Information Security Policy
1. Purpose
This policy defines the Information Security Management System (ISMS) for Tom Prichard (Holdings) Ltd T/A Prichard’s and establishes the principles, responsibilities, and controls required to protect information assets in accordance with ISO/IEC 27001:2022.
2. Scope
This policy applies to all employees, contractors, temporary staff, third parties, and information assets associated with Tom Prichard (Holdings) Ltd T/A Prichard’s, including on-premises systems, cloud services, remote working arrangements, and third-party managed services.
3. Leadership & Commitment
Top management is committed to establishing, implementing, maintaining, and continually improving the ISMS. Adequate resources shall be provided to support information security objectives and compliance obligations.
This policy is approved by top management and communicated to all relevant personnel and interested parties where appropriate.
4. Risk Management
Information security risks are identified and assessed within the Information Security Risk Register. Risk treatment decisions and selected controls are documented within the Statement of Applicability (SoA). Controls implemented under this policy are risk-based and aligned with ISO/IEC 27001:2022 Annex A.
5. Information Security Objectives
Information security objectives are defined, measurable, monitored, and reviewed during management review meetings to support continual improvement.
6. Roles & Responsibilities
The IT Department acts as the ISMS operational owner and is responsible for access control, system security, incident response, monitoring, and compliance with this policy. All employees are responsible for complying with information security requirements.
7. Access Control
Access to information assets shall be granted based on the principles of least privilege and separation of duties. Multi-factor authentication is enforced for remote and cloud access.
8. Asset Management
All information assets shall be inventoried, classified, and protected according to their sensitivity and business value.
9. Incident Management
All suspected or actual information security incidents shall be reported immediately and managed in accordance with the Incident & Non-Conformance Corrective Action Procedure (CD-B273).
10. Backup & Recovery
Backups shall be performed, encrypted, tested, and retained in accordance with documented backup procedures. Backup effectiveness is monitored and reported.
11. Monitoring & Review
Information security performance is monitored through logging, alerts, internal audits, and management reviews.
12. Continual Improvement
Nonconformities and incidents shall result in corrective actions. The ISMS shall be continually improved to enhance information security performance.
This policy is reviewed at least annually and whenever significant changes occur to the organisation, risk environment, or regulatory requirements.
13. ISMS Document References
• CD-J003 – ISMS Scope
• CD-J005 – Information Security Risk Assessment
• CD-J004 – Statement of Applicability (SoA)
• CD-J035 – Context of the Organisation
• CD-B273 – Incident & Non-Conformance Corrective Action Procedure
• CD-B282 – Documented Information Control
These documents collectively ensure that information security controls are risk-based, traceable, implemented, monitored, and continually improved in accordance with ISO/IEC 27001:2022.
Date: 6th March 2026
Tom Prichard
Managing Director