Information Security Statement Policy

At the Chartered Institute of Export & International Trade, we recognise our duties under current Information Security and GDPR legislation and the requirements of the ISO 27001:2013 standard and confirm that we will endeavour to meet the requirements of all to maintain a safe and secure working environment for all of our interested parties.

Our Executive Committee are identified as responsible and accountable under the organisation’s RACI and regularly review their responsibilities on a quarterly basis during EC meetings. The EC confirm that they are committed to ensuring they take all reasonable and required precautions and actions applicable to the organisation’s ISMS with the intention of ensuring the confidentiality, integrity, and availability of our information security system is not compromised and to maintain that all information security assets that are within the organisation’s control.

The Legal and Compliance Department have reviewed and identified some of the information security risks applicable whilst performing the organisation’s business as usual activities and confirm that we carry out risk assessments and privacy by design as the outset of any information security project and whenever a requirement to review occurs such as change management or a change in processing or when an interim review is required.

As part of our ongoing commitment to providing a secure information security environment we also recognise our duty, so far as is reasonably practicable to comply with the following actions at all times to enable the success of the ISMS: -:

· To meet our legal obligations to maintain safe and secure working conditions.

· A commitment to fulfil legal requirements and other requirements.

· A commitment to making those within the scope of the organisation’s ISMS aware of the consequences of non-compliance.

· A commitment to eliminate hazards and reduce security risks

· A commitment to continual improvement of the ISMS management system

· A commitment to consultation and participation of team members, and, where they exist, team members' representatives. 

· To provide adequate control of the information and security risks identified including documented evidence to demonstrate whether the organisation has determined to accept or treat the risk considering the scope, context and resource of the organisation

· To consult with our team members on matters affects their information security and physical security where appropriate to do so.

· To ensure the safe handling and use of assets including labelling, version control and classification of all assets.

· To ensure that all team members are competent to carry out their roles, and to give them appropriate ISMS and security training on at least an annual basis or where there is a requirement to do so.

· To prevent and respond to security breaches.

· To provide the resources required to make this policy and our information security arrangements effective.

In addition to this as part of the organisation’s commitment to the continued success and improvement of its ISMS the following objectives have been approved and committed to by the Executive Committee during the term of 2024:-

· Structured Executive Committee reviews from Legal and Compliance on a quarterly basis for 2024 

· To plan and deliver an Information Security Day during 2024 to raise competency and awareness throughout the organisation

· Improvement of Awareness Training and Communication to all interested parties (internal and external) including a proactive approach to letting external parties with an interest know of our achievements

· Collaborating with other departments where applicable on I.T vendors which affect the ISMS

· To plan and deliver a transition to ISO 27001:2022

· To build and implement a framework for obtaining AI and other software / licences with approval process and risk assessment as BAU

 

We also recognise:

  • Our duty to cooperate and work with other interest parties’ when we work at premises or sites under their control to ensure the continued security of all those at work; and
  • Our duty to cooperate and work with other interested parties’ and their workers, when their workers come onto our premises or sites to do work for us, to ensure the security of everyone at work.

To help achieve our objectives and ensure our team members recognise their duties under GDPR and ISMS legislation and requirements whilst at work, we will also inform them of their information security responsibilities and objectives. We achieve this by a range of effective communication tools such as screensavers, training, toolbox talks, team meetings and other methods.  We also conduct refresher training on at least an annual basis to ensure team members are aware of any updates and are reminded of their requirements.

Signed COO: Kelly Shaw

12.02.24

Edited to the Chartered Institute of Export and International Trade : 

01/07/2024