Information Security Policy

Last updated: Jan 2025

Introduction

This policy demonstrates Cloud Gateway’s commitment to protecting the confidentiality, integrity, and availability of information.

As an organisation that has implemented an Information Security Management System (ISMS) in line with international standard ISO/IEC 27001, this policy outlines our dedication to information security practices and controls, risk management and continuous improvement, and serves as the foundation for all information security-related initiatives within the organisation.

Scope

This policy applies to all systems, people and processes that constitute our information systems, including employees, contractors and suppliers that have access to our systems.

Information Security Policy

Scope of registration

Our scope of registration for the ISO 27001 standard is:

The provision of networking and security services for the public and private sector within the United Kingdom and internationally.

Information security requirements

Cloud Gateway keeps a central record of, and remains abreast of, applicable legislative and regulatory requirements, including those related to protecting the security of information.

The information security controls defined in ISO 27002 are reviewed, and those that are applicable to Cloud Gateway are defined in a Statement of Applicability. The organisation is committed to, and independently verified to be, delivering and continually optimising its fulfilment of those requirements.

Responsibilities

The ISO Steering group is responsible for reviewing, setting and approving the implementations of the Information Security Management System.

Senior Leadership is responsible for ensuring that roles, responsibilities and authorities are appropriately assigned, maintained and updated as necessary.

Senior Leadership will ensure that the information security policy, processes, expectations and requirements are upheld across the organisation.

All employees are responsible for adhering to the requirements of the information security policy and for fulfilling any duties related to assigned roles, responsibilities or authorities.

Information security objectives

To support this policy, Cloud Gateway decides upon and documents measurable information security objectives on an annual basis. These objectives are regularly reviewed to track progress, and they are always aligned with our strategic goals.

Employee training and provision of resources

Cloud Gateway will always invest in training and awareness to empower our employees to understand and uphold information security controls and objectives, as well as to ensure awareness and understanding of the ISMS and its requirements.

Cloud Gateway will also provide the required resources to enable these objectives to be met, such as tools, equipment and a safe and healthy working environment.

Risk-based approach

Cloud Gateway proactively manages and mitigates risks through a risk-based approach to operations. As well as making this an innate part of our processes, we encourage an open environment whereby risks can be raised by any member of staff, so that we can identify and address potential issues early.

We strive to prevent information security failures and ensure high security throughout our operations.

Supplier and partner collaboration

By collaborating closely with suppliers, contractors, and partners, Cloud Gateway ensures that services meet our information security standards. We value mutually beneficial relationships that contribute to delivering highly secure products and services.

Continuous improvement

Cloud Gateway remains dedicated to delivering continuous improvement. Ideas for improvements may be obtained from any source, including employees, customers, suppliers, risk management and service reports. They are then analysed and, if agreed, implemented.

Continual assessment of the ISMS is achieved through regular review meetings and audits.

Information security policy areas

A set of lower-level controls, processes and procedures for information security is defined in support of this policy and its stated objectives. These policies include:

  • Organisational controls

  • People controls

  • Physical controls

  • Technological controls

This suite of supporting documentation is written, reviewed and approved by employees with competence in the relevant area and communicated to the appropriate audience, which may be internal and/or external to the organisation.

Compliance

Users shall abide by existing information security policies and procedures. Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, contract or agreement, as the case may be.