Information Security Policy

Last Updated: 10/01/2025

GridWise DNO Services Ltd ("the Company") is committed to protecting the confidentiality, integrity, and availability of its information assets. This policy outlines the Company's approach to managing information security risks and ensuring compliance with relevant laws, including the General Data Protection Regulation (GDPR).

1. Purpose

The purpose of this Information Security Policy is to:

  • Protect the Company's information assets against unauthorised access, use, disclosure, disruption, modification, or destruction.
  • Ensure the secure operation of systems, applications, and networks.
  • Establish a framework for managing information security risks.
  • Maintain compliance with legal and regulatory requirements.

2. Scope

This policy applies to:

  • All employees, contractors, consultants, and other personnel working on behalf of the Company.
  • All information assets owned, leased, or otherwise managed by the Company, including physical, electronic, and cloud-based systems.

3. Information Security Objectives

GridWise DNO Services Ltd aims to:

  • Protect the confidentiality of sensitive data.
  • Ensure the integrity of systems and data.
  • Maintain the availability of systems and services to authorised users.
  • Mitigate the risk of data breaches and cyberattacks.

4. Roles and Responsibilities

  • Management: Responsible for providing the necessary resources to implement and maintain this policy.
  • Information Security Officer (if applicable): Oversees the implementation of the policy, conducts risk assessments, and ensures compliance with security standards.
  • Employees and Contractors: Responsible for adhering to this policy and reporting security incidents.

5. Security Measures

The Company employs the following measures to protect its information assets:

5.1 Physical Security

  • Restrict access to offices and server rooms to authorised personnel.
  • Secure physical records in locked storage cabinets.
  • Implement visitor access controls.

5.2 Access Control

  • Grant system access on a need-to-know basis.
  • Use strong passwords and enforce regular password changes.
  • Employ multi-factor authentication (MFA) for sensitive systems.

5.3 Data Protection

  • Encrypt sensitive data in transit and at rest.
  • Use secure protocols (e.g., HTTPS, SFTP) for data transmission.
  • Regularly back up critical data and store backups securely.

5.4 Network Security

  • Implement firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
  • Regularly update and patch systems to address vulnerabilities.
  • Segment networks to isolate sensitive systems and reduce risk.

5.5 Device Security

  • Install antivirus and antimalware software on all devices.
  • Ensure all devices have the latest security updates.
  • Use mobile device management (MDM) to secure employee devices.

6. Security Awareness and Training

  • All employees must complete mandatory security awareness training during onboarding.
  • Regular training sessions will be conducted to address emerging threats, such as phishing and ransomware.
  • Employees are encouraged to report suspicious activities immediately.

7. Incident Management

The Company has established an incident response plan to handle security incidents, including:

  1. Identifying and containing the incident.
  2. Assessing the impact and notifying affected stakeholders.
  3. Reporting breaches to the Information Commissioner’s Office (ICO) within 72 hours, if required.
  4. Implementing measures to prevent recurrence.

8. Risk Management

  • Conduct regular risk assessments to identify vulnerabilities and threats.
  • Prioritise and mitigate risks based on their potential impact.
  • Review and update security measures as needed.

9. Compliance

The Company ensures compliance with:

  • GDPR and other relevant data protection regulations.
  • Industry standards, such as ISO 27001 (if applicable).
  • Internal security policies and procedures.

10. Policy Review

This policy will be reviewed annually or whenever there are significant changes to the Company's operations or the regulatory environment.

11. Contact Information

For questions or concerns about this policy, please contact: