Information Security Management System (ISMS) Policy

Document reference: ISO_webpage_legal-iso-isms_v1

Last modified: 24 March 2026

Policy Statement

Coaley Peak Limited is committed to maintaining a robust Information Security Management System (ISMS) aligned with the requirements of ISO 27001 and ISO 9001:2015. Our ISMS ensures the confidentiality, integrity, and availability of all information assets managed by the organisation.

Scope

This policy applies to all information assets, personnel, processes, and systems within Coaley Peak Limited. It encompasses both physical and digital information across all business operations.

Commitment to Customer Satisfaction

We are dedicated to meeting and exceeding customer expectations regarding information security. All client data is handled in accordance with contractual obligations and applicable data protection regulations.

Continuous Improvement

Coaley Peak Limited pursues continuous improvement of the ISMS through regular risk assessments, internal audits, management reviews, and corrective actions. We actively monitor emerging threats and update our controls accordingly.

Annual Audits

The ISMS undergoes formal annual audits conducted by both internal and external auditors to verify compliance with ISO 27001 and ISO 9001:2015 standards. Audit findings are reviewed by senior management and addressed through our corrective action process.

Risk Management

We maintain a comprehensive risk register and conduct regular risk assessments to identify, evaluate, and treat information security risks. Risk treatment plans are reviewed quarterly and updated as necessary.

Responsibilities

All employees, contractors, and third-party providers are responsible for adhering to this policy and supporting the objectives of the ISMS. Information security awareness training is provided to all personnel.

ISMS Policy Framework

The ISMS is underpinned by documented policies aligned to ISO 27001:2022 Annex A controls. These internal policies are reviewed annually and subject to audit. To request a copy of any policy, contact compliance@coaleypeak.co.uk.

Organisational Controls (A.5.1–A.5.37)
  • A.5.1 — Policies for information security
  • A.5.2 — Roles & responsibilities
  • A.5.3 — Segregation of duties
  • A.5.4 — Management responsibilities
  • A.5.5 — Contact with authorities
  • A.5.6 — Contact with special interest groups
  • A.5.7 — Threat intelligence
  • A.5.8 — Info security in project management
  • A.5.9 — Inventory of info & other assets
  • A.5.10 — Acceptable use of information
  • A.5.11 — Return of assets
  • A.5.12 — Classification of information
  • A.5.13 — Labelling of information
  • A.5.14 — Information transfer
  • A.5.15 — Access control
  • A.5.16 — Identity management
  • A.5.17 — Authentication information
  • A.5.18 — Access rights
  • A.5.19 — Info security in supplier relationships
  • A.5.20 — Addressing security in supplier agreements
  • A.5.21 — Managing security in ICT supply chain
  • A.5.22 — Monitoring & review of supplier services
  • A.5.23 — Info security for use of cloud services
  • A.5.24 — Incident management planning
  • A.5.25 — Assessment & decision on events
  • A.5.26 — Response to info security incidents
  • A.5.27 — Learning from incidents
  • A.5.28 — Collection of evidence
  • A.5.29 — Info security during disruption
  • A.5.30 — ICT readiness for business continuity
  • A.5.31 — Legal, statutory & regulatory requirements
  • A.5.32 — Intellectual property rights
  • A.5.33 — Protection of records
  • A.5.34 — Privacy & protection of PII
  • A.5.35 — Independent review of info security
  • A.5.36 — Compliance with policies & standards
  • A.5.37 — Documented operating procedures

People Controls (A.6.1–A.6.8)
  • A.6.1 — Screening
  • A.6.2 — Terms & conditions of employment
  • A.6.3 — Awareness, education & training
  • A.6.4 — Disciplinary process
  • A.6.5 — Responsibilities after termination
  • A.6.6 — Confidentiality & NDAs
  • A.6.7 — Remote working
  • A.6.8 — Info security event reporting

Physical Controls (A.7.1–A.7.14)
  • A.7.1 — Physical security perimeters
  • A.7.2 — Physical entry controls
  • A.7.3 — Securing offices, rooms & facilities
  • A.7.4 — Physical security monitoring
  • A.7.5 — Protecting against physical threats
  • A.7.6 — Working in secure areas
  • A.7.7 — Clear desk & clear screen
  • A.7.8 — Equipment siting & protection
  • A.7.9 — Security of assets off-premises
  • A.7.10 — Storage media
  • A.7.11 — Supporting utilities
  • A.7.12 — Cabling security
  • A.7.13 — Equipment maintenance
  • A.7.14 — Secure disposal or re-use

Technological Controls (A.8.1–A.8.34)
  • A.8.1 — User endpoint devices
  • A.8.2 — Privileged access rights
  • A.8.3 — Information access restriction
  • A.8.4 — Access to source code
  • A.8.5 — Secure authentication
  • A.8.6 — Capacity management
  • A.8.7 — Protection against malware
  • A.8.8 — Management of technical vulnerabilities
  • A.8.9 — Configuration management
  • A.8.10 — Information deletion
  • A.8.11 — Data masking
  • A.8.12 — Data leakage prevention
  • A.8.13 — Information backup
  • A.8.14 — Redundancy of info processing
  • A.8.15 — Logging
  • A.8.16 — Monitoring activities
  • A.8.17 — Clock synchronisation
  • A.8.18 — Use of privileged utility programs
  • A.8.19 — Software installation on operational systems
  • A.8.20 — Networks security
  • A.8.21 — Security of network services
  • A.8.22 — Segregation of networks
  • A.8.23 — Web filtering
  • A.8.24 — Use of cryptography
  • A.8.25 — Secure development life cycle
  • A.8.26 — Application security requirements
  • A.8.27 — Secure system architecture
  • A.8.28 — Secure coding
  • A.8.29 — Security testing in dev & acceptance
  • A.8.30 — Outsourced development
  • A.8.31 — Separation of dev, test & production
  • A.8.32 — Change management
  • A.8.33 — Test information
  • A.8.34 — Protection of systems during audit
