Information Security Policy

1. Introduction

Thrive Consultancy Ltd (hereafter referred to as "Thrive") is committed to maintaining the confidentiality, integrity, and availability of its information assets and ensuring the protection of sensitive information belonging to our clients, employees, and stakeholders. This Information Security Policy outlines Thrive's commitment to information security and its alignment with the principles of ISO 27001.

All employees are responsible for complying with this policy, reporting security incidents, and actively participating in security awareness and training.

2. Information Security Objectives

Thrive Consultancy Ltd establishes the following objectives for information security:

2.1. Confidentiality: We will ensure that sensitive information is only accessible to authorised individuals or entities and will prevent unauthorised disclosure.

2.2. Integrity: We will safeguard the accuracy and completeness of information by protecting it from unauthorised alteration.

2.3. Availability: We will ensure that information and information systems are available and accessible when needed by authorised individuals.

3. Information Classification

Thrive Consulting classifies information into categories based on its sensitivity and criticality. These categories include:

  • Confidential: Highly sensitive information that must be protected at all costs.

  • Internal: Information for internal use only, not meant for public dissemination.

  • Public: Information that can be shared publicly without restriction.

4. Access Control

Access to information systems and data will be granted on a need-to-know basis. Thrive Consulting will implement strong access controls, including user authentication and authorisation mechanisms, to prevent unauthorised access.

5. Password Security

Employees and authorised users must create strong passwords, change them regularly, and keep them confidential. 

6. Data Backup and Recovery

Thrive Consulting will maintain regular data backups to ensure data integrity and availability in case of system failures or data breaches. Data recovery procedures will be in place and periodically tested.

7. Security Awareness Training

All employees and contractors will receive regular education on information security best practices, including how to recognise and respond to security threats.

8. Incident Response Plan

Thrive Consulting will maintain an incident response plan to address security incidents promptly, including data breaches. This plan will include reporting procedures and responsibilities.

9. Monitoring and Review

Thrive will regularly monitor and review how effectively this policy is implemented to ensure alignment with ISO 27001 principles. This policy will be reviewed periodically and updated as necessary.

Effective Date: 26th August 2023

Authorised by: Jane Dennyson, Founder, Thrive Consulting Ltd