Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: Head of Product

Information Security Management Plan

Purpose

This plan sets out how Allied manages information security risks across its systems, data, and operations. It provides a framework for protecting the confidentiality, integrity, and availability of information assets.

Scope

This plan applies to:

  • All Allied staff, contractors, and third parties with access to Allied systems or data
  • All information assets, whether digital or physical
  • All environments, including production, development, and corporate systems

Roles and responsibilities

RoleResponsibility
Head of Product (plan owner)Maintains this plan, coordinates risk assessments, and reports to leadership on security posture
Asset ownersIdentify and classify assets under their control; apply appropriate controls
All staffFollow this plan, report incidents promptly, and complete required training
Third partiesComply with Allied security requirements as defined in their agreements

Risk management

  1. Maintain a register of information security risks.
  2. Assess each risk for likelihood and impact at least annually.
  3. Apply controls proportionate to the risk level.
  4. Review the risk register when significant changes occur (new systems, incidents, or organisational changes).

Incident response

  • Report suspected security incidents to the Head of Product immediately.
  • The Head of Product assesses severity, coordinates containment, and determines notification requirements.
  • Record all incidents and their outcomes in the incident log.
  • Conduct a post-incident review for any incident rated high severity or above.

Access control

  • Grant access on the principle of least privilege — staff receive only the access needed for their role.
  • Review access rights when staff change roles or leave the organisation.
  • Require multi-factor authentication for all remote access and privileged accounts.
  • Disable accounts promptly when no longer required.

Data retention

  • Retain information assets only as long as there is a documented business or legal need.
  • Asset owners define and record retention periods for data under their control.
  • Dispose of data securely when its retention period expires, using methods appropriate to the classification level.
  • Review retention schedules at least annually alongside the risk register.

Training and awareness

  • All staff complete information security awareness training within their first month and annually thereafter.
  • Role-specific training is provided for staff with elevated access or security responsibilities.
  • The Head of Product communicates relevant threats and guidance as needed.

Review and audit

  • This plan is reviewed at least annually by the Head of Product.
  • Internal audits of security controls are conducted on a schedule agreed with leadership.
  • Findings from audits and incidents feed back into the risk register and this plan.

Rationale