Skip to content
Legal

Information Security Policy

Our commitment to protecting the confidentiality, integrity, and availability of information assets.

Document owner: Louise Clayton, Managing Director — Talk Think Do Ltd

1. Introduction and Purpose

Talk Think Do Ltd (“Talk Think Do”, “we”, “us”, “our”) is committed to protecting the confidentiality, integrity, and availability of all information assets, including client data, intellectual property, and business-critical systems.

This Information Security Policy establishes the framework for managing information security across our organisation. It reflects our obligations under ISO 27001, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Cyber Essentials Plus scheme, and other applicable legislation and contractual requirements.

All employees, contractors, consultants, and third parties with access to Talk Think Do information systems and data are required to comply with this policy.

2. Scope

This policy applies to:

  • All information assets owned, controlled, or processed by Talk Think Do, including those held on behalf of clients;
  • All employees, contractors, and third-party suppliers with access to our systems, premises, or data;
  • All information systems, networks, applications, cloud infrastructure, and physical assets used to store, process, or transmit information;
  • All business functions, including software development, managed support, and internal operations.

3. Information Security Objectives

Our information security objectives are to:

  • Protect client and business information from unauthorised access, disclosure, modification, or destruction;
  • Ensure the continuous availability of systems and services critical to our operations and client commitments;
  • Maintain compliance with ISO 27001, Cyber Essentials Plus, UK GDPR, and all applicable legislation;
  • Foster a security-aware culture across the organisation;
  • Continuously improve our security posture through regular risk assessment and review.

4. Roles and Responsibilities

Senior Management

Senior management is responsible for providing strategic direction, resource allocation, and visible commitment to information security. The Managing Director holds ultimate accountability for this policy and the Information Security Management System (ISMS).

All Staff

Every employee and contractor is responsible for:

  • Complying with this policy and all supporting procedures;
  • Reporting actual or suspected security incidents promptly;
  • Completing information security awareness training as required;
  • Using information assets only for authorised business purposes.

Information Asset Owners

Designated individuals are responsible for identifying, classifying, and managing risks associated with specific information assets.

5. Risk Management

Talk Think Do operates a risk-based approach to information security. We:

  • Conduct regular information security risk assessments to identify threats, vulnerabilities, and potential impacts;
  • Implement appropriate controls to reduce risk to an acceptable level;
  • Review the risk register at least annually, or following significant changes to our environment;
  • Document risk treatment decisions and track remediation actions to completion.

6. Information Classification

All information assets are classified according to their sensitivity and the potential impact of unauthorised disclosure. Our classification tiers are:

  • Public — Information intended for general release (e.g. marketing materials, website content);
  • Internal — Information for internal use only, not intended for public disclosure;
  • Confidential — Sensitive business or client information requiring restricted access;
  • Restricted — Highly sensitive information subject to the strictest controls (e.g. credentials, client personal data, source code repositories).

Information must be handled, stored, transmitted, and disposed of in accordance with its classification level.

7. Access Control

Access to information systems and data is granted on a need-to-know and least-privilege basis. We:

  • Maintain a formal process for granting, reviewing, and revoking access rights;
  • Require strong, unique passwords and enforce multi-factor authentication (MFA) on all critical systems;
  • Review user access rights at regular intervals and immediately upon changes in role or employment status;
  • Prohibit sharing of user credentials;
  • Log and monitor access to sensitive systems.

8. Acceptable Use

Information assets must be used responsibly and only for authorised purposes. The following activities are prohibited:

  • Accessing, copying, or distributing confidential or client data without authorisation;
  • Installing unauthorised software on company or client systems;
  • Using company systems to conduct personal or external business activities;
  • Attempting to circumvent security controls or access restricted systems;
  • Sharing client or internal information with unauthorised parties.

9. Physical and Environmental Security

We take appropriate measures to protect physical access to information assets, including:

  • Securing physical devices (laptops, mobile devices) against loss or theft;
  • Applying full-disk encryption to all portable devices;
  • Implementing a clear-desk and clear-screen policy;
  • Ensuring secure disposal of physical media containing sensitive data.

10. Technical Security Controls

We implement technical controls proportionate to the sensitivity of the information processed, including:

  • Endpoint protection (anti-malware, EDR) on all devices;
  • Patching and vulnerability management with timely application of security updates;
  • Network segmentation and firewall controls;
  • Encrypted communications (TLS) for all data in transit;
  • Encryption of data at rest for sensitive and restricted classifications;
  • Regular penetration testing and vulnerability assessments;
  • Cloud security controls aligned with Microsoft Azure best practices and the Microsoft Secure Score framework.

11. Third-Party and Supply Chain Security

We recognise that third-party suppliers can introduce security risks. We:

  • Assess the information security posture of suppliers before engagement;
  • Include information security obligations in contractual agreements with suppliers and sub-processors;
  • Monitor supplier compliance on an ongoing basis;
  • Ensure that client data shared with third parties is subject to equivalent protections.

12. Incident Management

We maintain a formal information security incident management process. All staff are required to report suspected security incidents — including data breaches, malware infections, unauthorised access, or loss of devices — immediately to the designated security contact.

We will:

  • Investigate and contain incidents promptly;
  • Notify affected parties and regulatory authorities (including the ICO) within required timescales where personal data is involved;
  • Conduct post-incident reviews to identify root causes and preventive measures;
  • Maintain records of all incidents and responses.

13. Business Continuity and Disaster Recovery

We maintain business continuity and disaster recovery plans to ensure the resilience of critical services. These plans are:

  • Documented and tested at regular intervals;
  • Aligned with client service level agreements and contractual obligations;
  • Reviewed following significant changes to our systems or operating environment.

14. Compliance

We are committed to complying with all applicable legal, regulatory, and contractual requirements related to information security, including:

  • ISO/IEC 27001:2022 Information Security Management;
  • Cyber Essentials Plus;
  • UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018;
  • Crown Commercial Service supplier requirements;
  • Applicable sector-specific requirements of our clients.

Internal and external audits are conducted regularly to verify compliance and identify areas for improvement.

15. Training and Awareness

All staff receive information security awareness training on joining the organisation and at regular intervals thereafter. Training covers topics including phishing, social engineering, password hygiene, data handling, and incident reporting.

16. Policy Review and Maintenance

This policy is reviewed at least annually by senior management, or following significant changes to the business, our systems, or the threat landscape. Updates are communicated to all relevant personnel.

Supporting procedures, guidelines, and standards are maintained within our Information Security Management System (ISMS) and are available to all staff.

17. Contact

Questions regarding this policy or information security at Talk Think Do should be directed to:

Louise Clayton, Managing Director
Talk Think Do Ltd
Patch, The Square, 2–12 Commercial Road
Bournemouth, Dorset, England, BH2 5LP
Email: [email protected]
Telephone: 01202 375647

See also our Privacy Policy, Cookie Policy, and Terms and Conditions.

Ready to transform your software?

Let's talk about your project. Contact us for a free consultation and see how we can deliver a business-critical solution at startup speed.

Book a Consultation More about us