries, requests or concerns about this policy, please contact the Legal Compliance Department at: legal@innoteqengage.co.uk.

Last Update: 03/2025