Information Security & Data Protection
How the Institute protects its information assets and those entrusted to it — aligned to ISO/IEC 27001 principles and the EU NIS2 Directive where applicable.
Scope
This policy covers all information assets under the Institute's control, including client data, project information, personnel data, intellectual property and operational systems.
Principles
- Confidentiality. Access is granted on a need-to-know basis.
- Integrity. Information is accurate and protected from unauthorised modification.
- Availability. Systems are available per agreed service levels.
- Accountability. Actions are attributable and audit-logged.
Controls
The Institute applies a risk-based controls framework aligned to ISO/IEC 27001, including:
- Access management and multi-factor authentication
- Network segmentation and perimeter protection
- Encryption in transit (TLS 1.2+) and at rest where appropriate
- Endpoint protection, patching and vulnerability management
- Backup and disaster recovery aligned to RTO/RPO targets
- Secure software development for internal platforms
- Supplier security assessment and data-processing agreements
Incident response
The Institute maintains an incident response plan, including detection, containment, eradication, recovery and notification. Personal data breaches are notified per GDPR Article 33 timelines. Reportable cyber incidents are notified per applicable law (including NIS2 where in scope).
Business continuity
A business-continuity plan aligned to ISO 22301 principles ensures continuity of essential services during disruption.
Staff awareness
All personnel receive onboarding and annual security and privacy awareness training.
Questions about this policy?
For questions related to this policy, contact the Institute directly or email the compliance team.