
ISMS POLICY DOCUMENT

Comtec, Comtec House, Albert Road North, Reigate, Surrey RH2 9EL Page 1 of 23

ISMS Policy version 1.40 (November 2018) For Issue

Document Version No. 1.40 Updated November 2018

ISO27001:2005 ISMS POLICY DOCUMENT

Version 1.40

November 2018


Table of Contents

1 Introduction  4

2 Issue Status  5

3 Overview of Comtec  6

3.1 Scope of Registration  6

4 Information Security Management System  7

4.1 Control of Documents  9

4.2 Control of Records  9

5 Management Commitment  10

5.1 Role of Senior Management  10

6 ISMS Policy  10

6.1 Introduction  10

6.2 Scope of the Policy  10

6.3 Legal and Regulatory Obligations  10

6.4 Roles and Responsibilities  10

6.5 Strategic Approach and Principles  11

6.6 Business Continuity Management  11

6.7 Approach to Risk Management  11

6.8 Information Security Objectives  11

6.9 Responsibility, Authority and Communication  12

6.10 Management Review  12

6.11 Review Input  13

6.12 Review Output  13

7 Provision of Resources  14

7.1 Human Resources General  14

7.2 Infrastructure  14

8 Risk Assessment Methodology  17

9 Measurement, Analysis & Improvement  17

9.1 Information Security Standards  17

9.2 Internal ISMS Audits  18

9.3 Monitoring & Measurement of Processes  19

9.4 Monitoring & Measurement of Service  19

9.5 Analysis of Data  19

9.6 Continual Improvement  19

9.7 Corrective Action  21

9.8 Preventative Action  21

10 Appendices  22

10.1 Appendix 1 – Organisation Chart  22

Appendix 2 – List of Controlled Documents  23


ISMS Policy version 1.31 (September 2016) For Issue

Document Version No. 1.31 Updated September 2016

1 INTRODUCTION

This document is the ISMS Policy Document of Comtec. It is the property of Comtec and is a controlled document. The purpose of the ISMS Policy Document is to provide an overview of the company, the activities it carries out and the quality standards of operation it conforms to. It is not designed to act as a procedure manual, although it does state where procedure information is located and gives the detailed Documentation Requirements for essential procedures, e.g. document control, control of records, internal audit and corrective/preventative action (please see the Procedures Log). Throughout this ISMS Policy Document there are explanations of the requirements of the standard, paraphrased and appended in smaller grey text. Each precedes a section explaining how the company implements that particular aspect of the standard.


2 ISSUE STATUS

The issue status is indicated by the version number in the footer of this document. It identifies the issue status of this ISMS Policy Document.

When any part of this ISMS Policy Document is amended, a record is made in the Amendment Log shown below.

The ISMS Policy Document can be fully revised and re-issued at the discretion of the Management Team.

The ISMS Policy Document will be reviewed on a quarterly basis as standard.

Please note that this ISMS Policy Document is only valid on the day of printing.

Amendment Log

Issue  Amendment                                                                                          Date      Initials  Authorised
1      Version 1                                                                                          01/08/13  DR        DR
2      Update of staff members referred to in the document. Update of internal audit process flowchart.   23/09/16  CS        NC


3 OVERVIEW OF COMTEC

At Comtec Enterprises Ltd we have built a business aimed at providing a single fully managed service of power protection and IT infrastructure solutions for IT and telecom environments. With over 15 years' experience and many businesses depending on us to plan, protect and sustain their corporate productivity, we can say we are amongst the leaders in the field of providing truly scalable and highly flexible solutions. As "Trusted Advisers" in the infrastructure environment we are able to deliver a solution based on your business needs today that scales in line with your business's growth. In building long relationships with our customers and partnering the global leader in UPS systems, we understand the importance of customer service, quality and after-sales support. We are dedicated to building trusting relationships with our customers. For more information about Comtec Enterprises Ltd please visit www.comtec.com.

3.1 Scope of Registration

Design and installation of data centres, infrastructure networks and communications including (but not restricted to) sales and supply of hardware, software, project management, consultancy, managed services and support contracts.


4 INFORMATION SECURITY MANAGEMENT SYSTEM

[Figure: Establishing an ISMS. Flowchart steps: Define Scope; Objectives; Testing Framework; Risk Assessment Criteria; Identify assets; Identify threats to assets; Identify vulnerabilities which could be exploited; Identify impact of loss of Confidentiality, Integrity, Availability; Estimate Cost of Risks; Risks Accepted? (Yes/No); Management Authorise ISMS; Summary of decisions regarding risk assessment, justify exclusions; Estimate Options for Minimising Risk: Apply Controls, Accept Risks, Avoid Risks, Transfer Risks (e.g. Insurance); Statement of Applicability.]


Comtec has a commitment to quality and a formal information security management system (ISMS) that addresses the following areas:

Quality

Performance monitoring and review

Policy and Procedures

Managing external relationships

Financial Management

Strategic and business planning

Human resource development

Service innovation.

[Figure: Implementing and Operating an ISMS. Flowchart steps: Risk Treatment Plan; Identify Management Action, Resources, Responsibilities and Privileges; Implement Risk Treatment Plan; Implement Controls to meet Control Objectives; Implement Training & Awareness Programme.]


The Senior Management Team is responsible for implementing the ISMS and ensuring the system is understood and complied with at all levels of the organisation. They are responsible for ensuring that all staff:

Are aware of the policies and objectives of the organisation

Are committed to implementing Comtec's Information Security Management System

Understand service user requirements

Create positive internal and external communications

Understand the organisation's processes

Understand how statutory and regulatory requirements impact on the organisation and service users

Understand their area of responsibility

Use time and resources efficiently

Reduce wastage

Contribute to high levels of morale and motivation within the organisation.

Comtec's Information Security Management System is managed by the Information Security Officer (Phil Reed), although ultimate responsibility lies with the Managing Director (Nick Claxson). All staff are required to maintain the system and to have a stake in improvements to efficiency. An internal audit of procedures and policies is conducted quarterly, with an annual external audit taking place in November.

4.1 Control of Documents

All documents are maintained and controlled by the Information Security Officer (Phil Reed). Policy and procedure documents are reviewed annually. Any documents requiring amendment are updated, authorised and completed. All updates to documents are signed and dated by the Information Security Officer (Phil Reed). Documents are re-issued as an electronic PDF document and a limited number of hard copies are produced. Obsolete documents are archived and restricted by the Information Security Officer; electronic copies of all past versions are kept. All managers hold responsibility for cascading information to staff. Documents received by fax should be removed immediately and handed to the person to whom they are addressed.

4.2 Control of Records

All project records are stored in appropriate electronic folders and managed by the respective departments. Hard copies of documents are restricted to a minimum and should not be produced unnecessarily. Electronic records are encouraged over hard copies because of environmental concerns, available storage space and the need to prevent unnecessary expenditure.


5 MANAGEMENT COMMITMENT

5.1 Role of Senior Management

Comtec's Senior Management Team are committed to the development and implementation of an Information Security Policy and an Information Security Management System, and to reviewing this system frequently. The Information Security Officer (Phil Reed) will ensure that Comtec staff are aware of the importance of meeting customer as well as statutory and regulatory requirements, and, overall, of contributing to Comtec's Information Security Objectives, which are aligned with the current business plan. An induction programme has been implemented to ensure all new employees receive ISO awareness training.

6 ISMS POLICY

6.1 Introduction

This document is the Information Security management document for Comtec Enterprises Ltd. It describes the company’s corporate approach to Information Security and details how we address our responsibilities in relation to this vital area of our business.

Information Security is the responsibility of all members of staff, not just the senior management team, and as such all staff should retain an awareness of this policy and its contents.

Compliance with the policy will be verified by a continuous programme of internal audits.

6.2 Scope of the Policy

The scope of this policy relates to use of the database and computer systems operated by the company at its office in Reigate, in pursuit of the company’s business of providing IT solutions to small/medium sized businesses.

6.3 Legal and regulatory obligations

Data Protection Act 1998

Employment Agency Act 2003

6.4 Roles and Responsibilities

Our Information Security Officer (Phil Reed) is responsible for randomly sampling records to ensure that all required data has been captured, and that data is accurate and complete.

It is the responsibility of all staff to ensure that all data is treated with the utmost confidentiality, and that no data is given out without the prior authority of any person affected.


6.5 Strategic Approach and Principles

6.5.1 Access Control – See Data Security Policy

6.5.2 Incident Management – See Data Security Policy

6.5.3 Physical Security – See Data Security Policy

6.5.4 Third-party Access – See Data Security Policy

6.6 Business Continuity Management – See Business Continuity Plan

6.7 Approach to Risk Management

We aim to reduce all opportunities for data to be compromised. This includes the possibility of theft of data.

We have carried out a full risk assessment of the potential for a breach of security as documented within our separate Risk Assessment Document.

A full description can be found in our Data Security Manual.

6.7.1 Action in the event of a policy breach

Access to the system is centrally controlled and removal of access to the system is a very simple procedure, which is controlled by the Information Security Officer (Phil Reed).

Access to the premises is controlled by the Managing Director (Nick Claxson). Door entry access fobs are controlled using access control software, which allows a particular fob to be instantly disabled if required.

As soon as a policy breach has been detected, the relevant user's access is either removed or reset, depending on the most appropriate action in the circumstances.

A full description of access control can be found in our Data Security Manual.

6.8 Information Security Objectives

Our objectives are set out in our business plan and are then disseminated to each department/project for incorporation into their management roles. Each department is responsible for delivering its objectives, and this is monitored via individual appraisals and team meetings. Comtec's Quality Objectives are as follows:


Objective 1: Existing services - Comtec will continue to deliver its services within a secure environment.

Objective 2: Development - Comtec will conduct annual risk assessments to ensure that risk to information in the care of Comtec is minimised or eliminated.

6.9 Responsibility, authority and communication

The management structure of Comtec is shown as an organisation chart (see Appendix 1); the chart shows functional relationships and responsibilities.

6.9.1 Management Representative

The Information Security Officer (Phil Reed) is responsible for the maintenance, measurement and review of our Information Security Management System. The Information Security Officer (Phil Reed) will ensure that the processes needed for the Information Security Management System are established, implemented and maintained within Comtec. In addition he will report to the SMT about system performance.

6.9.2 Internal Communications

Senior management utilise Comtec's internal communications framework in order to disseminate information about the effectiveness of the Information Security Management System. The Managing Director (Nick Claxson) provides an ISO overview at the quarterly senior team meetings.

6.9.3 Implementation

Following the annual audit, results are reviewed by the senior management team. Any non-conformities or opportunities for improvement are addressed and an action plan devised.

6.10 Management Review

6.10.1 General

Senior Management ensures:

That the ongoing activities of Comtec are reviewed regularly and that any required corrective action is adequately implemented and reviewed to establish an effective preventative process.

Measurement of Comtec’s performance against our declared Information Security Objectives.

That internal audits are conducted regularly to review progress and assist in the improvement of processes & procedures. The reviews are discussed as part of Comtec’s SMT meetings.


That employees have the necessary training, support, specifications and equipment to effectively carry out the work.

The senior management team hold planning and review meetings every quarter. Minutes of these are taken and the agenda normally includes an update and discussion around the current work of all departments and services.

6.11 Review Input

The quarterly Senior Management Team meetings review the following information:

Risk management and the status of risk assessments

Results of audits

Serious untoward incidents

Status of preventive and corrective actions

Follow up actions from previous management reviews

Changes that could affect policies and procedures (Information Security Management System)

Recommendations for improvements.

6.11.1 Implementation

Meetings are scheduled

A suggested agenda is prepared by the chair

Members invited to add items to the agenda

Agenda is circulated to members

Meetings take place

Actions are defined

Meetings are minuted by a designated staff member

Minutes are approved by Chair

Minutes are circulated amongst members

Completion of actions is reviewed at the next meeting.

6.12 Review Output

The Senior Management Team reviews produce the following outputs:

Policies and procedures are updated to make operations more efficient

Operations and services are improved through measurement against targets and actions to improve or rectify specific areas.

Where resources are lacking actions are put in place to rectify this.


6.12.1 Implementation

Corrective actions are identified

Targets created

Improvements actioned

Situation re-evaluated at a specified later date.

7 PROVISION OF RESOURCES

Comtec will provide all the resources needed to implement and maintain the Information Security Management System and improve the effectiveness of the system. Comtec will also ensure that the resources needed to enhance the satisfaction and requirements of service users, service commissioners and staff are identified and in place through audit and continual review.

7.1 Human Resources General

7.1.1 Competence, Awareness & Training

We maintain a detailed Training Matrix demonstrating who has received what training and when. This is kept on the company intranet (SharePoint) for ease of access.

7.2 Infrastructure

Comtec's buildings, workspace and associated utilities are managed by the Managing Director (Nick Claxson). The procurement and management of hardware, software and supporting services such as communication and information systems are coordinated by the Lead Architect (Phil Reed). We maintain a detailed asset register, including serial numbers, description, location and the person to whom each asset is assigned.

7.2.1 Implementation

Buildings, workspace and associated utilities requirements are regularly reviewed to ensure we make efficient use of office space. Both hardware and software are reviewed on an ongoing basis to ensure that staff are equipped with fit-for-purpose IT equipment and software. IT systems are maintained and serviced by our own internal engineers in conjunction with our Lead Architect (Phil Reed). Head office prepares and distributes a wide range of information:

Management Accounts

Management & Performance information


Training updates

7.3 Employment

Recruitment, performance and termination of employment are handled by our Managing Director (Nick Claxson) in conjunction with department heads. All new starters will be asked to read and sign a copy of our Data Security Policy and, if handling client data, they must also sign a DBS/CCJ declaration form. A new starter form will then be produced and sent to the NOC department to set up any equipment, access rights, security levels and key fob access. An induction programme has recently been implemented to include an overview of the business, company policies and procedures, ISO requirements and a tour of the building to ensure all health and safety requirements have been covered. All HR information will be securely filed in a lockable cabinet with restricted access. Termination of employment will result if any employee is found guilty of gross misconduct or is subject to the 3-stage warning process as set out in the company handbook. Upon termination of employment, contract or agreement, all company assets must be returned to the Managing Director (Nick Claxson). Access to the building, servers and any company information will be immediately disabled.


[Figure: Management Review (Plan-Do-Check-Act cycle). PLAN: Appoint Management Representative & Team; Scope and Policy; Significant Aspects; Legal & Emergency; Objectives & Documents; Document Control & Records. DO: Operational Control Procedures; Train & Communicate; Implement Programme; Document Control & Records. CHECK: Internal Audit; Test Emergency Response; Check Legal Compliance; Check Programme; Document Control & Records. ACT: Continuous Improvement; Document Control Records; Redefine Objectives; Preventive Action; Corrective Action.]


8 RISK ASSESSMENT METHODOLOGY

We have identified the following process as the means of conducting regular risk assessments relating to information security issues.

We use a Microsoft Word table to collect and analyse the risks identified in the following areas:

Password Policy

Building Security

Data Access

Assets

Threats

Vulnerabilities

Confidentiality

Integrity

Availability

Within each of these areas the risks (if any) are identified together with a rating of 1 to 3 for the importance of the risk. The associated impact or severity of the risk is also rated on a scale of 1 to 3, together with the probable likelihood of the risk occurring.

Following this analysis, conclusions are drawn as to the most appropriate action, together with the estimated cost of implementing the action to address the identified issue and an estimate of the cost of ignoring the risk.
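A worked example of the register this section describes, written for this edit rather than taken from Comtec's own documents: it holds each risk with its 1-to-3 ratings and the two cost estimates, rejects ratings outside the scheme, and ranks entries for management review. The product score, the HIGH_SCORE threshold and the recommend() rule are assumptions, since the page does not say how the ratings are combined or when a risk is treated; the register entries are constructed sample data.

```python
"""Risk register scorer for the 1-to-3 rating scheme described in section 8.

Added worked example; this is not Comtec's own tooling. The page rates
importance, impact and likelihood each from 1 to 3 and records the cost of
treating a risk against the cost of ignoring it, but does not say how the
ratings are combined or when a risk is treated. The product score, the
HIGH_SCORE threshold and the recommend() rule below are assumptions of this
example, and every register entry is constructed sample data.
"""
from dataclasses import dataclass

# Risk areas listed in section 8 of the policy.
AREAS = ("Password Policy", "Building Security", "Data Access", "Assets",
         "Threats", "Vulnerabilities", "Confidentiality", "Integrity",
         "Availability")
RATING_MIN, RATING_MAX = 1, 3
HIGH_SCORE = 12  # assumed: scores at or above this are treated whatever the cost


@dataclass(frozen=True)
class RiskEntry:
    area: str
    description: str
    importance: int        # 1-3, importance of the risk
    impact: int            # 1-3, impact or severity if it occurs
    likelihood: int        # 1-3, probable likelihood of occurrence
    cost_to_treat: float   # estimated cost of implementing the action
    cost_to_ignore: float  # estimated cost of ignoring the risk

    def __post_init__(self):
        # Reject entries outside the scheme so a mistyped rating of 0 or 4
        # cannot silently distort the register.
        if self.area not in AREAS:
            raise ValueError(f"unknown risk area: {self.area!r}")
        for name in ("importance", "impact", "likelihood"):
            value = getattr(self, name)
            if type(value) is not int or not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{name} must be an integer from 1 to 3, got {value!r}")
        if self.cost_to_treat < 0 or self.cost_to_ignore < 0:
            raise ValueError("costs must be non-negative")


def score(entry: RiskEntry) -> int:
    """Composite score: product of the three ratings (assumed), range 1 to 27."""
    return entry.importance * entry.impact * entry.likelihood


def recommend(entry: RiskEntry) -> str:
    """Assumed decision rule: high scores are treated regardless of cost;
    otherwise treat when treatment is no dearer than ignoring the risk."""
    if score(entry) >= HIGH_SCORE:
        return "treat"
    if entry.cost_to_treat <= entry.cost_to_ignore:
        return "treat"
    return "accept"


def rank(register):
    """Order the register for management review: highest score first,
    ties broken by the larger cost of ignoring the risk."""
    return sorted(register, key=lambda e: (score(e), e.cost_to_ignore), reverse=True)


def summarise(register):
    """Per-area count of risks recommended for treatment (a review input)."""
    counts = {area: 0 for area in AREAS}
    for entry in register:
        if recommend(entry) == "treat":
            counts[entry.area] += 1
    return counts


# Constructed sample register (not taken from the policy document).
SAMPLE_REGISTER = [
    RiskEntry("Password Policy", "Shared administrator password on NOC tooling",
              importance=3, impact=3, likelihood=2,
              cost_to_treat=500.0, cost_to_ignore=20000.0),
    RiskEntry("Building Security", "Visitor sign-in sheet left on reception desk",
              importance=1, impact=1, likelihood=2,
              cost_to_treat=1500.0, cost_to_ignore=200.0),
    RiskEntry("Data Access", "Leaver accounts not disabled on the day of departure",
              importance=2, impact=3, likelihood=1,
              cost_to_treat=100.0, cost_to_ignore=5000.0),
]

if __name__ == "__main__":
    for entry in rank(SAMPLE_REGISTER):
        print(f"{score(entry):2d}  {recommend(entry):6s}  {entry.area}: {entry.description}")
```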

9 MEASUREMENT, ANALYSIS & IMPROVEMENT

9.1 Information Security Standards

In all Comtec's services there is a specific set of quality measurements developed to audit each service, enabling a purchaser to be assured of the quality of delivery. Service Level Agreements (SLAs) are used to identify the areas of a contract that will be measured and monitored.

9.1.1 Implementation

We review our performance as part of a continuous review of Management Information. These reports help us to assess whether we are meeting our performance targets and provide us with month-on-month business performance benchmarking information. Comtec conducts quarterly internal audits with an annual external audit each November.


9.2 Internal ISMS Audits

The internal audit process is as follows:

9.2.1 Internal Audit Process Flowchart


9.3 Monitoring & Measurement of Processes

9.3.1 Implementation

Where the agreed requirements are not met, an action plan clearly detailing how compliance will be achieved is agreed with Comtec's Managing Director (Nick Claxson), with a timescale for compliance set at 6 months.

9.4 Monitoring & Measurement of Service

At the outset of a new service contract, Comtec establishes the reporting requirements within the Service Level Agreement. This process is supported by the data reports compiled, which enable the review to monitor performance, effectiveness of delivery, contract compliance and potential service developments. Comtec provides full information for this purpose on a quarterly and annual basis.

9.5 Analysis of Data

Incident logs are used to record any Information Security incidents or breaches giving cause for concern, and these are regularly assessed during the Management Review process to identify areas for improvement.

9.5.1 Implementation

The data is collected by each service and submitted to Comtec's Services Department. The data is monitored by Senior Management.

9.6 Continual Improvement

The organisation shall continually improve the effectiveness of the Information Security Management System through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review.


9.6.1 Implementation

We review our performance as part of a continuous review of Management Information, service-user/customer feedback and comments. In particular we review our progress against our company information security objectives (business plan aims), with a view to seeing what we can improve and where. The chart below illustrates this process:


9.7 Corrective Action

9.7.1 Complaints Policy

Comtec is committed to giving its clients the best possible service, involving them in the planning of their datacenter, and giving them opportunities to air any complaints they may have about the service we provide. To this end we operate the following procedure:

9.8 Preventative Action

Comtec has various processes and procedures in place to ensure that preventative action against nonconformities can be introduced, documented and seen through to completion, addressing the initial problem. The complex nature of the clients we work with demands that we have flexible but effective processes and procedures in place. Comtec also uses internal and external audits and risk assessments to continuously improve its service delivery, financial, HR and operational functions.

9.9 Improvement

The agenda for the Management Review meetings shall include, but not be limited to:

Follow-up from previous meetings

Review of company ISMS Policy

Review and setting of Information Security Objectives

Review of Incidents / Complaint Logs

Customer Feedback

Audit Results

Staff performance in relation to Information Security handling

Changes that could affect the Information Security Management System

Recommendations to improve the ISMS and their implementation


10 APPENDICES

10.1 Appendix 1 – Organisation Chart

Nick Claxson – Managing Director

Nick Claxson – Interim Head of Service

Jon Elsey – Power Install Manager

Roy Cole – ISX Engineer, Senior Electrician

Iain Ross – ISX Engineer, Electrician

Andy Law – Contracts Manager

Dan Brockwell – Service Desk Manager

Jon Carlier – 2nd Line Engineer

Joe Manners – 1st Line Engineer

TBC – 2nd Line Comms Engineer

David Croft – Service Delivery Manager

Graham Taylor – Warehouse & Logistics Manager

Phil Reed – Head Of Presales

Geoff Denham – Datacentre Presales Team Leader

TBC – Sales Person

Tariq Darr – Datacentre Specialist

Ian Gregg – Datacentre Specialist

Steven Earwicker – Datacentre Specialist

Andy Holland – Comms Presales Team Leader

TBC – Communications Sales Person

Eddie Desouza – Marketing & New Business, New Business Team Leader

Simon Tomlins – Business Development Manager

Duncan Woods – Business Development Manager

Scott Campbell – Business Development Manager


10.2 Appendix 2 – List of Controlled Documents

Ref No   Name          Version   Date       Associated Documents
0001     D. Robertson  1         23/08/13   Data Security/Risk Assessment/Business Continuity Plan
0002     D. Robertson  1.2       10/11/13   As above
0003     D. Robertson  1.3       27/11/14   As above
0004     N. Claxson    1.31      23/09/16   As above
0005     P. Reed       1.40      28/11/16