It is the policy of CRY to maintain an Information Security Management System (ISMS) designed to meet the requirements of ISO 27001:2017 in pursuit of its primary objectives.
CRY’s ISMS Manual describes its corporate approach to information security and details how CRY addresses its responsibilities in relation to this vital area of business. As an organisation, CRY is committed to satisfying applicable requirements related to information security and the continual improvement of the ISMS.
Information Security is the responsibility of all members of staff, not just the senior management team. As such, all CRY staff are given guidance on key Information Security policies and procedures and are expected to demonstrate a practical application of the key objectives, where appropriate, in their daily duties.
CRY also makes details of its Information Security policies known to other interested parties, including external organisations, where appropriate. CRY determines the need for, and method of, any such communication according to the principles of its information security management system.
All CRY’s legal and regulatory obligations are included within a Legal Documents Register held by CRY. This contains details of the main financial, employment, environmental and charity legislation that is applicable to CRY. It also contains details of all CRY’s insurance policies. This document is checked on a monthly basis prior to the monthly Leadership Team meeting and reviewed three times per year at Quality Management Review meetings.
Verification of compliance with CRY’s Information Security Management System is achieved by a continuous programme of internal audits.
The scope of this policy relates to all IT systems and hardcopy document control systems operated by CRY in pursuit of its purpose “to prevent young sudden cardiac deaths through awareness, screening and research, and supporting affected families”. It also relates, where appropriate, to external risk sources including functions which are outsourced. CRY maintains a number of procedure documents and flow charts which illustrate key business activities and their correspondence to ISMS requirements.
Any enquiries about CRY’s Information Security systems should be sent to firstname.lastname@example.org and marked for the attention of the Operations Manager.