DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.
Doc owner: Head of Product
Information Security Management Plan
Purpose
This plan sets out how Allied manages information security risks across its systems, data, and operations. It provides a framework for protecting the confidentiality, integrity, and availability of information assets.
Scope
This plan applies to:
- All Allied staff, contractors, and third parties with access to Allied systems or data
- All information assets, whether digital or physical
- All environments, including production, development, and corporate systems
Roles and responsibilities
| Role | Responsibility |
|---|---|
| Head of Product (plan owner) | Maintains this plan, coordinates risk assessments, and reports to leadership on security posture |
| Asset owners | Identify and classify assets under their control; apply appropriate controls |
| All staff | Follow this plan, report incidents promptly, and complete required training |
| Third parties | Comply with Allied security requirements as defined in their agreements |
Risk management
- Maintain a register of information security risks.
- Assess each risk for likelihood and impact at least annually.
- Apply controls proportionate to the risk level.
- Review the risk register when significant changes occur (new systems, incidents, or organisational changes).
Incident response
- Report suspected security incidents to the Head of Product immediately.
- The Head of Product assesses severity, coordinates containment, and determines notification requirements.
- Record all incidents and their outcomes in the incident log.
- Conduct a post-incident review for any incident rated high severity or above.
Access control
- Grant access on the principle of least privilege — staff receive only the access needed for their role.
- Review access rights when staff change roles or leave the organisation.
- Require multi-factor authentication for all remote access and privileged accounts.
- Disable accounts promptly when no longer required.
Data retention
- Retain information assets only as long as there is a documented business or legal need.
- Asset owners define and record retention periods for data under their control.
- Dispose of data securely when its retention period expires, using methods appropriate to the classification level.
- Review retention schedules at least annually alongside the risk register.
Training and awareness
- All staff complete information security awareness training within their first month and annually thereafter.
- Role-specific training is provided for staff with elevated access or security responsibilities.
- The Head of Product communicates relevant threats and guidance as needed.
Review and audit
- This plan is reviewed at least annually by the Head of Product.
- Internal audits of security controls are conducted on a schedule agreed with leadership.
- Findings from audits and incidents feed back into the risk register and this plan.