Information security policy statement


Information is an important asset of significant value to the organisation.  It needs to be protected and processed securely.  To do this, we will:

  • ensure the confidentiality, integrity and availability of information belonging to us and entrusted to us by:
    • members of the public
    • our strategic partners
    • other third-party organisations
  • adopt an Information Security Management System (ISMS).  Our ISMS considers diverse security controls aligned to ISO/IEC 27001:2022
  • continually improve the ISMS.  We will measure the effectiveness of controls and adapt to new and emerging risks
  • operate in line with relevant legal obligations such as:
    • Data Protection Act 2018
    • UK General Data Protection Regulation
  • establish information security objectives to improve information security performance
  • ensure effective policies and procedures are in place to support secure working practices
  • educate and train staff to handle and process information securely
  • ensure specialist staff are available to provide support and guidance
  • investigate and record all actual and suspected security incidents


This policy applies to:

  • all information, regardless of format, that we process
  • all ICT infrastructure and services that we operate or manage

This policy is supported and approved by:

  • Chief Executive
  • Senior Information Risk Owner
  • Corporate Leadership Team