DynaRisk Information Security Policy
1.0 Policy Objectives
❖ To direct the design, implementation and management of an effective Information Security
Management System (ISMS), which ensures that DynaRisk’s information assets are properly
identified and recorded, and afforded suitable protection at all times.
❖ To ensure the confidentiality, integrity and availability of DynaRisk’s information assets, and
supporting assets (including information systems) as defined within the Inventory of Assets.
❖ To ensure that all vulnerabilities, threats and risks to information assets and supporting assets
are formally identified, understood, assessed and controlled in accordance with DynaRisk’s
documented Risk Assessment Methodology.
❖ To ensure that DynaRisk’s employees, contractors and third party users comply with this
Information Security Policy, and all other ISMS documentation, through the provision of
effective information security training, awareness and ongoing monitoring activities.
❖ To ensure that DynaRisk is able to maintain full compliance with all applicable legislation,
regulations and contractual requirements, and any supporting management system
certifications (for example ISO/IEC 27001:2013).
2.0 Policy Scope
DynaRisk’s Information Security Policy shall include the following:
2.1 Information Assets
All information assets (data) either owned by DynaRisk or entrusted to DynaRisk by a client under an
agreement which specifically details DynaRisk’s responsibility for that data, and including:
❖ Information assets held, processed or stored on DynaRisk premises
❖ Information assets held, processed or stored at approved off-site premises or locations
2.2 Supporting Assets
All supporting assets (non-data) which by direct or indirect association are an integral part of ensuring
the confidentiality, integrity or availability of the information assets described in Section 2.1, including:
❖ Premises (including offices, factories, data centres, storage facilities, recovery sites etc.)
❖ Hardware (including servers, network infrastructure, laptop computers, desktop computers,
storage infrastructure and mobile devices)
❖ Software (including operating systems, commercially available software applications and
software applications developed internally by DynaRisk)
Doc Title: Information Security Policy Page 2
Doc Reference: ISDL01 Version Number: 1.0
❖ DynaRisk personnel (including permanent, temporary, full-time and part-time employees,
authorised contractors and any third party users of information systems)
2.3 Documentation and Records
All policies, processes, procedures, work instructions and records related to the management, use,
control and disposal of the information assets and their supporting assets detailed above.
3.0 Policy Statements
DynaRisk shall be committed to the protection of the information assets and supporting assets as
defined within the Scope of this Policy. DynaRisk has created its Information Security Management
System (ISMS) in accordance with the international Information Security Management Systems
standard ISO/IEC 27001:2013: this framework shall be followed for all information security related
activities, and DynaRisk shall seek to retain external certification against this standard.
To effectively manage and deliver its ISMS, DynaRisk shall:
3.1 Inventory of Assets
Define and maintain a comprehensive Inventory of Assets, including all information assets and
supporting assets as defined within Section 2.0 of this Policy. The Inventory of Assets shall detail a
named owner for each asset, who shall fully understand their responsibilities for the protection of the
asset in accordance with the documented DynaRisk Asset Management Policy (see ISDL05).
3.2 Access Control Policy
Ensure that all information assets, and their supporting assets, are protected so as to ensure their
confidentiality, integrity and availability is maintained. Access to information assets and supporting
assets shall be in accordance with DynaRisk’s Access Control Policy (see ISDL07), and be restricted
to the minimum required to undertake authorised business activities, and DynaRisk has adopted the
principle that “access is forbidden unless it has been specifically and formally pre-authorised”.
3.3 Information Classification and Handling
Ensure that all information assets shall be classified and handled in accordance with the DynaRisk
Information Classification and Handling Guide (see ISDL52), which details how information assets of
different sensitivities shall be managed, handled, processed, encrypted, stored, transmitted,
dispatched and disposed of when no longer required. This Guide also details the appropriate levels of
personnel screening or clearances necessary to access information of different classifications.
3.4 Acceptable Use
Ensure that all personnel, contractors and third party users comply with the DynaRisk Acceptable Use
Policy (see ISDL06) which details how information assets and their supporting assets should be used
in an acceptable manner and in accordance with all ISMS related policies and processes. This policy
shall detail the acceptable methods of use of information processing systems, networks (including, for
example, the internet and telephone systems) and other resources within the Scope of this Policy.
3.5 Risk Assessment
Perform regular risk assessments on all information assets, and their supporting assets, as detailed
within DynaRisk’s Risk Assessment Methodology (see ISDL31), and using the control objectives and
controls as documented within Annex A of ISO/IEC27001:2013. The documented results of risk
assessments shall be reviewed to understand the level of risk to information and supporting assets,
and appropriate controls implemented as appropriate to address any unacceptable risks that have
been identified. A Statement of Applicability (SoA) shall be produced to record which controls have
been selected and the reasons for their selection, and the justification for any controls not selected.
3.6 Information Security Incidents
Provide a mechanism for the prompt identification, reporting, investigation and closure of information
security incidents to DynaRisk, in accordance with the Information Security Incident Policy (see
ISDL04), and to fully analyse reported incidents to identify the root cause of issues and take
advantage of any improvement opportunities which may have been identified.
3.7 Access to Information and Systems
Ensure that an Access Control Policy (see ISDL07) is in place to protect all DynaRisk networks,
information systems and information assets from any unauthorised access. Legitimate remote access
shall only be granted in accordance with the policy to bona-fide personnel, contractors and third party
users, and only applies to access from DynaRisk approved devices. Remote connections shall be
used strictly in accordance with the Acceptable Use Policy. Remote access shall be regularly reviewed
and any connections that are no longer required shall be removed immediately.
3.8 Business Continuity Management
Ensure that information security is a key consideration within the Business Continuity Management
Policy (see ISDL08), so that the security of DynaRisk information assets is not compromised even
when faced with a wide variety of unplanned business interruptions.
3.9 Information Security Training
Develop a regular training and education programme, in accordance with the Information Security
Training Policy (see ISDL02), which shall be mandatory for all DynaRisk employees, contractors and
third party users, which details their individual responsibilities to fully adhere to the requirements of the
ISMS policies, processes and work instructions defined within Section 2.0 of this Policy.
3.10 Management, Monitoring and Review
Continually monitor, review and improve the DynaRisk ISMS, in accordance with the Management
Review Policy (see ISDL09), by undertaking regular reviews, internal audits (in accordance with the
Internal Audit Policy ISDL14) and other related activities, and taking prompt corrective actions and
implementing improvement opportunities in response to the findings of these activities.
3.11 Legislative Compliance
Ensure that, at all times, its Information Security Management System shall support full compliance
with the following UK legislation and regulations, including but not limited to:
Doc Title: Information Security Policy Page 4
Doc Reference: ISDL01 Version Number: 1.0
❖ Data Protection Act 1998
❖ Human Rights Act 1998
❖ Computer Misuse Act 1990
❖ Copyright, Designs and Patents Act 1988
❖ Companies Act 1985
❖ Electronic Communications Act 2000
❖ Payment Card Industry Data Security Standard (if applicable)
4.0 ISMS Responsibilities
4.1 Employees, Contractors and Third Party Users
Within DynaRisk, all employees, contractors and third party users shall understand their role in
ensuring the security of information assets (and their supporting assets) in accordance with the
Information Security Training Policy (see ISDL02) as detailed in Section 3.0.
There are, however, additional responsibilities defined in order that the ISMS shall operate efficiently
and in accordance with the requirements of ISO/IEC 27001:2013. These are detailed below.
4.2 Senior Management
The Managing Director and Director Team shall be responsible for the following activities within the
DynaRisk ISMS:
❖ Agreeing the business need for this ISMS, and communicating their ongoing commitment to it
❖ Reviewing and signing off this Information Security Policy
❖ Setting and reviewing DynaRisk’s Information Security Objectives
❖ Assigning appropriate resources necessary to manage and operate the ISMS effectively
❖ Agreeing the level of acceptable risk within the Risk Assessment Methodology (see ISDL31)
❖ Approving any decisions not to address any unacceptable residual risks, where identified
❖ Having ultimate responsibility for actions related to information security incidents/breaches
❖ Overseeing any disciplinary action resulting from information security incidents/breaches
4.3 Information Security Manager
The Information Security Manager shall have functional responsibility for the DynaRisk ISMS, and
shall be responsible for the daily operational tasks of the ISMS, including:
❖ Ensuring an appropriate structure of ISMS policies, processes and work instructions
❖ Ensuring that appropriate records are created and maintained for all ISMS activities
❖ Ensuring the ISMS operates in accordance with the current requirements of ISO27001
❖ Arranging a programme of risk assessments, risk treatments and internal audits
❖ The preparation and communication of the Statement of Applicability
❖ The provision of an appropriate user training and awareness programme for employees
4.4 Operations Manager
The Operations Manager shall be responsible for:
❖ Overall management of the information security controls in production processes
❖ Overall management and functionality of DynaRisk’s business continuity plan
❖ The provision of a user training and awareness programme for suppliers and contractors
❖ The design and review of technical security controls, including DynaRisk networks
❖ Supporting reviews, internal audits and risk assessments within their area of responsibility
Doc Title: Information Security Policy Page 6
Doc Reference: ISDL01 Version Number: 1.0
4.5 Department/Function Managers
Managers within DynaRisk shall be responsible for:
❖ Ensuring their team members are aware of and remain compliant with all information security
policies, processes and work instructions, and that they receive appropriate training
❖ The provision of a user training and awareness programme for applicable third party users
❖ Supporting reviews, internal audits and risk assessments within their area of responsibility
4.6 Asset Owners
As per the Asset Management Policy (ISDL05), designated Asset Owners shall be responsible for:
❖ Assessing the value of their asset(s) to the DynaRisk
❖ Undertaking detailed risk assessments on their asset(s), including the identification of controls
and assessing their effectiveness (as per the Risk Assessment Methodology ISDL31)
❖ Addressing any unacceptable risks (as per the Risk Assessment Methodology ISDL31)
❖ Assisting in the investigation, resolution and closure of any information security incident which
directly or indirectly affects the security of their asset(s)
❖ Reviewing and authorising the levels of access to their asset(s) which are granted to others
(as per the Access Control Policy ISDL07)
❖ Contributing to the Acceptable Use Policy (ISDL06), specifically for the use of their asset(s)
4.7 Control Owners
As per the Asset Management Policy (ISDL05), Control Owners shall be responsible for:
❖ The way in which their assigned control(s) are selected, implemented and operated
❖ Understanding which asset(s) are reliant upon each of their assigned controls
❖ Providing feedback to asset owners on the operation of each control, to assist them in
undertaking accurate risk assessments of their asset(s)
❖ Assisting in the investigation, resolution and closure of any information security incident which
actually or potentially indicates the failure of a control
This Policy needs to be formally reviewed on a yearly basis, as a minimum, or if required changes are
identified to address one or more of the following:
❖ A change in business activities, which will or could possibly affect the current operation of the
DynaRisk Information Security Management System.
❖ A change in the manner in which DynaRisk manages or operates its information assets and/or
their supporting assets.
❖ An identified shortcoming in the effectiveness of this Policy, for example as a result of a
reported information security incident or an audit finding.
The current version of this Policy, together with its previous versions, shall be recorded below.
Version Description