Quality and Information Security Policy
1.1 General Policy
Spherica (‘the Company’) is committed to ensuring it provides the highest quality service possible while protecting information both internally and externally, for employees and customers. In order to achieve this, the Company ensures compliance with all relevant UK and EU legislation, and regularly reviews overseas partners’ certification and standards. The Company has also implemented and will maintain a Quality Management System (QMS) and an Information Security Management System (ISMS) in accordance with ISO 9001:2015 and ISO 27001:2013, and regularly updates its systems and processes to ensure legislative compliance.
The QMS and ISMS apply to the control of the entire Company, its premises and its resources in the UK. As such, this policy provides a framework for setting, monitoring, reviewing and achieving the Company’s objectives, programmes and targets with regard to quality and information security.
The Company is committed to preserving the confidentiality, integrity and availability of all information security management systems and documentation, in order to ensure that the Company manages information risk. As a result, the Company is able to:
- Ensure that the needs of employees, customers and the requirements of corporate governance are met.
- Establish confidence that partnership arrangements, involving the exchange and sharing of information, are legal and secure.
- Ensure that all security features, e.g. procedures and policies, are fully implemented, effective and correct.
- Be assured that the services and products offered by third party suppliers of information security assurance are adequate and fit for purpose.
Information security requirements to establish, implement, maintain and continually improve information security within a management system will continue to be aligned with the Company’s objectives, the Company’s general practices, the GDPR, the ISMS and other applicable legislation.
The implementation of, review of and commitment to information and data security compliance will enable all who work on behalf of the Company to work efficiently, effectively and securely. Commitment to the Company’s information security requirements will ensure that all electronic operations, exchange of documentation/data, office working and remote working are carried out to an acceptable standard, while reducing any information-related risks to an acceptable level.
The Company has documented QMS and ISMS objectives which are reviewed at least annually to ensure that the objectives set are being furthered. These objectives are supported by documented policies, procedures and templates to ensure a high level of quality is maintained and reduce any risk to the security of information within the Company’s systems.
The overarching quality and information security policy and objectives of the Company are as follows:
- Information will be protected against unauthorised access.
- Procedures and policies regarding information security will be regularly reviewed to ensure confidentiality is maintained, as well as to maintain a high standard of work.
- Regulatory and legislative requirements relevant to the business as a whole and information systems, including the processing of information, will be met, i.e. relevant Data Protection legislation, to ensure that the integrity of information is maintained.
- Business Continuity Plans will be established, maintained and tested.
- Training will be available to all staff (and any relevant third parties), as well as the provision of all necessary resources and equipment.
- Business requirements for availability of information and systems will be met.
- Any breaches, actual or suspected, of procedure, policy or security will be investigated and reported as necessary.
- Compliance with all applicable legislation will be maintained.
- All employees will be made aware of their individual obligations in respect of this policy and the Company as a whole.
- The management systems will achieve the objectives that are set, and the Company will seek continual improvement in the effectiveness and performance of its management systems.
1.2 Risk Assessment
The Company’s management systems are applicable to the entire business, covering home workers, customer sites and remote access working. Therefore, the Company will identify any risk to or from any assets, decide which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered policies, procedures and controls.
Further to the information security standard, the focus of all risk assessments carried out is to evaluate any risk and to ensure that the confidentiality, integrity and availability of the information held is sufficiently safeguarded. This is achieved by ensuring that robust procurement processes, contractual agreements and relevant Company policies are in place and communicated to employees and, where relevant, to third parties or customers.
1.3 Roles and Responsibilities
All roles and responsibilities will be reviewed in line with Company needs and the management system requirements.
All employees, contractors and third parties with access to the Company’s systems are expected to comply with this policy, any management system standard that is achieved and the relevant legislation, as is appropriate to their role.
The Company will regularly review the impact of its partners and third parties on the Company’s ability to comply with the quality and information security standards. This will be done through regular reviews of the services offered or provided by third parties and of their ability to uphold the best information security standards they can, in order to support the Company in maintaining its QMS and ISMS.
1.4 Monitoring and Review
To ensure the Company maintains its commitment to continuous improvement, the QMS and ISMS are regularly reviewed by “Top Management” to ensure they remain appropriate and suitable to our business. The QMS and ISMS are subject to both internal and external annual audits.
This policy has been approved by Company management and shall be reviewed annually.