
Information Security Policy

Purpose

This Information Security Policy outlines Smith Institute’s commitment to safeguarding the confidentiality, integrity, and availability of information. It is designed to meet the requirements of ISO 27001, Cyber Essentials Plus, UK GDPR, the Data Protection Act 2018, and other relevant UK legislation to ensure that all business operations and customer data are protected from information security threats, whether internal or external, deliberate or accidental.

Scope

Smith Institute provides advanced mathematics, analytics and artificial intelligence consulting services, including research, development and delivery of solutions to customers worldwide. This policy covers all information assets, including but not limited to data, electronic files, paper records, IT systems, and communication infrastructure that are involved in Smith Institute’s work and applies to all employees, contractors, vendors, and third parties who have access to the company’s information systems, networks, and data.

Information Security Objectives

Smith Institute:

  • Protects information assets from unauthorised access, disclosure, modification, destruction, and interference.
  • Ensures the confidentiality, integrity, and availability of information.
  • Meets legal, regulatory and contractual security obligations under UK law.
  • Provides security training and awareness programmes to employees and partners.
  • Continuously improves information security management through regular monitoring and audits.
  • Aligns with guidance from the UK National Cyber Security Centre (NCSC).

Roles and Responsibilities

  • Security Director (SD): Overall responsibility for the nomination, approval, implementation and enforcement of security procedures.
  • Information Security Officer (ISO): Responsible for implementing, monitoring, and updating the security management system. The ISO ensures compliance with this policy, ISO 27001 requirements and UK data protection laws.
  • Data Protection Officer (DPO): Oversees data protection strategy and implementation to ensure compliance with UK GDPR requirements.
  • Employees: All employees are responsible for understanding and complying with this policy. They must report any security breaches, incidents, or vulnerabilities.
  • Third-Party Partners and Contractors: Any third-party partner or contractor with access to sensitive information or systems must adhere to Smith Institute’s security standards as outlined in this policy and comply with relevant UK data protection laws.

Risk Management

  • Regular risk assessments are conducted to identify, evaluate and manage security risks.
  • Risks are categorised, prioritised and mitigated based on their potential impact on business operations.
  • Controls are implemented to manage identified risks, and their effectiveness is regularly reviewed.
  • Supply chain risks are specifically assessed and managed in line with NCSC guidance.

Access Control

  • Access to information systems and data is granted on a need-to-know basis and according to roles and responsibilities.
  • Access is secured using appropriate technologies.
  • Multi-factor authentication (MFA) is mandatory for all online data services.
  • User accounts are reviewed regularly to ensure access levels remain appropriate.

Data Classification and Handling

  • All information assets are classified based on their sensitivity and criticality.
  • All data is encrypted at rest and in transit.
  • Secure disposal processes are followed to destroy information that is no longer needed.
  • Data is stored and processed in compliance with UK data sovereignty requirements.

Incident Management

  • Smith Institute has a formal incident response plan to address security breaches or incidents.
  • All incidents are documented and analysed to prevent recurrence.
  • Data breaches likely to result in a risk to the rights and freedoms of individuals will be reported to the Information Commissioner’s Office (ICO) within 72 hours, as required by UK GDPR.
  • Data breaches affecting the confidentiality, integrity or availability of data belonging to an external organisation will be reported to the affected party within 72 hours.
  • A post-incident review will be conducted to improve future responses.

Business Continuity and Disaster Recovery

  • A Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are maintained to ensure the availability of critical systems and data during and after a security incident.
  • Regular tests of the BCP and DRP are conducted to ensure their effectiveness.

Compliance with UK Legal and Regulatory Requirements

  • Smith Institute complies with applicable UK laws and regulations, including, but not limited to:
  • Regular audits are conducted to ensure ongoing compliance with ISO 27001, Cyber Essentials, Cyber Essentials Plus and UK legislation.
  • Smith Institute will cooperate fully with the ICO in case of audits or investigations.

Physical Security

  • Physical security measures are in place to protect confidential information and assets, with controls appropriate to our operating model. Access to company premises is controlled through multiple layers of security, and any sensitive materials are stored securely when not in use. Staff are required to maintain appropriate physical security measures in line with our information security policies at all times.

Security Awareness and Training

  • All employees undergo regular security awareness training.
  • Training covers password management, phishing awareness, handling sensitive data, incident reporting, and UK-specific data protection requirements.
  • Employees are educated on their rights and responsibilities under UK data protection laws.

Remote Working Security

  • Employees are provided with secure tools and technologies for remote work.
  • There are specific guidelines and security measures for remote working which are regularly reviewed.

Data Subject Rights

  • Processes are in place to handle Subject Access Requests in compliance with UK GDPR and the Data Protection Act 2018.
  • Employees will be trained to recognise and appropriately handle data subject rights requests.

Monitoring and Review

  • Smith Institute regularly monitors and reviews its information security management system (ISMS) to ensure it is effective and compliant with ISO 27001 and UK regulations.
  • The ISMS is subject to internal and external audits.

Continuous Improvement

  • Information security practices are continuously improved through regular feedback, security assessments, and adopting new technologies and processes where applicable.
  • Non-conformities will be addressed promptly, with corrective actions taken to prevent recurrence.

Policy Review

  • This Information Security Policy will be reviewed annually and whenever there are significant changes to the company or the regulatory or competitive environment in which it operates.

March 2025

Office Address:
Willow Court, West Way, Minns Business Park, Oxford OX2 0JB
+44 (0) 1865 244011
hello@smithinst.co.uk

© Smith Institute 2024. All rights reserved.

Smith Institute Ltd is a company limited by guarantee registered in England & Wales number 03341743 with registered address at 1 Minster Court, Tuscam Way, Camberley, GU15 3YY