Information Security Policy

This Information Security Policy establishes the principles, commitments, and framework by which StremarControl Ltd protects information assets. This policy is aligned to the ISO/IEC 27001:2022 standard for information security management systems (ISMS).

1. Policy Statement

StremarControl Ltd is committed to preserving the confidentiality, integrity, and availability of all information assets under its control. This includes information belonging to our organisation, our clients, our partners, and any third parties with whom we interact in the course of delivering our Microsoft 365 compliance and security operations services.

We recognise that information security is fundamental to the trust our clients place in us and to the effective delivery of our services. We are committed to managing information security risks systematically, proportionately, and in accordance with recognised international standards.

2. Scope

This policy applies to:

  • All information assets owned, controlled, or processed by StremarControl Ltd, regardless of format (digital, physical, or verbal).
  • All directors, employees, contractors, and temporary workers engaged by StremarControl Ltd.
  • All client engagements, including access to client tenants, systems, and data.
  • All technology infrastructure, including cloud services, endpoints, and communications platforms used in the delivery of our services.
  • All third-party relationships where information is shared or processed on our behalf.

3. Leadership Commitment

The Managing Director of StremarControl Ltd holds ultimate responsibility for information security and the effective operation of the ISMS. Management is committed to:

  • Establishing information security objectives aligned with business strategy and client requirements.
  • Allocating appropriate resources for the implementation and maintenance of security controls.
  • Promoting a culture of security awareness across the organisation.
  • Ensuring regular management review of the ISMS and its effectiveness.
  • Leading by example in adherence to security policies and procedures.

4. Risk Assessment

StremarControl Ltd maintains a formal risk assessment methodology to identify, analyse, evaluate, and treat information security risks. Our approach includes:

  • A documented risk assessment process conducted at planned intervals and whenever significant changes occur to our services, infrastructure, or threat landscape.
  • Identification and valuation of information assets and the threats and vulnerabilities that may affect them.
  • Assessment of risk likelihood and impact using a consistent, repeatable methodology.
  • Selection and implementation of risk treatment options (mitigate, accept, transfer, or avoid) based on risk appetite and cost-benefit analysis.
  • Maintenance of a risk register that is reviewed and updated quarterly.
  • Formal risk review as part of the annual management review cycle.

5. Access Control

Access to information and systems is controlled on the principle of least privilege. Our access control measures include:

  • Role-based access control (RBAC) ensuring that individuals only have access to the information and systems necessary for their role.
  • Multi-factor authentication (MFA) enforced for all user accounts across all business systems.
  • Privileged Identity Management (PIM) with just-in-time elevation for administrative access to client and internal environments.
  • Regular access reviews conducted quarterly to verify that access rights remain appropriate.
  • Immediate revocation of access upon role change, contract termination, or end of engagement.
  • Strong password policies enforced through technical controls, with preference for passwordless authentication methods where supported.

6. Cryptography

StremarControl Ltd employs cryptographic controls to protect the confidentiality and integrity of information:

  • Encryption at rest for all stored data, using AES-256 or equivalent encryption standards.
  • Encryption in transit for all data communications, using TLS 1.2 or higher.
  • Cryptographic key management procedures to ensure keys are generated, stored, rotated, and revoked securely.
  • Use of encrypted channels for all client communications involving sensitive or confidential information.

7. Operations Security

Operational security controls are maintained to ensure the secure and reliable operation of our services:

  • Formal change management procedures for all modifications to production systems and client environments.
  • Comprehensive logging and monitoring of system activity, authentication events, and administrative actions.
  • Centralised log collection and retention in accordance with defined retention periods.
  • Regular review of logs and alerts to detect anomalous or potentially malicious activity.
  • Malware protection deployed and maintained on all endpoints.
  • Vulnerability management including regular scanning and timely patching of identified vulnerabilities.

8. Communications Security

StremarControl Ltd implements controls to protect information in transit and to secure our communications infrastructure:

  • Network segmentation to separate business functions and limit the blast radius of potential security incidents.
  • Email protection including anti-phishing, anti-spoofing (SPF, DKIM, DMARC), and content filtering.
  • Secure data transfer controls for the exchange of sensitive information with clients, including encrypted file sharing and secure collaboration platforms.
  • Restrictions on the use of unapproved communication channels for business and client information.

9. Incident Management

StremarControl Ltd maintains documented incident management procedures to ensure the effective detection of, response to, and recovery from information security incidents:

  • Detection: Automated monitoring and alerting systems are in place to identify potential security events. All personnel are trained to recognise and report suspected incidents.
  • Response: A defined incident response plan sets out roles, responsibilities, containment actions, and communication protocols.
  • Reporting: Security incidents affecting client data are reported to the affected client promptly. Where required, incidents are reported to the Information Commissioner's Office within the statutory timeframe.
  • Lessons learned: Post-incident reviews are conducted for all significant incidents to identify root causes and implement corrective actions to prevent recurrence.

10. Business Continuity

StremarControl Ltd maintains business continuity and disaster recovery measures to ensure the continued delivery of services:

  • Regular backups of critical data and configurations, stored in geographically separate locations.
  • Documented disaster recovery procedures for key systems and services.
  • Recovery time and recovery point objectives defined for critical business functions.
  • Regular testing of backup restoration and disaster recovery procedures to verify their effectiveness.
  • Business continuity plans reviewed and updated annually or following significant organisational changes.

11. Compliance

StremarControl Ltd is committed to complying with all applicable legal, regulatory, and contractual obligations related to information security, including:

  • The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
  • The Computer Misuse Act 1990.
  • Contractual obligations to clients, including those specified in engagement agreements and data processing agreements.
  • Industry standards and frameworks, including ISO/IEC 27001:2022.
  • Any sector-specific regulations applicable to our clients' industries where relevant to the delivery of our services.

12. Training and Awareness

All personnel are required to participate in information security training and awareness activities:

  • Security awareness training is provided during onboarding for all new staff and contractors.
  • Annual refresher training covering current threats, policies, and best practices.
  • Regular phishing simulations to test and reinforce awareness of social engineering threats.
  • Role-specific training for personnel with elevated access privileges or responsibilities.
  • Records of all training activities are maintained for audit and compliance purposes.

13. Policy Review

This policy is reviewed on an annual cycle, or sooner if triggered by significant changes to the business, threat landscape, or regulatory environment. The policy owner is the Managing Director of StremarControl Ltd. All amendments are approved by the Managing Director and communicated to all relevant parties.

Last updated: March 2026. StremarControl Ltd, Company No. 17022761.