PFA’s information security management system achieved certification to ISO 27001 standards in 2015.
ISO 27001 Information Security Policy Statement
PFA’s information security management system describes the company’s approach to the vital area of Information Security management, and details how we address our responsibilities in relation to it.
As a company, we are committed to preserving the confidentiality, integrity and availability of physical and electronic information assets. This allows us to conduct our business and fulfil our contractual obligations whilst maintaining security, as well as to comply with legal requirements.
ISO 27001 Information Security Management Principles
- Information is categorised and allocated to authorised persons for access from within or outside the company.
- Confidentiality of information held by PFA is reviewed and maintained.
- Integrity of information is maintained throughout the standard business practice.
- Business continuity plans are established, maintained, reviewed and tested.
- All personnel are trained on information security and are informed that compliance with the policy is mandatory.
- All breaches of information security and suspected weaknesses are reported and investigated.
- Procedures that exist to support the policy, include non-exhaustively; asset control, risk and threat assessment, business continuity plans and access control. Availability of information systems and integrity will be maintained.
ISO 27001 Information Security Objectives
- Assign appropriate security levels to staff, review assets and decide on appropriate segmentation of assets to those security levels.
- Review potential changes affecting the system in the context of information security, in advance of implementation.
- Review guidance and training given to staff relating to correspondence with external entities and clients annually.
- Review data backup procedures and training annually.
- Conduct a yearly business continuity meeting to discuss current security mitigation measures used and any newly identified threats to the business.
- Maintain a staff training program with a security refresher to be held annually.