ISMS Policy
1. Purpose
1.1. Nowhere Group Limited (‘nowhere’) has an Information Security Management System (ISMS) and Security Team in place to ensure that its data assets are protected from all threats, whether internal or external, deliberate or accidental.
1.2. This policy provides information as to how nowhere aims to meet these requirements, with reference to key processes and policies, as appropriate.
1.3. It includes any information which, if disclosed or made publicly available, could damage nowhere’s clients, commercial or financial interests, privacy, reputation or employability (‘Confidential Client and Company Data’), as well as any information that relates to an identified or identifiable living individual (‘Personal Data’).
2. Objectives
2.1. nowhere has established and will continually improve the ISMS in accordance with the ISO27001:2013 standard. This standard demonstrates that nowhere is committed to following information security best practices, and provides an independent, expert verification that information security is managed in line with international best practice and business objectives.
2.2. nowhere’s ISMS provides a framework for all the policies and procedures involved in the information risk management process, including all legal, physical and technical controls.
2.3. nowhere has the following four main objectives:
2.3.1. Objective 1: To continue to deliver services within a secure environment.
2.3.2. Objective 2: To conduct continuous risk assessments to ensure that risk to information is minimised or eliminated, with an annual review of all processes.
2.3.3. Objective 3: To follow and comply with legislation and client contracted requirements.
2.3.4. Objective 4: To communicate our commitment towards the ISMS to maintain internal and external confidence in our:
2.3.4.1. Preparedness and achievements;
2.3.4.2. Capability to face events;
2.3.4.3. Ability to recover from crisis.
2.4. nowhere will provide all the resources of equipment, trained and competent staff and any other requirements to enable these objectives to be met.
3. Scope
3.1. This policy applies to all nowhere employees, consultants, contractors and associates operating on behalf of nowhere (‘Staff’), who have access to Personal and Confidential Client and Company Data.
3.2. The scope of this policy relates to nowhere’s delivery of its business management consultancy services and digital products to corporate clients, public sector organisations, licensees and individuals. It also relates where appropriate to external risk sources including functions which are outsourced.
3.3. This policy also applies to the running of all nowhere services, including:
3.3.1. The delivery of products and services to clients.
3.3.2. The delivery of training and licensed products to nowhere licensees.
3.3.3. The provisioning of products to clients and the clients of nowhere licensees and trading associates.
3.3.4. The gathering of client and marketing data.
3.3.5. The use of third-party ISPs and developer tools.
4. Policy
4.1. nowhere will share this policy with all interested parties, including external parties where appropriate, and determine the need for communication and the relevant methods by which to communicate.
4.2. nowhere will ensure that all Personal and Confidential Client and Company Data is processed lawfully and stored with appropriate confidentiality procedures as per nowhere’s Access Control, Change Management, Cryptography, Data Handling, Logging and Monitoring, Server Security and Software Development policies.
4.3. All legal requirements, codes of practice and all other applicable requirements to our activities will be met to ensure the continual improvement of the ISMS.
4.4. The ISMS is subject to regular internal audits and external annual audits, which cover the requirements of the ISO27001:2013 standard.
4.5. A Business Continuity Plan and an IT Disaster Plan are maintained and tested to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
4.6. The Security Team will establish and implement information security continuity controls at regular intervals in order to ensure that they are valid and effective during business-critical situations.
4.7. The Security Team’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) must be reviewed independently at planned intervals or when significant changes occur.
4.8. Information security awareness, training and resources will be made available to all Staff.
4.9. It is the responsibility of each member of Staff to adhere to the nowhere ISMS Policy and all related IT policies such as the Devices and Remote Access Policy.
4.10. It is the responsibility of each member of Staff to consider all possible information security risks before starting any new client or software development work to minimise any damage to Personal and Confidential Client and Company Data.
4.11. Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained by the Security Team to ensure the continual improvement of the ISMS.
5. Compliance
5.1. All relevant legislative, statutory, regulatory and contractual requirements, and nowhere’s approach to meeting these requirements, must be explicitly identified, documented and kept up to date for each information system and for the organisation.
5.2. Information systems must be regularly reviewed for compliance with nowhere’s information security policies and standards.
5.3. Appropriate procedures must be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
5.3. Records must be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.
5.5. Privacy and protection of personally identifiable information must be ensured as required in relevant legislation and regulation where applicable.
5.6. The Security Team must ensure that regular compliance reviews of information processing and procedures are completed with the appropriate Staff, against security policies, standards and any other security requirements.
6. Personnel Responsible for this Policy
6.1. The Security Team has direct responsibility for maintaining the ISMS Policy and ensuring it remains appropriate and suitable to the business.
7. Breaches of Policy
7.1. Breaches of this policy and/or security incidents are defined as events which have resulted, or could have resulted, in loss or damage to nowhere assets, or events which are in breach of nowhere security procedures and policies.
7.2. All nowhere employees, consultants, contractors and associates have a responsibility to report security incidents and breaches of this policy as quickly as possible to the Security Team. This obligation also extends to any external organisations contracted to support or access nowhere information systems.
7.3. nowhere will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines. In the case of an employee, the matter may be dealt with under the disciplinary procedures.
8. Contact Information
8.1. The Security Team can be contacted on security@now-here.com.