Information Security Policy

Updated 27.01.2026

A document forming part of the Immercial IMS.

8. Information Security Policy

Document Name: Information Security Policy
Version: 1.0
Approved by: Directors, Immercial Limited
Review Frequency: Annual or upon material change


8.1 Purpose

This Information Security Policy defines Immercial Limited’s approach to protecting information assets and managing information security risks in alignment with ISO 27001 principles.

The policy is designed to be proportionate to the size, operational model, and risk profile of a specialist micro-company consultancy.


8.2 Policy Statement

Immercial Limited is committed to preserving the confidentiality, integrity, and availability of information assets that support our consultancy services, proprietary methodologies, digital tools, and client engagements.

Information security is embedded within Immercial’s Integrated Management System (IMS) and supports both operational resilience and client confidence.


8.3 Scope

This policy applies to:

  • All information assets owned, managed, or processed by Immercial

  • Digital platforms, systems, and cloud services

  • Intellectual property, benchmarks, templates, and methodologies

  • Client, commercial, and internal business information

  • Personnel and authorised users with access to Immercial systems

Public governance, data protection, and related policies published on the Immercial website form part of this policy framework by reference and are not duplicated internally.


8.4 Information Security Objectives

Immercial aims to:

  • Protect sensitive and confidential information from unauthorised access or disclosure

  • Ensure information remains accurate and reliable

  • Maintain availability of systems and data required for service delivery

  • Apply proportionate, risk-based security controls

  • Prevent, detect, and respond to information security incidents

  • Support continual improvement of security practices


8.5 Roles & Responsibilities

Senior management is responsible for:

  • Establishing and approving this policy

  • Ensuring appropriate security controls are in place

  • Reviewing information security risks and performance

All authorised users are responsible for:

  • Following documented security procedures

  • Protecting access credentials

  • Reporting suspected or actual security incidents


8.6 Key Security Principles

Information security controls are implemented based on:

  • Least privilege access

  • Role-based permissions

  • Secure configuration of devices and systems

  • Use of multi-factor authentication where supported

  • Regular review of access rights

  • Secure handling and storage of information


8.7 Incident Management

Information security incidents are identified, recorded, assessed, and addressed in accordance with the Information Security Incident Procedure. Lessons learned are used to improve controls where appropriate.


8.8 Business Continuity

Information security supports business continuity through:

  • Use of secure cloud-based systems

  • Regular data backup

  • Ability to operate remotely

  • Proportionate contingency arrangements


8.9 Review & Continual Improvement

This policy is reviewed at least annually as part of management review activities, or sooner if significant changes to systems, services, or risks occur.

Immercial Limited