Company Policy Documents

Propeller Studios ISMS Policy Document

Information Security Management Systems Policy Document

ISO27001:2013
ISMS POLICY DOCUMENT

Version 1
September 2014

Table of Contents

1 Introduction
2 Issue Status
3 Overview of PROPELLER STUDIOS LTD
3.1 Scope of Registration
4 Information Security Management System
4.1 Documented Information
4.1.1 Control of Records
4.1.2 Control of Records
5 Management Commitment
5.1 Role of Senior Management
6 ISMS POLICY
6.1 Introduction
6.2 Scope of the Policy
6.3 Legal and Regulatory Obligations
6.4 Roles and Responsibilities
6.5 Strategic Approach and Principles
6.6 Business Continuity Management
6.7 Approach to Risk Management
6.8 Information Security Objectives
6.9 Responsibility, authority and communication
6.10 Management Review
6.11 Review Input
6.12 Review Output
7 Provision of Resources
7.1 Human Resources General
7.2 Infrastructure
8 Risk Assessment Methodology
8.1 Risk Treatment Plan
9 Measurement, Analysis & Improvement
9.1 Information Security Standards
9.2 Internal ISMS Audits
9.3 Monitoring & Measurement of Processes
9.4 Monitoring & Measurement of Service
9.5 Analysis of Data
9.6 Continual Improvement
9.7 Corrective Action and Improvement
9.8 Complaints Policy
9.9 Preventative Action
10 Appendices
10.1 Appendix 1 Organisation Chart
Appendix 2 List of Controlled Documents

1 INTRODUCTION
This document is the ISMS Policy Document of PROPELLER STUDIOS LTD. It is the property of PROPELLER
STUDIOS LTD and is a controlled document.

The purpose of the ISMS Policy Document is to provide an overview of the company, the activities it carries
out and the quality standards of operation it conforms to. It is not designed to act as a procedure manual,
although it does carry information about where procedure information is located and the detailed
information on Documentation Requirements for essential procedures, e.g. document control and control of
records, internal audit, and corrective/preventative action (please see Procedures Log).

Throughout this ISMS Policy Document there are explanations of the requirements of the standard,
paraphrased and appended in smaller grey text. Each explanation precedes a section explaining how the
company implements that particular aspect of the standard.

2 ISSUE STATUS
The issue status is indicated by the version number in the footer of this document. It identifies the issue
status of this ISMS Policy Document.

When any part of this ISMS Policy Document is amended, a record is made in the Amendment Log shown
below.

The ISMS Policy Document can be fully revised and re-issued at the discretion of the Management Team.

The ISMS Policy Document will be reviewed on a quarterly basis as standard.

Please note that this ISMS Policy Document is only valid on the day of printing.

| Issue | Amendment | Date | Initials | Authorised |
|---|---|---|---|---|
| 1 | 1st Authorised Issue | 31/09/2014 | A.D.H | A.D.H |

3 OVERVIEW OF PROPELLER STUDIOS LTD


Propeller Studios Ltd provide clients with products and services that help them to win work, control costs,
manage processes and share information through the use of our cloud based, online computer software.

We have a retained client base of over 300 organisations. They represent a wide demographic of the
service sector, although we do specialise in the construction industry.

As bid consultants, we understand the challenges associated with completing PQQs and tenders. We
provide a comprehensive range of tender writing and graphic design services that require us to store and
use client data.

We have developed and sell EasyPQQ which is an online computer application. EasyPQQ has a worldwide
user base, acting as a knowledge hub, search engine and bid management tool. It is used by a wide range
of organisations, from multinationals to local SMEs.

We have also developed a cloud-based computing solution, EasyBOP which is an integrated Business
Operations Platform that unifies all company processes with one enterprise-level solution.

As a consequence of our business activity it is essential that we operate a clearly defined and robust
approach to the security of our own and our clients' data.

3.1 Scope of Registration


Provider of online, cloud based computer systems used by third parties to create, store and reuse digital
information.

4 INFORMATION SECURITY MANAGEMENT SYSTEM

PROPELLER STUDIOS LTD has a commitment to quality and a formal information security management
system (ISMS) that addresses the following areas:

Quality
Performance monitoring and review
Policy and Procedures
Managing external relationships
Financial Management
Strategic and business planning
Human resource development
Service innovation.

4.1 DOCUMENTED INFORMATION

4.1.1 Documents
All documents are maintained and controlled by the Managing Director. Policy and procedure documents
are reviewed annually. Any documents requiring amendment are updated, authorised, and completed. All
updates to documents are signed and dated by the Managing Director. Documents are re-issued as an
electronic PDF document and a limited number of hard copies are produced. Obsolete documents will be
archived and restricted by the Managing Director; electronic copies of all past versions are kept. All
managers hold responsibility for cascading information to staff.

4.1.2 Records
All project records are stored in appropriate electronic folders and managed by respective departments.
Hard copies of documents are restricted to a minimum and should not be produced unnecessarily.
Electronic records are encouraged over hard copies due to environmental concerns, available storage space
and to prevent unnecessary expenditure.

5 MANAGEMENT COMMITMENT

5.1 Role of Senior Management


PROPELLER STUDIOS LTD's Senior Management Team are committed to the development and
implementation of an Information Security Policy, an Information Security Management System, and to
frequently review this system. Responsibility has been assigned to ensure that the ISMS conforms to the
requirements of the standard, and the provision for reporting on performance to the Senior Management
Team has been defined.

The Managing Director will ensure that PROPELLER STUDIOS LTD staff are aware of the importance of
meeting customer, statutory and regulatory requirements and, overall, of contributing to achieving
PROPELLER STUDIOS LTD's Information Security Objectives, which are aligned with the current business
plan.

The Senior Management Team is responsible for implementing the ISMS and ensuring the system is
understood and complied with at all levels of the organisation. They are responsible for ensuring that:

The information security policy and objectives are established and in line with the strategic direction of the organisation
The ISMS is integrated into the organisation's processes
The resources needed for the ISMS are available
Communication covering the importance of effective information security management and conformance to the ISMS requirements is in place
The ISMS achieves its intended outcome(s)
Persons involved contribute to the effectiveness of the ISMS through direction and support
Continual improvement is promoted
Other management roles within their area of responsibility are supported

An internal audit of procedures and policies is conducted annually in September. A review of the
Information Security Objectives takes place in July. In addition, achievement of the quality objectives is
measured against quarterly targets set in relation to the business plan. Staff contribution towards the
Information Security Objectives is measured in supervision and documented annual appraisals in October.

6 ISMS POLICY

6.1 Introduction
This document is the Information Security Policy for PROPELLER STUDIOS LTD. It describes the company's
corporate approach to Information Security and details how we address our responsibilities in relation to
this vital area of our business. As a company we are committed to satisfying applicable requirements
related to information security and to the continual improvement of the ISMS.

Information Security is the responsibility of all members of staff, not just the senior management team,
and as such all staff should retain an awareness of this policy and its contents and demonstrate a practical
application of the key objectives where appropriate in their daily duties.

We also make the details of our policy known to all other interested parties, including external parties
where appropriate, and determine the need for communication relevant to the information security
management system and the methods to be used. These parties include, but are not limited to, customers
and clients, whose requirements are documented in contracts, purchase orders, specifications etc.

Compliance with the policy will be verified by a continuous programme of internal audits.

6.2 Scope of the Policy


The scope of this policy relates to use of the database and computer systems operated by the company at
its data centre in London and offices in Hitchin, in pursuit of the company's business of providing tender
consultancy and providing online computer applications. It also relates where appropriate to external risk
sources including functions which are outsourced.

Integration: we maintain a number of flow charts which illustrate key business activities and their
correspondence to ISMS requirements.

6.3 Legal and Regulatory Obligations


Data Protection Act 1998
Employment Agency Act 2003

6.4 Roles and Responsibilities


Our Information Security Manager (this role is carried out by our Managing Director) is responsible for
randomly sampling records to ensure that all required data has been captured, and that data is accurate
and complete. It is the responsibility of all staff to ensure that all data is treated with the utmost
confidentiality, and that no data is given out without the prior authority of any person affected.

6.5 Strategic Approach and Principles

6.5.1 Information Classification


All staff have access to the company business operations database, which is the only software used to
manage company workflow. It is structured to have different access levels. Access levels are issued to staff
when they are employed and the access provided is relevant to the staff member's job role. All staff
actions within the database are recorded within an audit log, meaning that the company always has access
to information allowing it to assess which data has been viewed by each staff member. Access privileges
are reviewed annually at appraisal or as required during promotions or a change in scope of job role.

Client data is maintained within a separate database located at our data centre in London. Staff access to
the database is restricted to the senior management of the applications development team and customer
services staff. Control for applications development staff is maintained through access from an identified IP
address and a minimum 9-character alphanumeric code. These are maintained in a register and new
permissions can only be generated by the Managing Director or Application Programming Director. Access
for Customer Services Staff is limited through permissions granted by our ultimate client and a 9-character
alphanumeric code.

The following table provides a summary of the information classification levels that have been adopted by
Propeller Studios Limited. Detailed information on defining information classification levels and providing
appropriate levels of security and access is provided in the Data Security Policy.

| Security Level | Definition | Examples |
|---|---|---|
| Confidential | Normally accessible only to specified members of Propeller Studios Limited | Sensitive personal data; salary information; bank details; source code files, client data stored on systems; passwords; client tender documents |
| Restricted | Normally accessible only to specified members of Propeller Studios Ltd staff or clients | Personal Data; Board Reports; System Designs, client data held on our systems |
| Protected | Normally accessible only to specified members of Propeller Studios Ltd staff or clients | All information held on EasyBOP company management system. Internal correspondence, Analytics and AdWords accounts. |
| Open | Accessible to all members of the public | Annual accounts, newsletters, blog posts, product information releases, brochures, product updates, outage notices. Information available on the Propeller Studios Limited websites. |

6.5.2 Access Control


All client user accounts contain information that is sensitive to the client. There are therefore security
partitions between client data sets which are set programmatically when new client accounts are created.

Registered users of our application can only ever see the data stored in their own company account. Both
applications' core logic architecture has been designed to run as a multi-user environment from
inception. Data segregation is enforced through a unique client identifier and is persistent through the
application programming logic, the database table relationships, and the file system structure.

Best practice with respect to client password administration is enforced through the minimum requirement
for password strength. This is a minimum 9-character, case-sensitive, alphanumeric string.

Access to the company business operations database is restricted by password. Passwords MUST NOT be
written down either on paper or retained electronically. Passwords will be changed on a six-monthly basis
and the last twenty passwords may not be reused.

Passwords should be no less than 9 characters in length and consist of numbers and both upper-case and
lower-case letters.

6.5.3 Incident Management


Any and all incidents must be reported immediately in the first instance to the Managing Director who also
fulfils the role of Information Security Manager. Please refer to the Information Security Incident
Management Policy.

6.5.4 Physical Security


Access to the office is via three separate locks on the main door. The office is also protected with intruder
alarms outside of office hours, linked to the Redcare police alert system. The Hitchin Server Room is
protected by a security door with an access code known only to authorised personnel. All client data is held
on remote servers located within an outsourced data centre which has ISO27001:2005 level security in place.

6.5.5 Third-Party Access


Third party access is not permitted to our systems, save for two vendor rated suppliers. These partners are
required to provide internet connectivity and support on our hosting systems. Access is only granted on a
permit to work basis issued by either the Managing Director or Application Programming Director.

6.6 Business Continuity Management


The Company has continually reviewed and improved its own arrangements for the maintenance, security
and backup of the collection of computers that make up its hosting array. The schematic diagram below
depicts the way in which the system is configured.

The primary array: this collection of computers, switches, firewalls and hard storage units makes up the
day-to-day system that delivers the company's hosting services.

The secondary array: this collection of computers is located in a separate datacentre in Wilbury Way,
Hitchin and acts as our third-level backup.

The Primary and Secondary Array


The Primary hosted virtualisation platform has been designed to deliver the following:

Fully redundant infrastructure
A high level of security
Flexible server infrastructure, allowing hot upgrades with minimal downtime
Flexible, upgradable and resilient storage
Redundant backups both onsite and offsite
24 hour on call support service

The Primary array has been designed so that no single piece of hardware can cause a system wide failure
of any service. Utilising the Microsoft Hyper-V 2008 R2 platform and Open-E VSS V6 SAN storage devices,
automatic failover of key hardware has been designed, and tested, so that the virtual servers will
automatically switch to the live server in the event of a hardware failure.

The hardware is connected using multiple switches configured in a crossover setup. This adds the ability
for any single network device to fail without interruption to service. The largest impact that will be felt will
be a slight data access performance degradation if a SAN switch is compromised.

All data at the Primary array is backed up locally, and then transferred to the Secondary array (Hitchin
Disaster Recovery site) during off peak times where historic copies of data are stored.

In the event of any failure, our engineers are contacted by email and text message with the details of the
failure.

They will then respond to any support call within their SLA times:

8-6 Monday to Friday:
  Critical Failure: 30 minute response
  Other Failure: 1 hour response
24 Hours:
  Critical Failure: 1 hour response
  Other Failure: 2 hour response

In most cases the response times will be far below the above. Our aim is to respond to any type of failure
within 5 minutes.

Security of the Primary and Secondary Array


The security configuration at the data centre comprises two dedicated firewalls configured in tandem for
fault tolerance. They are locked down to only allow web traffic (ports 80 and 443) from public internet
addresses. All other traffic is blocked to prevent unauthorised access to critical servers.

Web traffic is routed through a ModSecurity Web Application Firewall, providing another level of
protection, as public web access does not have direct access to the application servers.

Access is permitted from specific IP addresses to specific ports and servers for management by
Propeller Studios and their strategic partners. Communication between servers takes place on an internal
private network, not connected to the public internet. The Storage Area Network is also completely offline
with no direct internet access.

6.7 Approach to Risk Management


We have carried out a full risk assessment of the potential for a breach of security as documented within
our separate Risk Assessment Document.

We aim to reduce all opportunities for data to be compromised. This includes the possibility of theft of data.

6.7.1 Action in the event of a policy breach


Access to the system is centrally controlled and removal of access to the system is a very simple procedure,
which is controlled by the Information Security Manager.

Similarly, access to the premises is also controlled by the Information Security Manager. Door entry access
is restricted by passcode and security fob issued to staff. Entry codes are easily changed if required due to
staff leaving.

As soon as a policy breach has been detected, any relevant user is either removed or reset, depending
upon the most appropriate action in the circumstances.

6.8 Information Security Objectives


Our objectives are set out in our business plan 2015-2017 and are then disseminated to each
department/project for incorporation into their management roles. Each department is responsible for
delivering its objectives and this is monitored via individual appraisals and team meetings. PROPELLER
STUDIOS LTD's Quality Objectives are as follows:

Objective 1: Existing services - PROPELLER STUDIOS LTD will continue to deliver its services within a
secure environment

Objective 2: Development - PROPELLER STUDIOS LTD will conduct annual risk assessments to ensure that
risk to information in the care of PROPELLER STUDIOS LTD is minimised or eliminated.

6.9 Responsibility, Authority and Communication


The management structure of PROPELLER STUDIOS LTD is shown as an organisation chart (see Appendix);
the chart shows functional relationships and responsibilities.

6.9.1 Management Representative


The Information Security Officer is responsible for the maintenance, measurement and review of our
Information Security Management System. The Information Security Officer will ensure that the processes
needed for the Information Security Management System are established, implemented and maintained
within PROPELLER STUDIOS LTD. In addition he/she will report to SMT about system performance.

6.9.2 Internal Communications


Senior management utilise PROPELLER STUDIOS LTD's internal communications framework in order to
disseminate information about the effectiveness of the Information Security Management System.

6.9.3 Implementation
Following the annual audit, results will be collated and disseminated through PROPELLER STUDIOS LTD's
internal communications framework:

6.10 Management Review

6.10.1 General
Senior Management ensures:

That the ongoing activities of PROPELLER STUDIOS LTD are reviewed regularly and that any required corrective action is adequately implemented and reviewed to establish an effective preventative process
Measurement of PROPELLER STUDIOS LTD's performance against our declared Information Security Objectives
That internal audits are conducted regularly to review progress and assist in the improvement of processes & procedures. The reviews will be discussed as part of PROPELLER STUDIOS LTD's SMT meetings
That employees have the necessary training, support, specifications and equipment to effectively carry out the work.

The management team hold planning and review meetings every month. Minutes of these are taken and
the agenda normally includes an update and discussion around the current work of all departments and
services.

6.11 Review Input


The monthly Server Committee meetings review the following information:

Risk management and the status of risk assessments and treatment plan
Monitoring and measuring of results including internal audits
Fulfilment of information security objectives
Serious untoward incidents
Status of preventive actions, non-conformances and corrective actions
Follow up actions from previous management reviews
Changes in external and internal issues that are relevant to the ISMS
Recommendations / opportunities for continual improvements.
Feedback from interested parties

6.11.1 Implementation

Meetings are scheduled
A suggested agenda is prepared by the chair
Members invited to add items to the agenda
Agenda is circulated to members

Meeting takes place
Actions defined
Meetings are minuted by a designated staff member
Minutes are approved by Chair
Minutes are circulated amongst members
Completion of actions is reviewed at the next meeting.

6.12 Review Output


The Senior Management Team reviews produce the following outputs:

Policies and procedures are updated to make operations more efficient
Operations and services are improved through measurement against targets and actions to improve or rectify specific areas.
Where resources are lacking, actions are put in place to rectify this.

6.12.1 Implementation

Corrective actions are identified
Targets created
Improvements actioned
Situation re-evaluated at a specified later date.

7 PROVISION OF RESOURCES
PROPELLER STUDIOS LTD will provide all the resources needed to implement and maintain the Information
Security Management System and improve effectiveness of the system. PROPELLER STUDIOS LTD will also
ensure that the resources needed to enhance the satisfaction and requirements of service users, service
commissioners and staff are identified and in place through audit and continual review.

7.1 Human Resources General

7.1.1 Competence, Awareness & Training


We maintain a detailed Training Matrix demonstrating who has received what training and when.

7.2 Infrastructure
PROPELLER STUDIOS LTD's buildings, workspace, and associated utilities are managed by the Information
Security Manager. The procurement and management of hardware, software and supporting services such
as communication and information systems are also coordinated by the Information Security Manager.

We maintain a detailed asset register, including serial numbers, description and location or person to
whom assigned.

7.2.1 Implementation
Buildings, workspace and associated utilities requirements are regularly reviewed to ensure we make
efficient use of office space. Both hardware and software are reviewed on an ongoing basis to ensure that
head office staff are equipped with fit for purpose IT equipment and software.

IT systems are maintained and serviced by an external IT company in conjunction with the office manager.

The Managing Director prepares and distributes a wide range of information:

Management Accounts
Management & Performance information
Training updates

8 RISK ASSESSMENT METHODOLOGY


We have identified the following process as a means of conducting regular risk assessments relating to
Information Security Issues.

Within each of these areas the risks (if any) are identified together with a rating as to the importance of
the risk. The associated consequence or severity of the risk is also rated together with the probable
likelihood of the risk occurring.

We use an Excel spreadsheet to collect and analyse the risks identified in the following assets / asset
groups:

Buildings, offices, secure rooms security
Hardware: desktops, laptops, removable media
Software applications
Infrastructure / servers
Client information and data
Paper records
People and reputation
Key contacts
Critical third party suppliers
Utilities

All typical / likely threats have been assessed based on their potential effects on Confidentiality, Integrity
and Availability (CIA attributes) using a ratings scale of:

Very Low - 1, Low - 2, Medium - 3, High - 4 and Very High - 5, expressed across the key areas of
Vulnerability, Probability and Impact.

Following this analysis, evaluations are drawn as to what the most appropriate action is, together with the
estimated cost of implementing action to address the identified issue and an estimate of the cost of
ignoring the risk. The key evaluation criteria used are: 1 - Accept risk, 2 - Apply controls, 3 - Avoid risk,
4 - Transfer the risk.

8.1 Risk Treatment Plan - Statement of Applicability


The approach to our risk treatment plan has been designed and implemented using the main headings
within the standard (Annex A Table A.1 Control objectives and controls) as a guide to establish that all
controls required have been considered and that there are no omissions.

The document identifies controls to mitigate risks following the process of identification, analysis and
evaluation described in section 7 and is directly linked to the aspects of the organisation.

This document is kept within a secure file titled ISO270001 within the document section of the company
business operations database.

9 MEASUREMENT, ANALYSIS & IMPROVEMENT

9.1 Information Security Standards


In all PROPELLER STUDIOS LTD's services there is a specific set of quality measurements developed to
audit each service, so that a purchaser can be assured of the quality of delivery.

Service Level Agreements (SLA) are used to identify the areas of a contract that will be measured and
monitored.

9.1.1 Implementation
We review our performance as part of a continuous review of Management Information. These reports help
us to assess whether we are meeting our performance targets and provide us with month on month
business performance benchmarking information. PROPELLER STUDIOS LTD conducts annual audits, and
provides annual reports to our customers.

9.2 Internal ISMS Audits


The internal audit process is as follows:

9.2.1 Internal Audit Process Flowchart

9.3 Monitoring & Measurement of Process

9.3.1 Implementation
Where the agreed requirements are not met, an action plan clearly detailing compliance will then be
agreed with PROPELLER STUDIOS LTD's Information Security Manager, with a timescale for compliance set
at 6 months with the service commissioner or client.

9.4 Monitoring & Measurement of Service


Our approach determines what needs to be measured inclusive of security processes and controls, the
methods by which we ensure valid results, the periods and persons involved in conducting this activity and
the reporting frequency and the responsibility for analysing and evaluating the results.

We retain all documents and records involved in this process.


PROPELLER STUDIOS LTD establishes at the outset of a new service contract the reporting demands within
the Service Level Agreement. This process will be supported with the data reports compiled and will enable
the review to monitor performance, effectiveness of delivery, contract compliance and potential service
developments. PROPELLER STUDIOS LTD provides full information for this purpose on a quarterly and
annual basis.

9.5 Analysis of Data


Incident logs are used to record any Information Security incidents or breaches giving cause for concern,
and these are regularly assessed during the Management Review process to identify areas for
improvement.

9.5.1 Implementation
The data is collected by services and submitted to PROPELLER STUDIOS LTD's Research Department. Data
is monitored by Senior Management.

9.6 Continual Improvement


The organisation will continually improve the effectiveness of the Information Security Management
System through the use of the quality policy, quality objectives, audit results, analysis of data, corrective
and preventive actions and management review.

9.6.1 Implementation
We review our performance as part of a continuous review of Management Information, service-user /
customer feedback and comments. In particular we review our progress against our company information
security objectives (business plan aims), with a view to seeing what we can improve and where. The chart
below illustrates this process:

9.7 Corrective Action and Improvement


Both these areas are reviewed within the agenda for the Server Committee meetings and typically cover
the action taken to control and correct any non-conformances, noting any consequences of the action taken
and themes which may be evident.

In terms of continual improvement, we also review the suitability, adequacy and effectiveness of our ISMS.

9.8 Complaints Policy


PROPELLER STUDIOS LTD is committed to giving its clients the best possible service, involving them in the
planning of their treatment, and giving them opportunities to air any complaints that they may have on the
service we provide. To this end we operate the following procedure: Complaints Policy P0031

9.9 Preventative Action


PROPELLER STUDIOS LTD has various processes and procedures in place to ensure that preventative
action against nonconformities can be introduced, documented and seen through till completion to address
the initial problem.

The complex nature of the clients we work with demands that we have flexible but effective processes and
procedures in place.

However, PROPELLER STUDIOS LTD also uses internal and external audits and risk assessments to
continuously improve its service delivery, financial, HR and operational functions.

10 APPENDICES

10.1 Appendix 1 - Organisation Chart


Displayed on next page

Appendix 2 List of Controlled Documents

| Name | Reference | Version | Date | Renewal Date |
|---|---|---|---|---|
| Propeller Software Audit Form for Office based PC and Laptops | P0001 | V1 | 30/09/2015 | 30/09/2016 |
| Virus Software Compliance Check Form | P0002 | V1 | 30/09/2015 | 30/09/2016 |
| Company Appraisal Questionnaire | P0003 | V1 | 30/09/2015 | 30/09/2016 |
| Supplier PQQ to Join Supply Chain Database | P0004 | V1 | 30/09/2015 | 30/09/2016 |
| Supplier Performance Assessment Form | P0005 | V1 | 30/09/2015 | 30/09/2016 |
| Contract of Employment | P0006 | V1 | 30/09/2015 | 30/09/2016 |
| Supplier Terms and Conditions Contract | P0007 | V1 | 30/09/2015 | 30/09/2016 |
| Data Protection Policy | P0008 | V1 | 30/09/2015 | 30/09/2016 |
| Access Control Policy | P0009 | V1 | 30/09/2015 | 30/09/2016 |
| Secure Disposal of IT Equipment Policy | P0010 | V1 | 30/09/2015 | 30/09/2016 |
| Application and Hosting Policy | P0011 | V2 | 30/09/2015 | 30/09/2016 |
| Clear Desk Policy | P0012 | V1 | 30/09/2015 | 30/09/2016 |
| ISMP | P0013 | V1 | 30/09/2015 | 30/09/2016 |
| EasyBOP Terms and Conditions and Service Level Agreement | P0014 | V1 | 30/09/2015 | 30/09/2016 |
| EasyPQQ Terms and Conditions and Service Level Agreement | P0015 | V1 | 30/09/2015 | 30/09/2016 |
| Tender Writing Terms and Conditions | P0016 | V1 | 30/09/2015 | 30/09/2016 |
| Bribery Policy Statement | P0017 | V1 | 30/09/2015 | 30/09/2016 |
| Corporate Social Responsibility Policy | P0018 | V1 | 30/09/2015 | 30/09/2016 |
| Environmental Policy Statement | P0019 | V1 | 30/09/2015 | 30/09/2016 |
| Equal Opportunities and Diversity Policy | P0020 | V1 | 30/09/2015 | 30/09/2016 |
| Health and Safety Policy | P0021 | V1 | 30/09/2015 | 30/09/2016 |
| Health and Safety Policy Statement | P0022 | V1 | 30/09/2015 | 30/09/2016 |
| Quality Policy Statement | P0023 | V1 | 30/09/2015 | 30/09/2016 |
| Recruitment Policy | P0024 | V1 | 30/09/2015 | 30/09/2016 |
| Sustainability Policy | P0025 | V1 | 30/09/2015 | 30/09/2016 |
| Software Installation Policy | P0026 | V1 | 30/09/2015 | 30/09/2016 |
| Information Security Incident Management Policy | P0027 | V1 | 30/09/2015 | 30/09/2016 |
| Propeller Confidentiality Agreement | P0028 | V1 | 30/09/2015 | 30/09/2016 |
| Server Committee Monthly Compliance Audit Report | P0029 | V1 | 30/09/2015 | 30/09/2016 |
| Non-conformance Notice | P0030 | V1 | 30/09/2015 | 30/09/2016 |
| Outage Notification and Permit to Work | P0031 | V1 | 30/09/2015 | 30/09/2016 |
| Complaints Policy | P0032 | V1 | 30/09/2015 | 30/09/2016 |
| Complaint Form | P0033 | V1 | 30/09/2015 | 30/09/2016 |
| Business Continuity Policy | P0034 | V1 | 30/09/2015 | 30/09/2016 |
| Legal Register | P0035 | V1 | 30/09/2015 | 30/09/2016 |

This policy has been approved by:

Andrew Hammond
Managing Director

Propeller Reference Number: P0013
Version: V1
Document Owner: Andy Hammond
Date Last Reviewed: 30/09/2015
Date of Next Review: 30/09/2016
