Information Security Policy

Salamanca Group realises that the security of Salamanca Group information and our clients’ information is
of paramount importance. To that end, Salamanca Group is committed to implementing and maintaining an
Information Management System which is compliant with the requirements of ISO 27001: 2013.
This Information Security Policy provides a framework for defining and regulating the management of
Salamanca Group Information Management systems and other information assets. This policy will be
provided to and made available to all employees of Salamanca Group in order to ensure that information is
appropriately secured against loss of confidentiality, integrity and availability, and that all information we store is
in compliance with applicable legal, statutory and regulatory requirements. The Information Security Policy
will be made available to external interested parties where appropriate.
This Policy and the Information Management System and its related procedures will be reviewed at least
annually to ensure they are still suitable to the scale and nature of our operations. We shall seek to
continually improve our Information Management systems on an ongoing basis.
The Salamanca Group Information Management System will be based around the below core principles of
information management which are underpinned by the requirements of ISO 27001: 2013. These principles
state our intent around information security, but should also be read in conjunction with our information
security objectives and information security procedures:
—We have appointed an Information Security Officer within Salamanca Group who is our Quality, Standards
and Accreditations Manager responsible for overseeing the security of information on a group-wide
basis. This will provide group-wide direction and support for the security of both information assets and
resources;
—We will identify and classify our information assets and ensure measures are in place to protect these
assets;
—We will educate and inform all personnel on matters relating to information security to include being
vigilant with regard to human error, theft, fraud or misuse of facilities in relation to our company’s
information;
—We will abide by all relevant national and international data protection legislation when handling Salamanca
Group and our clients’ information;
—We will ensure security controls are in place in relation to the group’s physical premises to prevent
unauthorised access, damage or interference with company information or physical property;
—We will ensure our Information Technology department is well resourced with a focus on information
processing hardware and software of an optimum standard in relation to inbuilt security controls;
—Company documentation and records will be controlled in line with the Salamanca Group related
procedures with access controlled and limited to those who need the access to perform their job role;
—Information should be processed in a timely and controlled manner and not stored beyond the time it is
needed to perform the task it is required for;
—We will ensure robust business continuity procedures and contingency plans are in place to mitigate
disruption to business activities and to protect our infrastructure and our key business activities from the
effects of major failures or disasters;
—We will diligently review all contractual and security related obligations to the information we hold to avoid
any breaches relating thereto.
Related Company Procedures and External Reference Documents
—Salamanca Group Data Protection Policy
—Salamanca Group Control of Documentation Procedure
—Salamanca Group Control of Records Procedure
—Salamanca Group Business Continuity Procedure
—BS ISO/IEC 27001: 2013
—Data Protection Act 1998
Anne James
Quality Standards & Accreditations Manager
David Livingston
Chief Operating Officer
V1 dated 22/01/15