Information security policy statement

Overview

Information is an asset of significant value to the organisation. It must be protected and processed securely. To do this, we will:

  • ensure the confidentiality, integrity and availability of information belonging to us and entrusted to us by:
    • members of the public
    • our strategic partners
    • other third-party organisations
  • adopt an Information Security Management System (ISMS). Our ISMS selects and applies security controls aligned to ISO/IEC 27001:2022
  • continually improve the ISMS.  We will measure the effectiveness of controls and adapt to new and emerging risks
  • operate in line with relevant legal obligations such as:
    • Data Protection Act 2018
    • UK General Data Protection Regulation
  • establish information security objectives to improve information security performance
  • ensure effective policies and procedures are in place to support secure working practices
  • educate and train staff to handle and process information securely
  • ensure specialist staff are available to provide support and guidance
  • investigate and record all actual and suspected security incidents

Scope

This policy applies to:

  • all information, regardless of format, that we process
  • all ICT infrastructure and services that we operate or manage

This policy is supported and approved by:

  • Chief Executive
  • Senior Information Risk Owner
  • Corporate Leadership Team

Impact of failing to safeguard information

Failing to safeguard information can have varying degrees of impact, depending on the type of failure and the information involved. Impacts include:

  • undermining of public confidence in public services
  • negative impact on public finances
  • embarrassment or distress caused to service users
  • reduced effectiveness in the performance of business activities
  • failure in the provision of council services
  • reputational damage

Supporting policies and compliance

Several policies, procedures and standards support this policy statement.

We make the policies available to all staff electronically.

The policies support a layered approach to protecting information and information assets.

Compliance

Our employees have a contractual responsibility to be aware of and conform to our:

  • values
  • rules
  • policies
  • procedures

Breaches of policy may result in action under our disciplinary procedure, in accordance with our code of conduct and disciplinary policy.

We may revoke access to our information and ICT from non-council employees who fail to comply with our policies. Such action may affect contracts with third-party organisations.