This is the complete all-staff content for each of the 12 policies in the 01 · Policies section. Written at isms-all-staff visibility level — plain English, no implementation detail, focused on behaviour and obligations.


01 · Policies

This section contains the organisation's twelve information security policies. These policies apply to everyone — permanent employees, contractors, consultants, and any other person working on our behalf. They are not optional and they are not just for the IT team.

You do not need to memorise every word. What you do need is to understand what each policy is trying to protect, what it means for how you work day-to-day, and what you are specifically required to do. If you are ever unsure whether something you are about to do is permitted, the answer is on this page or one click away from it.

Reading these policies is part of your annual security awareness training. Completing that training is an employment obligation.


Policy 01 — Information Security Policy

Plain-language summary

This is the master policy — the one that all other policies sit beneath. It sets out why information security matters to this organisation, what we are trying to protect, and who is responsible for protecting it.

We handle information that belongs to our customers, our suppliers, our employees, and in many cases to government bodies and defence organisations. Some of that information is genuinely sensitive — it relates to contracts, technical specifications, personal data, and in some cases national security. If that information is disclosed to the wrong people, modified without authorisation, or becomes unavailable when it is needed, real harm follows: financial loss, damaged relationships, regulatory penalties, and in the most serious cases harm to people or to national security interests.

Our obligation is to protect the confidentiality, integrity, and availability of all the information we hold and handle. Confidentiality means information is seen only by people authorised to see it. Integrity means information is accurate and has not been tampered with. Availability means information is accessible to authorised people when they need it. These three properties — often called the CIA triad — are what every other policy in this section is designed to protect.

The organisation's leadership has formally committed to maintaining an Information Security Management System (ISMS) that is reviewed at least annually, that is appropriate to the risks we face, and that improves continuously. This is not a box-ticking exercise — we hold contracts with the UK Ministry of Defence and with US government customers that legally require us to maintain specific security standards. Failing to meet those standards puts those contracts at risk.

What it means for me

Information security is everyone's responsibility, not just the IT team's. You are the last line of defence for the information you work with every day. Most security incidents involve human behaviour — a phishing email that was clicked, a sensitive document emailed to the wrong person, a laptop left unlocked in a public space. None of those require technical expertise to prevent. They require awareness, attention, and the willingness to follow simple procedures.

You work here, which means you have access to information that has value. That access is a privilege that comes with responsibility. The organisation trusts you to use that access appropriately. If you are ever unsure whether something you are doing with information is permitted, ask your line manager or the CISO before doing it — not after.

My obligations

  • Read and understand the twelve policies in this section annually as part of security awareness training.
  • Sign the acceptable use agreement confirming you have read and understood your obligations. Renewal is required annually.
  • Immediately report any information security concern, incident, or near-miss to the security team using the reporting channel described in the User Guidance Hub. Do not wait to see if the problem resolves itself.
  • Complete the annual security awareness training by the deadline set each year. Failure to complete training on time is treated as a policy breach.
  • If your role gives you access to particularly sensitive information (customer CUI, personal data, classified material), your specific obligations are detailed in the Information Classification and Handling Policy below.

Policy 02 — Acceptable Use Policy

Plain-language summary

This policy covers how you are permitted to use the organisation's IT systems, networks, devices, and data. It exists because the organisation provides you with access to technology to do your job — and that access is for that purpose. It is not unlimited, and it is not private.

The organisation's systems — your laptop, your email account, the company Wi-Fi, the file servers, the cloud services — are provided for work purposes. Limited personal use is permitted where it does not interfere with your work, does not compromise security, and does not consume unreasonable resources. But you should understand that activity on company systems can be monitored. When you connect to the company network or use a company device, a login banner or similar notice informs you that your activity may be logged and reviewed for security purposes. Giving you that notice before monitoring takes place is a legal requirement, and we comply with it.

The rules are not designed to restrict you from doing your job. They are designed to prevent the most common causes of security incidents: malware delivered via personal browsing, sensitive data leaving the organisation through personal email, and resources being consumed in ways that create risk.

What it means for me

Your company laptop is a work tool. You can use it for limited personal tasks — checking personal email occasionally, browsing during breaks — but it is not a family computer. You should not let family members use it. You should not install personal software on it. You should not use it to store personal files in ways that mix them with company data.

Your company email account is for professional communication. Do not use it to subscribe to personal services, mailing lists, or social platforms. Do not forward work emails to a personal email address. Work email on a personal device is only permitted if the device is enrolled in the company MDM and meets the security requirements.

The company network is for work traffic. You should have no expectation of privacy on the company network — security monitoring is active. The SIEM logs network activity for security analysis. This is not surveillance of your personal life; it is detection of security threats.

My obligations

  • Use company devices and systems primarily for work purposes. Limited, occasional personal use is permitted where it does not compromise security or productivity.
  • Never install software on a company device without IT Operations approval. If you need a tool that is not already available, request it through the approved software request process.
  • Never send work documents or data to personal email accounts or personal cloud storage (personal Gmail, personal Dropbox, personal OneDrive). If you need to work from home, use the company VPN and approved remote access tools.
  • Never allow another person — including family members — to use your company device or log into your account.
  • Never use company systems to access, store, or transmit content that is illegal, offensive, discriminatory, or in breach of copyright. This includes streaming content you do not have a licence for, downloading pirated software, and accessing inappropriate websites.
  • Lock your screen whenever you leave your workstation, even briefly. On Windows: Windows key + L. On Mac: Control + Command + Q. This is not optional.
  • Report any suspicious activity on your account (unexpected login notifications, emails you did not send, password change confirmations you did not request) to IT Operations immediately.
  • Acknowledge you have read and understood this policy annually by completing the training confirmation.

Policy 03 — Access Control Policy

Plain-language summary

This policy governs who is allowed access to what — which systems, which files, which buildings, which data. Access is not granted by default. Access is granted based on what you need to do your job, nothing more.

The principle underpinning this policy is called least privilege: every person, every system, and every process should have access to only the minimum information and resources needed to perform their function. A person in the finance team does not need access to defence contract files. A person in the engineering team does not need access to payroll data. Even within a department, not everyone needs access to everything the department uses.

This matters because the most common way sensitive information is exposed is not via sophisticated external attacks — it is via internal accounts with more access than they need. An account that has been compromised has the access its owner had. An account with minimum necessary access can cause less harm when compromised than an account with broad access.

Access is tied to your role. When you join the organisation, you are given the access appropriate for your role. When your role changes, your access changes. When you leave, your access is removed — on your last day, or immediately in some circumstances.

What it means for me

You have access to specific systems and data because your role requires it. If you find yourself unable to access something you believe you need, request access through the appropriate channel — do not ask a colleague to log in for you or share their credentials. Sharing credentials is one of the most serious policy violations in this document.

If you can access something you did not expect to be able to access — a folder that seems out of scope for your role, a system you have not been granted access to — report it to IT Operations rather than exploring it. Accessing information you are not authorised to access, even accidentally, even without malicious intent, is a security incident.

When you change roles, do not assume your old access goes away automatically. Check with IT Operations and confirm your access profile has been updated. Excess access is a risk — access to systems you no longer use should be removed promptly.

My obligations

  • Never share your credentials — your username, password, or MFA authenticator — with anyone, including colleagues, your manager, and IT support staff. Legitimate IT support will never ask for your password.
  • Never log into systems using another person's account, regardless of how convenient it seems.
  • Lock your workstation and close sensitive documents whenever you leave your desk, even briefly.
  • If you are changing roles, notify IT Operations as part of the transition so your access can be updated promptly.
  • If you notice access you should not have, report it to IT Operations rather than using it.
  • If you believe you need access to additional systems or data to do your job effectively, request it through the proper channel with your manager's approval — do not attempt to work around access restrictions.
  • Immediately report any situation where you believe your account may have been compromised (unexpected login notifications, MFA requests you did not initiate, systems behaving unusually under your account).

Policy 04 — Information Classification and Handling Policy

Plain-language summary

Not all information is equally sensitive. This policy defines the categories of information we work with, what each category means, and how information in each category must be handled.

The organisation uses four information classification tiers:

Public is information we are content for anyone to see — marketing materials, published case studies, our website content. No special handling is required.

Internal is information for employees only — internal memos, general business processes, non-sensitive project information. It should not be shared outside the organisation without a reason but it is not highly sensitive.

Restricted is sensitive information that must be controlled — customer data, financial information, HR records, most technical documentation. Access is limited to people with a business need. It must be encrypted in transit and at rest, and must not be shared externally without approval.

Controlled Unclassified Information (CUI) is a specific US government designation that applies to information we handle under defence contracts. CUI has specific legal handling requirements defined by US federal regulation. If your role involves CUI, you will receive specific training on its requirements. In practical terms, CUI is the most strictly controlled information category in the organisation.

For UK defence work, we also handle material that may be marked OFFICIAL or OFFICIAL-SENSITIVE under the UK Government Security Classification scheme. These designations carry legal obligations parallel to CUI for our US contracts.

What it means for me

When you create, receive, or work with information, you need to know what category it belongs to. For most people in most roles, this is straightforward — your day-to-day work sits in Internal or Restricted. The critical behaviours are: not sharing Restricted information inappropriately (particularly not forwarding to personal email), storing it in approved locations, and not leaving it where unauthorised people could see it.

If you work on defence contracts, you will encounter CUI or OFFICIAL-marked materials. These cannot be taken home, printed on shared printers, stored on personal devices, or discussed in public spaces. If you are unsure whether something is CUI, treat it as CUI and check.

The clear desk rule is part of this policy: when you leave your workstation — for a meeting, for lunch, for the day — sensitive documents must not be visible on your desk. Lock them in a drawer. This applies to printed documents, handwritten notes, and physical media. An unlocked workstation with a sensitive document visible is a policy breach.

My obligations

  • Identify the classification of information before sharing it, storing it, or printing it. If you are unsure, ask your manager or the information owner.
  • Store Restricted and CUI information only in approved, secure locations — the designated company file server, the approved cloud storage platform, or encrypted storage. Not on a personal device, not in a personal cloud account, not in an unencrypted folder on a local drive.
  • Never print CUI or OFFICIAL-SENSITIVE material on printers accessible to people who are not authorised to see it.
  • Apply the correct marking to documents you create that contain sensitive information. Document templates include automatic header and footer markings for CUI — do not remove them.
  • Implement the clear desk policy: lock away sensitive documents whenever your workstation is unattended.
  • Shred sensitive paper documents using the cross-cut shredder or the confidential waste bin — do not put them in the general recycling.
  • When sharing Restricted or higher information with external parties, confirm they are authorised to receive it and send it via an approved encrypted method. Never send it via unsecured email without encryption.

Policy 05 — HR Security Policy

Plain-language summary

This policy covers the security obligations that apply throughout your employment — from before you start to after you leave.

Before you were given access to company systems, you went through a pre-employment screening process. For most roles, this is a Baseline Personnel Security Standard (BPSS) check covering identity verification, right to work, employment history, and criminal record. For roles involving sensitive defence information, the screening level may be higher. The screening was a condition of your appointment, and its purpose was to verify that you are who you say you are and that there are no known concerns about your suitability for the access you would be given.

The security obligations you agreed to when you joined — through your employment contract and the NDA you signed — continue throughout your employment and for a period after it ends. If you leave, you cannot take company information with you, and you cannot disclose what you learned here to people who are not authorised to know it.

This policy also covers the organisation's approach to security incidents involving employees. This is not a disciplinary document — the organisation maintains a no-blame reporting culture and encourages people to report concerns. But deliberate breaches of security policy are a serious matter and are addressed through the disciplinary process.

What it means for me

Your employment contract contains a confidentiality clause. Your NDA is a separate, enforceable document. Both remain in force after you leave the organisation. If you move to another employer, you cannot take our customer data, our technical documentation, our processes, or our contract information with you. This is not a formality — it is a legal obligation that applies whether or not you like your next job more.

During employment, you have an obligation to protect the information you access. This is not about policing your colleagues — it is about personal responsibility for the access you hold. If you see something that concerns you (a colleague handling information inappropriately, a document that should not be where it is, a system behaving unusually), report it. The reporting channel is described in the User Guidance Hub. Anonymous reporting is available.

When you leave, you will be asked to return all company equipment and data, confirm your ongoing obligations, and sign a departure acknowledgement. This is a routine process. Cooperation is expected.

My obligations

  • Maintain the confidentiality of all company, customer, and contract information during and after your employment.
  • Report any security concern, any policy breach you observe, or any personal circumstances that might affect your security clearance eligibility to the CISO or HR Manager promptly.
  • Return all company equipment, devices, documents, and data on or before your final day. Do not retain copies of any company information after departure.
  • Sign the departure NDA acknowledgement at your exit interview confirming you understand your continuing obligations.
  • If you are approached by anyone — a competitor, a journalist, a foreign national — seeking information about the organisation's contracts, systems, or security arrangements, report the approach to the CISO immediately without providing any information.
  • Do not discuss sensitive contract details, technical specifications, or security arrangements in public spaces, on social media, or with people not authorised to receive that information.

Policy 06 — Incident Management Policy

Plain-language summary

An information security incident is any event that has compromised, or could compromise, the confidentiality, integrity, or availability of information. This covers a wide range: a phishing email you clicked, a lost laptop, a suspicious login notification, an unexpected system outage, a file you cannot open that was accessible yesterday. All of these are potential security incidents.

The policy is simple: when in doubt, report. The organisation operates a no-blame reporting culture. The cost of reporting an incident that turns out to be harmless is low. The cost of not reporting an incident that turns out to be serious is potentially very high — both for the organisation and in some cases for the individuals affected.

Some incidents carry legally mandated reporting deadlines. Under DFARS (the US defence acquisition regulation), a cyber incident on a CUI-scope system must be reported to the US Department of Defense within 72 hours of discovery. Under UK GDPR, a personal data breach that poses a risk to individuals must be reported to the ICO within 72 hours. Under our DEFSTAN contracts, incidents must be notified to the contracting authority within 24 hours. These clocks start when the incident is discovered — not when it is confirmed. Delayed reporting has resulted in significant regulatory penalties for other organisations. Our obligation is to ensure the security team knows about potential incidents promptly so they can make the reporting decision with appropriate advice.

What it means for me

You do not need to investigate an incident before reporting it. You do not need to be certain something is wrong. The rule is: if something seems suspicious, unusual, or wrong — report it immediately and let the security team investigate.

The things you should always report include: clicking a phishing link or opening an attachment that turned out to be malicious; any unauthorised access to your account (even if you regained control); losing a company device; finding a document in a location where it should not be; a system alert you cannot explain; a colleague asking you to do something that feels wrong; and anything that gives you the feeling that "this doesn't seem right." Trust that feeling and report.

You should also understand that the 72-hour reporting clocks mentioned above make speed genuinely important. An incident that the security team learns about on day one has three full days for investigation, containment, and reporting decisions. An incident they learn about on day three has hours. Speed of internal reporting protects the organisation and protects you.

My obligations

  • Report any security incident, concern, or near-miss to the security team immediately using the reporting channel in the User Guidance Hub. Do not wait. Do not try to fix it yourself first. Do not assume IT will notice it.
  • If you lose a company device, report it within one hour. The security team can remotely wipe the device if it is reported quickly. A delayed report means the device may be accessible for longer.
  • If you receive a suspicious email, do not click any links, open any attachments, or reply to it. Report it using the phishing report button in your email client or by forwarding it to the security team. Do not forward it to colleagues to warn them — forward it to security.
  • Do not attempt to investigate a suspected incident yourself. Do not delete files, power off systems, or change passwords on compromised accounts before speaking to the security team — these actions can destroy evidence needed for investigation.
  • Cooperate fully with any security incident investigation. Provide accurate information about what happened, when, and what you did. The no-blame culture means honesty is always the right approach.

Policy 07 — Business Continuity Policy

Plain-language summary

Business continuity is what the organisation does when something goes seriously wrong — a major system failure, a cyberattack, a power outage, a natural disaster, a supplier going offline. The purpose of this policy is to ensure that even in adverse circumstances, the organisation can continue to meet its most critical obligations: delivering on active contracts, protecting customer information, and resuming normal operations as quickly as possible.

For our customers — particularly government and defence customers — service continuity is a contractual requirement. A cyberattack that takes the organisation offline for two weeks is not just a financial problem. It may mean we fail to deliver on a government contract, which has contractual and reputational consequences that outlast the technical problem.

The organisation maintains a Business Continuity Plan and a Disaster Recovery Plan. These are technical and operational documents owned by the IT team and the CISO. Your role in business continuity is simpler: know what to do if a major disruption occurs during your working day, and know how to reach the people who will coordinate the response.

What it means for me

If a major disruption occurs — systems go down, the building has to be evacuated, the network becomes unavailable — you will receive communication from your line manager or the management team about what to do. The organisation has defined which functions are critical and has plans for maintaining them during a disruption. Your role is to follow the guidance you receive, not to improvise.

The backup and recovery procedures for your work are managed by IT Operations. You do not need to maintain your own backups of company data — in fact, creating personal backups (copies of files on personal USB drives or personal cloud accounts) creates security risks that the policy prohibits. The organisation's backup systems protect your work. If you find that the backup systems are not working correctly — you cannot restore a file that was accidentally deleted, for example — report this to IT Operations rather than creating workarounds.

Remote working capability is an important part of business continuity for office-based staff. If you are set up for remote working, your ability to work from home during a disruption is part of the organisation's resilience. The home office security requirements in the Access Control Policy apply whenever you work remotely.

My obligations

  • Know the emergency contact details for your line manager and for IT Operations. Know where to find the business continuity communication channel (described in the User Guidance Hub).
  • Do not create personal backups of company data on personal devices or personal cloud storage. This creates security risks and is prohibited by the Acceptable Use Policy. Trust the organisation's backup systems.
  • If you discover that you cannot access data you expect to be able to access — a file is missing, a system is unavailable, a backup did not restore correctly — report it to IT Operations immediately. Do not wait.
  • If your role is identified as critical during a disruption, be prepared to work from your approved remote location with your company device and VPN access. Ensure your remote working setup is functional before it is needed.
  • Follow all guidance from your line manager and the management team during a disruption. Do not improvise or create workarounds that have not been approved.

Policy 08 — Change Management Policy

Plain-language summary

Change management controls the process by which modifications are made to IT systems, infrastructure, and processes. The policy exists because changes — even well-intentioned ones — are one of the most common sources of security incidents and system outages. A configuration change that seemed straightforward introduces a firewall rule that exposes a previously protected system. A software update removes a security setting that existed in the previous version. A new integration between two systems creates a data flow that was not anticipated.

The change management process requires that significant changes to IT systems go through a review and approval process before they are implemented. This gives the security team an opportunity to assess the security implications, the IT team an opportunity to plan the implementation, and management an opportunity to ensure the change is necessary and well-timed.

For most employees, this policy operates invisibly — changes happen within planned maintenance windows, systems are updated without your involvement, and you simply find that your tools are slightly different on Monday morning. The policy becomes relevant for you when you are proposing a change: requesting a new system, suggesting an integration with a supplier's platform, asking for a new application to be deployed.

What it means for me

If you need a new tool, a new system, or a new integration as part of your work — whether it is a software application, a cloud service, or a connection to a supplier's platform — the route is through the formal request process, not self-service. The approved software list (managed by IT Operations) defines what can be installed on company devices. Installing software outside that list — even free, widely used software — is a policy breach.

Cloud services deserve specific mention. Many cloud tools are easy to sign up for with a work email address — productivity apps, file sharing services, project management tools. Signing up for cloud services using your company email address without IT Operations approval brings those services into scope for your work activities, potentially exposes company data to unapproved platforms, and may create compliance issues with our contracts. If you want to use a cloud service for work, request it.

The policy is not designed to slow down legitimate work. The IT team maintains a standard change procedure for routine updates that is low-friction. The more formal process applies to significant changes with potential security implications.

My obligations

  • Do not install software on company devices without IT Operations approval. This includes browser extensions, productivity tools, and applications you use in a personal capacity.
  • Do not sign up for cloud services using your work email address without IT Operations approval.
  • If you want to use a new tool or service for work, submit a software approval request through the helpdesk. Describe the tool, what you need it for, and any information it will handle.
  • If you are aware of an upcoming business change that will require new systems or integrations — a new supplier relationship, a new contract requirement, a new business process — raise it with IT Operations early so the technology implications can be assessed.
  • Never make changes to security settings on your company device. If a security setting is preventing you from doing your work, report it to IT Operations rather than disabling it.

Policy 09 — Supplier Security Policy

Plain-language summary

This policy covers how the organisation manages the security of its relationships with third parties — suppliers, contractors, cloud service providers, and any other external organisation that has access to our information or systems.

The risk from suppliers is real and well-documented. Many of the most significant security incidents in recent years originated with a supplier compromise rather than a direct attack on the target organisation. A supplier with access to your systems, your data, or your network is a potential attack vector. Ensuring that our suppliers maintain appropriate security standards is not optional — for our defence and government contracts, it is a contractual requirement that flows down from the contracting authority through us to our supply chain.

When we engage a new supplier that will handle our information, we conduct a supplier security assessment proportionate to the risk they represent. Suppliers that will access CUI or process personal data face the most rigorous assessment. Suppliers that only receive publicly available information face a lighter-touch review. All suppliers who will access company systems must sign our NDA and agree to our supplier security requirements before access is granted.

What it means for me

If your role involves selecting, engaging, or managing suppliers, you have obligations under this policy that go beyond simply finding the right commercial relationship. Before a supplier is given access to any company system, any company data, or any customer information, they must go through the supplier approval process. This is not a bureaucratic obstacle — it is a contractual requirement and a risk management step.

If you are aware of a supplier relationship that has not gone through this process — a contractor who has been given access to systems informally, a cloud provider whose contract was not reviewed for data protection terms — report it to the CISO. The organisation would rather know about it and deal with it than discover it during an audit.

The most common informal supplier access scenario is a contractor who is given a guest Wi-Fi password or a temporary login to a shared system without a formal engagement. Both are policy breaches. Contractors accessing company systems must be formally approved, have signed the required agreements, and must be supervised appropriately while they work.

My obligations

  • Before engaging a new supplier who will access company systems, data, or customer information, initiate the supplier approval process through the CISO or procurement. Do not grant access before approval is complete.
  • Do not give contractors, visitors, or third-party engineers access to company systems — including guest Wi-Fi, shared drives, or application logins — without IT Operations or the CISO being informed.
  • If you manage an ongoing supplier relationship, ensure you are aware of the security terms in the contract and that the supplier is meeting them. Significant security incidents at a supplier must be reported to the CISO, not just managed commercially.
  • Do not share company information with suppliers beyond what is necessary for the service they provide. Information shared with a supplier should be covered by an NDA and limited to what the supplier needs.
  • If a supplier informs you of a security incident that may have affected our data, report it to the CISO immediately — do not manage it independently.

Policy 10 — Physical Security Policy

Plain-language summary

Physical security protects information by protecting the physical spaces where it is held — the building, the server room, the workstations, the documents on desks. Technical security controls can be undermined by physical access: an attacker who can sit at an unattended, unlocked workstation does not need to overcome network defences. A visitor left unescorted in the office can photograph screens, pick up printed documents, or plug in a malicious device.

The organisation divides its facilities into security zones. The public areas (reception, meeting rooms accessible to visitors) have the least restriction. The general office area (Zone 2) has controlled entry: access cards are required. The server room and secure storage areas (Zone 3) have the strictest controls: a restricted access list, PIN and card required, and no visitors without authorisation.

The physical security controls described in this policy are not bureaucracy. They are directly required by our ISO 27001 certification, our CMMC compliance programme, and our DEFSTAN contracts. An audit finding on physical security — an unescorted visitor in Zone 2, an unlocked server room door, a CCTV camera that was not operating — is a real compliance finding with real consequences.

What it means for me

The most important physical security behaviours are simple: carry your access card at all times, do not allow people to follow you through secure doors without presenting their own card (tailgating), and challenge people you do not recognise who appear to be in areas they should not be in. The challenge does not have to be aggressive — "Can I help you find someone?" is sufficient.

When visitors come to the office, they must sign in at reception, be given a visitor badge, and be escorted by you at all times while they are in the office area. This includes colleagues from other offices, contractor engineers, auditors, and delivery personnel. An unescorted visitor in the office is a security policy breach, regardless of how well-known or trusted they appear.

The clear desk and clear screen rules apply at all times. When you leave your workstation — for a meeting, for lunch, for the day — lock your screen and clear sensitive documents from your desk. A sensitive document left visible on an unattended desk is exactly the kind of opportunity a physical security incident starts from.

My obligations

  • Carry your access card at all times when in the office. Do not share your card with anyone.
  • Do not allow people to follow you through secure doors without swiping their own card. This applies to colleagues — everyone must badge in individually. If you suspect a tailgating attempt, report it.
  • Challenge unescorted individuals in the office area politely. If you cannot verify they should be there, escort them to reception.
  • When you host visitors, escort them at all times while they are in Zone 2 (office area) or Zone 3 (server room, secure areas). Do not leave them unattended for any reason, including brief absences.
  • Sign visitors in at reception when they arrive and sign them out when they leave. Ensure the visitor log is complete — visitor name, organisation, purpose, and your name as host.
  • Apply the clear desk policy: lock your screen and secure documents whenever you leave your workstation.
  • Report any suspicious physical security event immediately — an unfamiliar person in a restricted area, a door that should be locked but is open, a damaged access card reader, a CCTV camera that appears to have been moved or obstructed.
  • Report a lost or stolen access card to Facilities immediately. The card will be deactivated within one hour of the report.

Policy 11 — Cryptography and Encryption Policy

Plain-language summary

Encryption is the technical process of making information unreadable to anyone who does not hold the key needed to read it, so that only authorised people can access it. This policy defines when encryption is required, what standards of encryption are acceptable, and how encryption keys are managed.

For most employees, encryption is invisible — it operates in the background when you access websites (the padlock in your browser), when you connect via VPN, when files are stored on your encrypted laptop drive. You benefit from encryption constantly without thinking about it.

The policy becomes relevant for you in two scenarios: when you are moving sensitive information from one place to another, and when you are choosing how to share sensitive information with someone outside the organisation. In both cases, the policy requires that appropriate encryption is used.

The specific encryption standards required for CUI and for UK government information are defined in technical detail in the Advanced Controls section of this ISMS. For all-staff purposes, the practical rules are straightforward: use the organisation's approved tools for sharing sensitive information, do not use unapproved tools, and never send sensitive information in a way that transmits it unencrypted.

What it means for me

Your company laptop has full-disk encryption enabled by default. You do not need to do anything to activate it. If you are asked to disable encryption, or if someone offers you a reason why encryption should be turned off on your device, report it to IT Operations — that is not a legitimate request.

Email is not encrypted by default. A standard email to an external recipient travels across the internet in a form that can potentially be intercepted. This means you should never send sensitive information — CUI, financial data, personal data, contract documents — as an unencrypted email attachment. The organisation has approved methods for sending sensitive information securely: encrypted email (via the approved email gateway), secure file transfer, or the organisation's approved client portal. Use those methods. If you are unsure which method to use for a specific recipient or document type, ask IT Operations.

USB drives and portable media containing sensitive information must be encrypted. If you need to transfer sensitive data on physical media — which should be rare and approved in advance — only use the organisation's approved hardware-encrypted USB drives. A standard USB drive with sensitive files on it, lost in a car park or left on a train, is a data breach.

My obligations

  • Never send CUI, OFFICIAL-SENSITIVE, personal data, or Restricted information via standard unencrypted email to external recipients. Use the approved secure method for your specific use case.
  • Never store sensitive information on USB drives, portable hard drives, or other removable media that are not hardware-encrypted and approved by IT Operations. The list of approved devices is in the User Guidance Hub.
  • Do not use personal encryption tools or services (personal VPN services, consumer encryption apps) to encrypt company data. Use only organisation-approved tools.
  • If you receive sensitive information from an external party by unencrypted means (an unencrypted email attachment containing contract documents, for example), report it to the information owner so the sending party can be informed of the correct secure transfer method.
  • Never attempt to disable, bypass, or work around encryption controls on company devices or systems.

Policy 12 — Data Protection and Privacy Policy

Plain-language summary

This policy covers how the organisation collects, stores, uses, and protects personal data — information that identifies or could identify a living individual. This includes customer names and contact details, employee information, contractor data, and any other personal information we hold in the course of our work.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 impose legal obligations on any organisation that processes personal data. Non-compliance can result in regulatory investigation by the ICO (Information Commissioner's Office), significant financial penalties (up to £17.5 million or 4% of global annual turnover, whichever is higher), and reputational damage.

The key principles of data protection that you need to understand are:

  • Personal data should be collected only for specific, legitimate purposes and not used for other purposes.
  • Only the minimum amount of personal data needed should be collected and held.
  • Personal data should be accurate and kept up to date.
  • Personal data should not be kept longer than necessary.
  • Personal data must be kept secure.
  • Personal data must not be transferred outside the UK/EEA without appropriate safeguards unless permitted by law.

The organisation has a Data Protection Officer (DPO) or equivalent responsible for overseeing compliance with data protection law. If you have a question about whether something you are doing with personal data is appropriate, the DPO is the person to ask.

What it means for me

You encounter personal data regularly — customer email addresses, employee records, supplier contact details. The legal framework around that data applies to how you handle it, not just to how the IT systems that store it are configured.

The most common data protection breach from an employee behaviour perspective is sending personal data to the wrong person — an email containing a spreadsheet of customer records sent to the wrong address, an HR document forwarded to a colleague who did not need to see it, a printed report containing personal information left in a meeting room. None of these requires a technical failure. They are human errors, and they trigger ICO reporting obligations if the data is sensitive enough.

Subject access requests (SARs) are a legal right — any individual can ask what personal data the organisation holds about them, and the organisation has one month to respond. If you receive a request from someone asking for information about their personal data, do not respond yourself — forward it to the DPO immediately. The one-month clock begins from the date of the request.

When a data breach occurs — personal data is lost, disclosed inappropriately, or accessed without authorisation — the organisation has 72 hours to notify the ICO if the breach is likely to result in risk to individuals. The speed of that response depends entirely on how quickly the breach is reported internally. Report immediately.

My obligations

  • Handle personal data only as required for your specific work purpose. Do not use customer data, employee data, or other personal data for purposes other than the reason it was collected.
  • Do not share personal data with colleagues who do not need it for their work. Apply the principle of minimum necessary sharing.
  • Report any accidental disclosure of personal data immediately to the DPO and the security team — a misdirected email, a lost document, a system that showed someone data they should not have seen. Report immediately, not later.
  • If you receive a subject access request from any individual asking what data the organisation holds about them, forward it to the DPO immediately without attempting to respond yourself.
  • Do not transfer personal data to countries outside the UK or EEA without confirming with the DPO that appropriate safeguards are in place.
  • Delete personal data when it is no longer needed for the purpose for which it was collected — do not accumulate data "just in case." If you are unsure whether data should be retained, ask the DPO.
  • Complete data protection training when required. Data protection awareness is a legal obligation for individuals who process personal data, not just an organisational preference.

A note on consequences

Reading policies is not the same as following them. These obligations are real, and breaches have consequences — for the organisation, for our contracts, for our customers, and in some cases for you personally.

The organisation operates a no-blame culture for honest mistakes promptly reported. If you click a phishing link and immediately report it, the response is investigation and containment, not discipline. If you discover you mishandled a document and report it the same day, the response is to correct it and prevent recurrence.

But wilful disregard for these policies — deliberately sharing information you know should be protected, deliberately bypassing controls you know exist for a reason, deliberately concealing an incident — is treated through the disciplinary process. The policies are not suggestions.

When in doubt: stop, think, and ask. The security team would rather answer a question about whether something is permitted than deal with the consequences of something that was not.


This policies section is reviewed annually. Last reviewed: [DATE]. Policy owner: CISO. Approved by: [CEO/MD NAME]. Next review: [DATE].

Questions about any policy in this section should be directed to the CISO at [security@organisation.com] or via the helpdesk.