Information Security & Breach Response Policy

Purpose

This Policy defines how The ESG Institute Limited ("the Company") protects the confidentiality, integrity and availability of information assets and how it responds to actual or suspected security incidents and personal‑data breaches. The Company follows a defence‑in‑depth approach aligned with ISO/IEC 27001, UK National Cyber Security Centre (NCSC) guidance and applicable law.

Legal and Regulatory Framework

The Policy is issued pursuant to the Data Protection Act 2018 (Isle of Man) and the Applied GDPR, the Computer Misuse Act 1990 (Isle of Man), the Telecommunications (Security) Act 2021 (IoM) and, where relevant, the Network and Information Systems Regulations 2018 (UK) for cloud services hosted in the United Kingdom. Nothing in this Policy limits or replaces statutory obligations contained in those enactments or in contracts with clients, accrediting bodies or regulators.

Scope

The Policy applies to all information assets—regardless of format or location—and to every employee, director, officer, contractor, consultant, agency worker, volunteer, intern, third‑party service provider and visitor who accesses Company systems or data.

Information‑Security Principles

  1. Confidentiality – information is accessible only to those authorised to have access.

  2. Integrity – information and processing methods are accurate and complete.

  3. Availability – authorised users have access to information and associated assets when required.

  4. Accountability – actions can be traced to the responsible individual.

  5. Proportionality – controls are commensurate with risk and business value.

Roles and Responsibilities

  1. The ESG Institute (Board) – sets risk appetite, approves this Policy and receives assurance reports.

  2. Chief Executive – accountable for implementation and resourcing.

  3. Chief Information Security Officer (CISO) – maintains the Policy, leads risk assessments, oversees technical controls, chairs the Security Incident Response Team (SIRT) and reports quarterly to the Board.

  4. IT Manager – implements day‑to‑day technical measures, monitors systems, manages backups and patching, and supports the CISO in incident response.

  5. Data Protection Officer (DPO) – advises on data‑protection compliance, assesses breach severity, liaises with the Information Commissioner and affected individuals.

  6. Managers – ensure their teams follow security procedures, approve access requests and report incidents promptly.

  7. All Users – safeguard credentials, follow the Acceptable‑Use Rules, attend training, and report suspected incidents without delay.

Acceptable‑Use Rules

  • Use Company‑issued devices and accounts for business activities; personal use must be minimal and lawful.

  • Keep passwords complex, unique and confidential; enable multi‑factor authentication where offered.

  • Do not install unauthorised software; only use approved cloud services (e.g., Microsoft 365, Teachable, Stripe, Eventbrite).

  • Encrypt sensitive files at rest and in transit; use Company‑approved VPN when working remotely.

  • Lock screens when leaving a workstation; store laptops securely; avoid public Wi‑Fi without VPN.

  • Never forward Company data to personal email or consumer storage platforms.

  • Report lost devices, phishing attempts or suspicious activity immediately to the IT Service Desk.

Technical and Organisational Controls

  • Asset Management: Information assets are classified Public, Internal, Confidential or Restricted. An asset register records ownership, location and classification. Confidential and Restricted data require encryption in transit (TLS 1.2+) and at rest (AES‑256 or equivalent).

  • Access Control: Access is granted on the principle of least privilege and role‑based access control (RBAC). Joiners, movers and leavers are processed through the Access‑Request Workflow within five working days. Privileged accounts are monitored and reviewed quarterly.

  • Endpoint and Network Security: Endpoints have centrally managed anti‑malware, host‑based firewall, disk encryption and automated patching. Network firewalls, intrusion‑detection and log‑management systems are used to detect anomalies. Remote access requires MFA.

  • Patch and Vulnerability Management: Critical security patches are deployed within fourteen days of release; high‑risk external‑facing systems within seven days. Quarterly vulnerability scans and annual penetration tests are conducted; remediation actions are tracked by the CISO.

  • Backup and Recovery: Full backups of core systems are taken nightly and stored encrypted off‑site in a separate cloud region. Recovery procedures are tested at least annually with recovery‑time and recovery‑point objectives agreed by the Executive Leadership Team.

  • Secure Development and Change Management: Changes to production systems follow the Change‑Control Procedure, including code review, testing, approval and rollback plans. Development environments are segregated from production.

  • Physical Security: Offices and on‑premise server rooms use access cards, CCTV and visitor sign‑in. Confidential documents are locked away; shredders or secure‑destruction bins are provided.

Security Incident and Breach Response

A. Definitions

A security incident is any event that compromises—or could compromise—the confidentiality, integrity or availability of information or systems. A personal‑data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

B. Reporting

All users must report suspected incidents immediately via the IT Service Desk hotline [number] or incident@esginstitute.com. Out of hours, contact the on‑call SIRT lead listed on the intranet.

C. Incident‑Response Steps (SIRT)

  1. Triage – assess scope, severity and potential impact within two hours.

  2. Containment – isolate affected systems, block malicious traffic, suspend compromised accounts.

  3. Eradication – remove malicious code, apply patches, reset credentials.

  4. Recovery – restore from backups, validate system integrity, monitor closely.

  5. Notification – if personal data is involved, the DPO determines whether to notify the IoM Information Commissioner (within 72 hours of awareness) and affected individuals without undue delay.

  6. Post‑Incident Review – document root cause, lessons learned, corrective actions; update risk register.

D. Evidence Handling

Logs, images and files collected during an investigation are preserved in a tamper‑evident repository. Chain‑of‑custody is maintained for any evidence that may be required for legal proceedings.

Training and Awareness

All staff complete information‑security and data‑protection training within one month of joining and annually thereafter. Phishing‑simulation campaigns are run at least twice a year. Specialist training is provided for administrators, developers and incident‑response staff.

Compliance Monitoring

The CISO conducts internal audits, reviews access logs, checks backup reports and monitors security metrics (patch compliance, phishing‑report rate, incident MTTR). Significant findings are reported to the Executive Leadership Team and the Board Audit & Risk Committee.

Non‑Compliance and Disciplinary Action

Failure to comply with this Policy may result in disciplinary action up to and including dismissal, civil liability and criminal prosecution.

Review

This Policy is to be reviewed every two years, or earlier if there are significant changes in law or in the Company's operations.

Latest update: June 30, 2025.

This Policy is non‑contractual and may be amended at the Company’s discretion.