Data Security and Information Security Policy

Information Security Policy (ISO/IEC 27001:2022)

1. Purpose

This policy establishes the intent and principles of OAL’s Information Security Management System (ISMS) for protecting the confidentiality, integrity, and availability of information across our laboratory, digital platforms (including LIMS and portals), cloud services, and supplier ecosystem, in accordance with ISO/IEC 27001 and applicable legal and contractual obligations (UK GDPR, Data Protection Act 2018, client contracts, and sector requirements).

2. Scope

Applies to all OAL employees, contractors, temporary staff, and third parties who access OAL information or systems. In scope are:

  • On‑premise systems (e.g., LIMS, instrument software, PCs, servers, networking equipment).
  • Cloud services (e.g., email, file storage/backup, collaboration tools).
  • Websites and portals (e.g., oilanalysislab.com, learnoilanalysis.com, customer portals).
  • End‑user devices (laptops, workstations, mobiles, tablets, removable media).
  • Information in any form (digital, paper, voice, images, samples/report PDFs).

3. Overall ISMS Objective

Demonstrate to clients that OAL takes protecting them seriously: handle client data safely and responsibly, and manage it in the manner the client would reasonably expect.

4. Overall ISMS Objectives

  1. Maintain service availability to ≥ 99% during business hours.
  2. Remediate or mitigate high‑risk vulnerabilities within 30 days of identification.
  3. 100% of staff complete security & privacy training within probationary period.

5. Information Security Principles

  • Risk‑based: Identify, assess and mitigate risk.
  • Defence‑in‑depth: Layered organisational, physical, and technical controls.
  • Least privilege & need‑to‑know: Access is restricted and reviewed.
  • Secure by design & by default across systems, code, and processes.
  • Legal & contractual compliance with national legislation, licenses, and client obligations.
  • Continuous improvement via audits, monitoring, and corrective actions.

6. Access Control & Identity Management

  • Unique user IDs on all in‑scope systems (no shared logins), with MFA where required.
  • Administrative privileges are held in separate admin accounts, not in day‑to‑day user accounts; shared systems enforce session timeouts.

7. Asset Management

  • Maintain an information asset register including classification, owner, location, backup regime, and retention.
  • Tag all laptops/servers/network gear; record custody; report loss/theft immediately.

8. Operations Security

  • Change Management: All production changes via documented request, impact assessment, approval, testing, and rollback plan.
  • Internal communication: All staff communication concerning customer samples and data takes place over end‑to‑end encrypted channels.

9. Backup & Recovery

  • On‑site, off‑site and cloud backups are retained at all times.
  • Most systems are backed up daily; specific laboratory data outputs are backed up in real time.

10. Development & Change (Secure SDLC)

  • Code repositories use branch protection and QA review, with separate non‑production and production environments.

11. Supplier & Cloud Security

  • Perform supplier due diligence proportional to risk (security questionnaire, certifications, DPAs, sub‑processor lists).
  • Contracts must include confidentiality, data protection, incident notification, and right to audit clauses.
  • Maintain a supplier register with risk ratings and review cycles.

12. Physical & Environmental Security

  • Controlled access to labs/server rooms; visitor logging and escorts.
  • Clean desk/clear screen; lockable storage for sample paperwork and media.
  • Environmental controls appropriate to equipment; UPS for critical systems.
  • Paperwork is shredded when disposed of.

13. Mobile, Remote Work & BYOD

  • Company‑issued devices are preferred over personal devices.
  • Public Wi‑Fi is used only through the VPN.
  • No printing at home; data is stored only in approved cloud/file systems.

14. Data Protection & Privacy (UK GDPR)

  • Comply with, or exceed, the requirements of UK data protection regulations at all times.
  • Upon discovery of a personal data breach, affected parties are notified in line with UK GDPR requirements.

15. Awareness & Training

  • Mandatory induction training on information security for all staff.
  • Additional mandatory information security training for home workers.

16. Measurement, Audit & Management Review

  • KPIs are reviewed and internal audits performed at least annually against the ISO/IEC 27001 clauses and Annex A controls.
  • Nonconformities tracked with corrective actions; management review minutes recorded and actions monitored.

17. Enforcement

  • Breaches of this policy may result in disciplinary action up to and including termination and legal action.

18. References

  • ISO/IEC 27001:2022, ISO/IEC 27002:2022
  • UK GDPR, Data Protection Act 2018
  • Contracts with clients and suppliers

Statement of Applicability (SoA) – Summary Mapping (extract)

A detailed SoA is maintained separately. This extract shows how OAL addresses the ISO/IEC 27001:2022 Annex A control themes.

Theme            Examples of controls implemented
Organisational   Policies, roles, risk management, SoA, asset inventory, supplier management, incident management, BCM/DR, compliance.
People           Screening, joiners/movers/leavers (JML), awareness, disciplinary process, NDAs, role‑based access reviews.
Physical         Facility access control, visitor management, equipment security, secure storage and disposal.
Technological    Access control, MFA, encryption, logging/monitoring, vulnerability management, backup, secure development, malware protection, network segmentation.

(Full control‑by‑control status, justification, and references reside in the SoA register.)


Appendix A – Data Retention (extract)

  • Customer test data & reports: Retain ≥ 7 years (or per contract/regulation).
  • HR records: Per legal requirements (typically 6 years after employment).

Policy owner: Mr. Cutler. Last issued 31 July 2025. The latest version can always be found at oilanalysislab.com; any other version, including paper copies, is to be treated as uncontrolled.