Information Security Management Policy

This Policy sets out Xynomix (the organisation) strategic commitment to information security management. It is the policy of the organisation to ensure the confidentiality, integrity and availability of information owned by both the organisation and clients is maintained to:

  • Ensure continued quality of service
  • Meet the organisations contractual, legal, and regulatory obligations
  • Meet the needs and expectations of other interested parties.  

Information security management shall be treated as an integral part of management activities and will be pursued in the same manner and with the same vigour as other managerial objectives.

Xynomix is committed to:

  • Taking appropriate action to ensure the confidentiality and integrity of the organisations and client owned information, held by, and managed by the organisation
  • Developing, maintaining and exercising business continuity plans to ensure the availability of information and information systems
  • Treating information security as a business-critical issue
  • Ensuring that legislative and regulatory and contractual requirements are met
  • Protecting and respecting intellectual property rights of the organisation and others
  • Creating a security positive culture within the organisation
  • Establishing and maintaining an effective Information Security Forum
  • Ensuring information security risks are managed to an acceptable level
  • Identifying and implementing controls for information assets that are proportionate to levels of risk
  • Communicating this Policy and supporting arrangements to all employees, relevant clients, contractors, and other stakeholders
  • Achieving individual accountability for compliance with this Policy, related policies and supporting procedures
  • Ensuring all breaches of information security, actual or suspected, are reported, and investigated in line with published policies
  • Developing, implementing, and maintaining an information security management system (ISMS) in accordance with the best practice contained within ISO/IEC 27001:2013

The Managing Director, with support from the organisations Directors has overall responsibility and authority to ensure that this Policy is effectively implemented and delivered. All internal personnel and suppliers are required to play an active role in the protection of the organisations assets and treat information security appropriately in order that this purpose can be achieved.

To support this Policy, subject specific policies and supporting procedures will be produced in response to changes in risks faced by the organisation, legislation, regulation, contractual obligations, and operational working practices.

Information security objectives, which are aligned with the organisations strategic business objectives, are agreed on an annual basis, supported by a set of key performance indicators (KPIs) and are monitored by the Managing Director.

The organisation recognises the need for continual improvement. The information security management system will be constantly reviewed and any changes are communicated to all relevant employees and interested parties.

Failure to comply with this policy, subject-specific policies and supporting procedures, may result in disciplinary action being taken.

This Policy and the organisation’s performance in meeting its requirements will be monitored and reviewed by the Board as a minimum, on an annual basis.