ISMS Home · Information Security Management System


Welcome to the ISMS space

This is the organisation's Information Security Management System — the single place where everything related to protecting our information, our systems, and our people is documented, evidenced, and maintained.

You are here because information security is part of your job. Not the specialist part that belongs to the IT team or the CISO — the human part that belongs to everyone. The decisions you make every day about how you handle information, how you use your devices, how you respond to a suspicious email, and how you treat a sensitive document are all part of how this organisation keeps its obligations to its customers, its people, and its regulators.

This space is not a rulebook you are expected to memorise. It is a reference — something you return to when you have a question, when something goes wrong, or when you want to understand the reasoning behind a policy or procedure. Most of what you need day to day is in two sections: the Policies section and the User Guidance Hub. Start there.

If you are new to the organisation, start with the [New Starter Security Checklist] in the User Guidance Hub. If you are returning after a long absence, start with the [What Has Changed] page. If you are here because something has gone wrong, go straight to [Reporting a Security Incident].


Why this matters here specifically

Most organisations have some version of an information security programme. Ours is more extensive than most, and it is worth understanding why — not because you need to know the regulatory details, but because the context makes the obligations feel less arbitrary.

We hold contracts with the UK Ministry of Defence and with US government customers. Those contracts require us to handle information that is sensitive in a national security context — specifications, designs, communications, and data that, in the wrong hands, could cause genuine harm. The US government classifies this as Controlled Unclassified Information (CUI). The UK government classifies it at OFFICIAL and OFFICIAL-SENSITIVE. Both regimes impose specific legal requirements on how that information is stored, transmitted, accessed, and protected.

We are also certified to ISO 27001, which is the internationally recognised standard for information security management. We hold Cyber Essentials certification, which is a UK government-backed baseline. And we are working toward CMMC Level 2 certification, which is a US Department of Defense requirement for defence contractors.

None of this is theoretical. A serious security incident affecting CUI could result in loss of contracts, regulatory investigation, financial penalties, and in the most serious cases legal consequences for individuals. Our customers trust us with their information because we have demonstrated we protect it. Keeping that trust is a business imperative, not a compliance exercise.


How to use this space

The ISMS space is organised into eight sections. Not all sections are relevant to everyone — your Scroll Content Manager audience group determines what you can see. If you see less than a colleague does, that is expected and intentional.

Here is what each section contains and who it is primarily for.


00 · Home

You are here. The welcome page, how to navigate the space, key contacts, and the quick-reference role table below. Relevant to everyone.


01 · Policies

The twelve information security policies that apply to everyone in the organisation. Written in plain language with clear statements of your obligations. You are required to read these annually as part of security awareness training.

Go here when: you want to understand what you are and are not permitted to do with information, devices, or systems. When you are unsure whether a specific action is allowed. When you want to understand why a rule exists.


02 · Fundamental Controls

The five baseline technical security controls that every device and account in the organisation operates under: firewalls, secure configuration, user access control, malware protection, and patch management.

Go here when: something related to your device, your access, or your software is not working as expected. When you want to understand what a security control does and why. When you have received a notification or prompt you do not understand.


03 · Advanced Controls

The detailed technical and procedural implementation of all 110 NIST SP 800-171 security controls, organised by family. This section is restricted to IT Operations and security staff — it is not visible to all-staff.

Go here when: you are in the IT Operations or security team and need the implementation specification, the assessor checklist, or the evidence requirements for a specific control. If you do not have access to this section, you are not missing anything relevant to your role.


04 · User Guidance Hub

Practical how-to content for everyday security tasks. How to report a phishing email. How to work securely from home. How to handle a sensitive document. How to use the VPN. Written for users, not engineers.

Go here when: you need to do something and want to know the correct way to do it. When something has gone wrong and you need to know what to do next. When you are working in an unfamiliar situation — travelling, working from a different location, onboarding as a new starter.


05 · Risk Register

The organisation's live information security risk register. Restricted to management and security staff.

Go here when: you are in a management or CISO role and need to review the current risk picture, understand treatment decisions, or update a risk record following an assessment or incident.


06 · Audit and Evidence

The evidence records that demonstrate our compliance — the log reviews, the access audits, the configuration audit records, the training completion records. Restricted to IT Operations and security staff.

Go here when: you are preparing for an assessment, need to produce an evidence item, or need to verify that a specific control has been evidenced for the current period.


07 · Reference Library

Supporting documents, standards references, templates, and links to external frameworks (NIST SP 800-171, ISO 27001, CUI Registry, NCSC guidance). Useful background reading for anyone who wants to understand the frameworks behind the policies.

Go here when: you want to understand the source material behind a specific policy or control. When you need a template for a document, a risk record, or a policy exception request.


Quick-reference role table

Information security responsibilities are distributed across the organisation. This table shows who owns what at the programme level. It is not an exhaustive list of every person involved in every control — it is the accountability map for the most common questions about who to go to.

Responsibility | Role | Who holds it
Overall ISMS ownership and accountability | Chief Information Security Officer (CISO) | [NAME]
Day-to-day IT security operations | IT Manager | [NAME]
SIEM monitoring and alert review | Security Analyst | [NAME]
Device and system administration | IT Operations | [NAME / TEAM]
HR security — screening, leavers, NDA | HR Manager | [NAME]
Physical security and facilities | Facilities Manager | [NAME]
Data protection and privacy | Data Protection Officer | [NAME]
Supplier security and contract terms | CISO + Procurement | [NAME]
Incident response — Incident Commander | CISO | [NAME]
Incident response — Technical Lead | IT Manager | [NAME]
Management review and board reporting | CISO + CEO/MD | [NAMES]
Training programme delivery | HR Manager + CISO | [NAMES]
Risk register ownership | CISO | [NAME]
Vulnerability scanning programme | Security Analyst | [NAME]
Change Advisory Board chair | IT Manager | [NAME]
Backup and recovery operations | IT Operations | [NAME / TEAM]
CUI access group management | IT Manager | [NAME]
DEFSTAN contracting authority liaison | CISO | [NAME]
DFARS reporting — primary | CISO | [NAME]
DFARS reporting — backup | IT Manager | [NAME]
ICO data breach notification | DPO + CISO | [NAMES]

What this table means for you: if you have a security concern, question, or incident and you are not sure who to contact, the CISO is always the right escalation point. For day-to-day technical issues, IT Operations is your first contact. For anything that might be an incident — something that has gone wrong or might have gone wrong — do not work out who the right person is before reporting. Report to the security team and they will coordinate from there.


Key contacts

These are the contacts you need in the most common scenarios. Save them before you need them. Do not wait until something is wrong to look them up.


I need to report a security incident or something suspicious

Security team (24-hour contact): [security@organisation.com] · [phone number]

Use this for: phishing emails, account compromise, suspicious activity, lost devices, anything that feels wrong. Speed matters. Report immediately and let the security team decide how serious it is.


My device has a problem or I cannot access something I need

IT Operations helpdesk: [helpdesk@organisation.com] · [phone number] · [helpdesk portal URL]

Use this for: device issues, software problems, access problems, update failures, password resets, anything technical that is not a security incident.


I have a question about a policy or my obligations

CISO: [ciso@organisation.com] · [phone number]

Use this for: policy questions, questions about whether a specific action is permitted, questions about CUI handling, questions about your security clearance.


I want to report a data protection concern or a subject access request has arrived

Data Protection Officer: [dpo@organisation.com] · [phone number]

Use this for: data protection questions, subject access requests from individuals, data breach reports, questions about what personal data the organisation holds and why.


I have a concern I want to report confidentially

Confidential reporting: [confidential reporting channel — email or third-party platform]

Use this for: concerns about colleague behaviour, concerns about a process that seems wrong, anything you want to raise without your name being attached. Anonymous reporting is available through this channel.


I am a new starter and do not know where to begin

New Starter Security Checklist: [link to 04 · User Guidance Hub → New Starters]

Your line manager is your first point of contact for any onboarding question that is not covered in the checklist.


Your first ten minutes in this space

If you have arrived here as part of your security awareness training, here is the recommended reading order. This is not everything — it is the minimum you need to understand your obligations and know who to contact if something goes wrong.

Step 1 — Read this page in full. You have nearly done this. The navigation guide and role table above are reference material you will return to.

Step 2 — Read the Information Security Policy (01 · Policies → Policy 01). This is the master policy that all other policies sit beneath. It explains why we have an ISMS and what it is trying to protect.

Step 3 — Read the Acceptable Use Policy (01 · Policies → Policy 02). This is the policy that most directly governs how you use your devices and systems every day. The rules about personal use of company devices, email, and cloud services are here.

Step 4 — Read the Incident Management Policy (01 · Policies → Policy 06). Know how to report an incident before you need to report one. The reporting process and the no-blame culture are explained here.

Step 5 — Bookmark the key contacts section above. Specifically: the security team 24-hour contact and the IT Operations helpdesk. These are the two contacts you are most likely to need urgently.

Step 6 — Complete the annual security awareness training module linked from your training platform. This is a mandatory requirement — not optional, and not something that can be deferred indefinitely without consequence.

If you have completed all six steps, you understand your core obligations and know what to do when something goes wrong. That is the goal of this space for all-staff users.


Frequently asked questions

Who can see everything in this space?

The security team (isms-security audience group) can see all content in all sections. IT Operations staff (isms-it-staff) can see technical procedures in Sections 02 and 03. Management (isms-management) can see governance content in Sections 00, 01, 05, and 07. All other staff can see Sections 00, 01, 02, and 04. These access levels are set by the IT team and cannot be changed by individuals.

I found something in a policy I disagree with or think is wrong.

Raise it with your line manager and copy the CISO. Policies are reviewed annually and are updated when there is a good reason to change them. If you have identified a genuine error or an instruction that creates an unreasonable situation, we want to know. The policies are not unchangeable — they are updated when the organisation's risk picture, its contracts, or its operational reality changes.

I did something that might be a policy breach. What do I do?

Tell the security team or your line manager now. The no-blame culture means that honest mistakes that are reported promptly are handled through learning and correction, not disciplinary action. The time it takes to decide whether to report is time the security team could be containing any damage. Report immediately.

My manager told me to do something that I think conflicts with a policy.

Raise the conflict with the CISO directly. In the unlikely event of a genuine conflict between a manager's instruction and a security policy, the policy takes precedence for information security matters. The CISO can clarify this with your manager if needed. Do not assume the manager is wrong — it may be a misunderstanding — but do not proceed with the action until the conflict is resolved.

I want to learn more about information security beyond what is in this space.

The NCSC (National Cyber Security Centre) publishes free, high-quality guidance for individuals and organisations at ncsc.gov.uk. The NCSC's guidance for individuals at home and at work is genuinely useful and is written at a level accessible to non-technical readers. The CISO is also happy to discuss the frameworks and standards that underpin this ISMS for anyone who wants to understand the broader context.


A note on keeping this space current

The ISMS space is reviewed and updated on the following schedule:

  • Annual: all policies reviewed and re-confirmed or updated; training content refreshed; key contacts verified.
  • Quarterly: the evidence register and audit records are reviewed; the risk register is reviewed.
  • Within 30 days: any significant change to our systems, our contracts, our CUI scope, or our threat picture triggers a review of the relevant sections.
  • Immediately: when an incident reveals a gap in a policy or procedure, that gap is addressed without waiting for the annual review cycle.

If you find content that is out of date — a contact who has left, a process that no longer matches reality, a link that is broken — report it to the CISO. Keeping this space accurate is a shared responsibility.


ISMS version and review information

Field | Value
Space name | [Organisation Name] ISMS
Space version | v[X.X]
Last full review | [DATE]
Next scheduled review | [DATE]
Space owner | CISO — [NAME]
Approved by | [CEO/MD NAME]
ISO 27001 certification | [Certification body, certificate number, expiry date]
Cyber Essentials certification | [Certificate reference, valid to date]
CMMC status | [Level 2 — in preparation / certified, expiry date]
DEFSTAN compliance | [Profile level — current as of date]

Questions about this space or its content: [ciso@organisation.com]