Give us a call

+44 7756 956582

Drop us a line

admin@clastfit.co.uk

Working

M - F: 08.00 to 17.00


Information Security Management Policy

Clast Fit LTD

Effective Date: 10th of April 2024

Review Date: 10th of April 2025


1. Policy Statement

Clast Fit LTD is committed to preserving the confidentiality, integrity, and availability of all physical and digital information assets throughout our retail and office fit-out operations. This policy supports our aim to achieve and maintain compliance with ISO/IEC 27001:2022 – the international standard for information security management systems (ISMS).

 

2. Objectives

Our key information security objectives are to:

  • Protect client, supplier, and employee data from unauthorised access, alteration, or destruction.

  • Ensure continuity of service and business operations through secure and resilient IT systems.

  • Comply with all relevant UK laws and regulations, including GDPR and the Data Protection Act 2018.

  • Promote a culture of security awareness across all staff and subcontractors.

 

3. Scope

This policy applies to:

  • All employees, subcontractors, and third parties who access Clast Fit LTD’s systems or handle its data.

  • All information systems, communication networks, mobile devices, email, cloud services, and on-site digital tools.

  • All types of information: electronic, printed, verbal, and physical.

 

4. Commitment to ISO 27001

Clast Fit LTD commits to:

  • Establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) in line with ISO/IEC 27001:2022.

  • Identifying, assessing, and managing information security risks.

  • Conducting regular internal audits, management reviews, and risk assessments.

  • Documenting roles, responsibilities, and procedures related to information security.

 

5. Roles and Responsibilities

  • Senior Management: Provide leadership, approve the ISMS strategy, and allocate resources.

  • Information Security Officer: Manage and coordinate the implementation of the ISMS and monitor compliance.

  • All Employees/Subcontractors: Follow all relevant security policies and report any actual or suspected breaches.

 

6. Key Principles

  • Confidentiality: Access to data is restricted based on role and need-to-know.

  • Integrity: Data is accurate, complete, and protected from unauthorised changes.

  • Availability: Information systems are resilient and available when needed.

 

7. Controls and Measures

  • Access control with multi-factor authentication for critical systems.

  • Secure backup and disaster recovery procedures.

  • Encryption of sensitive data at rest and in transit.

  • Mobile device and remote working security protocols.

  • Secure document storage and disposal practices.

  • Supplier and third-party risk assessments.

 

8. Incident Management

All suspected or confirmed security incidents must be reported immediately to the Information Security Officer. The incident response procedure outlines investigation, containment, recovery, and communication protocols.

 

9. Training and Awareness

All staff will receive regular training on information security policies, acceptable use, phishing awareness, and secure handling of information.

 

10. Legal and Regulatory Compliance

We are committed to meeting all applicable legal, regulatory, and contractual requirements relating to information security, privacy, and data protection.

 

11. Monitoring and Review

This policy and the ISMS will be reviewed annually or following any significant change to the business or threat landscape. Compliance will be monitored through audits, KPIs, and ongoing performance evaluations.

 

12. Additional ISO 27001-aligned documents (for internal use only):

  1. Information_Asset_Register

  2. Information_Security_Risk_Assessment

  3. ISMS_Method_Statement

Signed:

Ihor Novosyletskyy

Managing Director, Clast Fit LTD

10th of April 2025

 
