ISMS Policy
1. Purpose
1.1. Nowhere Group Limited (‘nowhere’) has an Information Security Management System (ISMS) in place to ensure that its data assets are protected from all threats, whether internal or external, deliberate or accidental.
1.2. This includes any information which, if disclosed or made publicly available, could damage nowhere’s clients, commercial or financial interests, privacy, reputation or employability (‘Confidential Client and Company Data’).
1.3. This also includes any information that relates to an identified or identifiable living individual (‘Personal data’).
1.4. nowhere’s ISMS provides a framework for all the policies and procedures involved in the information risk management process, including all legal, physical and technical controls.
1.5. nowhere has established and will continually improve the ISMS in accordance with the ISO27001:2013 standard. This standard demonstrates that nowhere is committed to following information security best practices, and provides an independent, expert verification that information security is managed in line with international best practice and business objectives.
1.6. This policy provides information as to how nowhere aims to meet these requirements, with reference to key processes and policies, as appropriate.
2. Objectives
2.1. nowhere has the following three main objectives:
2.1.1. Objective 1: To continue to deliver services within a secure environment.
2.1.2. Objective 2: To conduct continuous risk assessments to ensure that risk to information is minimised or eliminated, with an annual review of all processes.
2.1.3. Objective 3: To follow and comply with legislation and client contracted requirements.
3. Scope
3.1. This policy applies to all nowhere employees, consultants, contractors and associates operating on behalf of nowhere, who have access to Personal and Confidential Client and Company Data.
3.2. The scope of this policy relates to nowhere’s delivery of its business management consultancy services and digital products to corporate clients, public sector organisations, licensees and individuals. It also relates where appropriate to external risk sources including functions which are outsourced.
3.3. This policy also applies to the running of all nowhere services, including:
3.3.1. The delivery of products and services to clients.
3.3.2. The delivery of training and licensed products to nowhere licensees.
3.3.3. The provisioning of products to clients and the clients of nowhere licensees and trading associates.
3.3.4. The gathering of client and marketing data.
3.3.5. The use of third-party ISPs and developer tools.
4. Policy
4.1. nowhere will ensure that all Personal and Confidential Client and Company Data is processed lawfully and stored with appropriate confidentiality procedures as per nowhere’s Access Control, Change Management, Cryptography, Data Handling, Logging and Monitoring, Server Security and Software Development policies.
4.2. All legal requirements, codes of practice and all other requirements applicable to our activities will be met to ensure the continual improvement of the ISMS.
4.3. A Business Continuity Plan and IT Disaster Plan are maintained and tested to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
4.4. Information security awareness, training and resources will be made available to all staff.
4.5. It is the responsibility of each member of staff to adhere to the nowhere ISMS Policy and all related IT policies such as the Devices and Remote Access Policy.
4.6. The ISMS is subject to both regular internal and external annual audits, which cover the requirements of the ISO27001:2013 standard.
5. Personnel Responsible for this Policy
5.1. The Security Team has direct responsibility for maintaining the ISMS Policy and ensuring it remains appropriate and suitable to the business.
6. Breaches of Policy
6.1. Breaches of this policy and/or security incidents can be defined as events which could have, or have resulted in, loss or damage to nowhere assets, or an event which is in breach of nowhere security procedures and policies.
6.2. All nowhere employees, consultants, contractors and associates have a responsibility to report security incidents and breaches of this policy as quickly as possible to the Security Team. This obligation also extends to any external organisations contracted to support or access nowhere information systems.
6.3. nowhere will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines. In the case of an employee, the matter may be dealt with under the disciplinary procedures.
7. Contact Information
7.1. The Security Team can be contacted on security@now-here.com.