Information Security Management Policy


Information Security Management Overview Policy

Document Owner: Pobl Tech Limited (T/A Pobl)

Overview

This document sets out how Pobl manages information security across the organisation.

It defines the governance framework, responsibilities, and controls we use to protect information assets, ensuring the confidentiality, integrity, and availability of systems and data.

Information security underpins how we design, deliver, and support all services, and forms a core part of our operational approach.

Scope

This policy applies to:

All employees, directors, and contractors
All information assets, systems, and services managed or accessed by Pobl
All devices, platforms, and environments used to deliver services

This includes internal systems, development and hosting environments, cloud platforms, and third-party services where Pobl has responsibility or access.

Our approach to security

We are committed to protecting information from unauthorised access, loss, disclosure, alteration, or disruption.

Information security is treated as a core business requirement and is embedded across:

Technical delivery
Operational processes
Day-to-day working practices

Our controls are proportionate to risk and aligned with recognised UK guidance, including Cyber Essentials and National Cyber Security Centre (NCSC) principles.

Governance

Overall responsibility for information security sits with senior management, with day-to-day oversight led by the Technical Director.

Our governance approach includes:

Defining and maintaining security policies and procedures
Identifying and managing information security risks
Overseeing incident management and response
Embedding security considerations into technical delivery
Regularly reviewing security posture and improvement actions

Roles and responsibilities

Technical Director

Responsible for:

Overall information security oversight
Risk assessment and mitigation
Approval of access to critical systems
Coordination of incident response
Ensuring alignment with legal and regulatory requirements

Technical and development team

Responsible for:

Following security policies and procedures
Applying secure development and configuration practices
Protecting credentials and access methods
Reporting security concerns or incidents

All staff

Responsible for:

Handling information securely
Following organisational security guidance
Reporting suspected risks or incidents

Risk management

Information security risks are identified and managed on an ongoing basis.

Risks may arise from:

Technical vulnerabilities
Human error or misuse
Third-party services
Changes to systems or environments
External threats

Risks are assessed based on likelihood and impact, with appropriate controls applied and reviewed over time.

Technical and organisational controls

We apply a layered approach to security, including:

Role-based access control and least privilege
Secure authentication and credential management
Regular patching and system updates
Network and application-level protections
Logging and monitoring of system activity

Controls are reviewed periodically to ensure they remain effective and appropriate.

Security awareness

Security awareness forms part of onboarding and ongoing working practices.

Team members are expected to understand their responsibilities in areas such as:

Data protection
Phishing and social engineering risks
Device and account security
Incident reporting

We encourage a positive reporting culture so that potential issues are identified and addressed early.

Incident management

Any suspected or confirmed security incident must be reported immediately and handled in line with our Incident Response Plan.

Incidents are:

Assessed and recorded
Managed in a structured and timely way
Reviewed to identify improvements and reduce future risk

Compliance and alignment

This policy supports compliance with:

UK GDPR and the Data Protection Act 2018
Cyber Essentials and Cyber Essentials Plus
NCSC guidance for secure systems and cloud services
Relevant contractual and client-specific requirements

While we do not claim formal ISO 27001 certification, recognised security principles are embedded across our delivery and operational practices.

Review and maintenance

This policy is reviewed:

At least annually
Following significant changes to systems, services, or regulatory requirements
Following major incidents or identified risks

Final note

Information security is not treated as a standalone process. It is part of how we work day to day, ensuring that the systems we build and support remain secure, reliable, and trusted over time.