What we do
Oakland’s Information Security Policy can be read below but is also available as documented pdf at the link and can be shared with interested parties as necessary.
All subordinate policies and controls adhere to this policy and are contained within this online ISMS environment and can be made available as specific documents where required.
The Information Security Policies that are appropriate to the organisation can be found within A.5.1: Policies for information security and then considered throughout this ISMS environment illustrating the detailed controls and processes in place. The complementary security objectives are expressed within 6.2: Information security objectives of the standard requirements.
The policies within this specific ISMS environment and overarching system linked to this environment demonstrate a commitment to satisfy the applicable requirements and continual improvement of the management system.
Information Security Policy
Oakland provides Data Strategy, Data Governance, Data Platform, Data Analytics, and Quality & Operational Excellence consultancy services to organisations across the public and private sector in the UK and worldwide. This policy covers all activities within the business.
Oakland are committed to the development and continual improvement of Information Security and Data Protection and its supporting Information Security Management System in order to provide:
- Assurance with legal, regulatory and contractual obligations
- Reputation management
- Protection of critical assets
- Protection of Personal Data as defined by GDPR
Within Oakland , the terms ‘Information Security’ and ‘Data Protection’ are intended to be the pro-active protection of information and data in all its forms which is under the control of Oakland.
Information has always been critical to Oakland – both internal data and that of our clients. With the increase in our data services, we are accessing more client information and designing/managing cloud-based information systems. Information security has therefore become a critical requirement of Oakland and so we have developed a set of Policies for Information Security which are approved by management, published and communicated to employees and relevant external parties. These take into account:
- Business strategy;
- Regulatory, legislation and contractual needs, and any other applicable requirements; and
- Current and projected information security threats.
Information Security is defined as the “preservation of Confidentiality, Integrity and Availability of information”.
In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved as deemed appropriate to the situation and circumstances.
Information Security Policies are in place to protect Oakland’s informational assets against internal, external, deliberate or accidental threats and vulnerabilities.
“We deem the management of external threats as is important for us, so we have in place these controls”
“We understand that a key risk to our ISMS can come in the form of Human error, we have put in place controls and measures. It is our intention to monitor and improve our information security.” Having considered these risks and our policies we have created a set of IS objectives to
help us continually improve our information security. We will provide this policy to interested parties on request.
Information Security Objectives
The core objective of Information Security is to ensure the continuity of service of Oakland and minimise the risk of damage by preventing security incidents and managing security threats and vulnerabilities. In line with this Policy and all supporting Information Security Policies Oakland shall ensure that it:
- Reduces the risk of security events by negligence or human error;
- Reduces the risk of security events by external threats;
- Reduces the likelihood of a data breach that will affect our clients, customers, employees and other stakeholders.
These are 3 strategic IS objectives will be reviewed annually at Management review. Each strategic objective will have specific targeted objectives including timing, ownership and measures. Those specific objectives will be approved at board level and shall be subject to monthly reporting and review.
General Data Protection Regulation (GDPR)
Oakland are committed to the protection of data, both personal and company and see Information Security Management as being the enabler of this. GDPR, and the six principles within it are of key importance to Oakland and it is our intention to ensure that all processes and practices associated to Information Security, are aligned to GDPR in achieving its aim of reducing the likelihood and/or impact of a data breach on Data Subjects.
Everyone working for Oakland has a duty of care for safeguarding the Confidentiality, Integrity and Availability of written, spoken and digital information and are required to comply with this and related Information Security Policies.
All aspects of the security program will be routinely audited to ensure compliance on an annual basis.
The objective of this Policy is to provide clear direction and support for an Information Security framework within Oakland. This is the primary Policy to which all other supporting Policy and Standards documents are subordinate. This Policy will facilitate measurement against and compliance with, ISO 27001:2013.
Scope of the Management System
The Information Security Management System applies to all permanent, temporary, and contract staff within Oakland and the scope of the ISMS applies to:
- the provision of Data Strategy, Data Governance, Data Platform, Insights & Analytics, and Quality & Operational Excellence services to organisations located worldwide.
and the following internal functions:
- HR, management, sales and marketing, IT, finance
operated from the Leeds site, client sites, and via remote homeworking.
Where outsourced services are provided to Oakland, then reliance is placed upon contractual and legal obligations for the management of information. As a minimum, the service provider is expected to adhere to the UK Data Protection Act 2018 and GDPR for Personal Data.
The application of the Policy does not apply to clients of Oakland, who are expected to have their own Information Security Policy.
Document Management
This document will be made available throughout the business. It will be reviewed for update:
- When specific changes (e.g. Organisational, legal, regulatory) have occurred;
- Annually, within 30 days of the anniversary of this document’s initial issue;
- In response to any concerns raised as to the policy’s effectiveness.
Exceptions
Exceptions to the Information Security Policy require the written recorded agreement of a
member of the Management Review Team (MRT).
Continual Improvement & Corrective Action Policy
In order to continually improve the Information Security Management System (ISMS), when a non-conformity occurs Oakland will take the following steps:
- Oakland will react to the non-conformity and take appropriate action to control it, correct it, and deal with the consequences as deemed appropriate by the size, scale and nature of the non-conformity.
- Oakland will evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere.
Non-Conformities can be identified in the process of an audit or when an incident occurs. In either situation Oakland has committed to a process which will ensure:
- the non-conformity is assessed;
- the cause of the nonconformity is determined;
- an assessment is made of the likelihood that similar non-conformities exist, or could potentially occur;
- that appropriate actions to rectify are implemented; and
- effectiveness of any corrective actions taken are subject to review.
Following the identification of a non-conformity and subsequent corrective action plan, the Information Security Management System will be updated when necessary as soon as practicable.
Corrective actions undertaken are always appropriate to the effects of the non-conformities encountered.
Documented information as evidence of corrective actions is maintained, which includes the nature of the non-conformity, any subsequent actions taken, and the results of any corrective action.
This Policy
This document, and the Policies that support (found within Oakland’s ISMS online) are subject to ongoing review as part of the annual review cycle and are signed off, annually by the Managing Director of Oakland.
Policy Sign Off
Signed off by: Richard Corderoy
Role: Managing Director
Date: 05/04/2024