1. Purpose

    Information is one of Clever Centre Ltd’s most valuable assets. It is critical to delivering our mission of helping businesses reduce energy use, cut carbon, and participate in the clean energy transition.

    This policy sets out how we protect information from theft, misuse, loss, corruption, or unauthorised access. Information security incidents can cause reputational damage, financial loss, and non-compliance with laws such as the UK GDPR.

    This policy sits alongside our Data Protection Policy and Information Risk Management procedures, and provides the high-level outline for our security controls.

    Objectives

    Clever Centre Ltd’s information security objectives are that:

    1. Information risks are identified, assessed, and managed within an agreed risk tolerance.
    2. Development and procurement of IT systems always consider information security.
    3. Authorised users can securely access and share information to perform their roles.
    4. Security controls (physical, procedural, technical) balance usability and protection.
    5. Legal, regulatory, and contractual obligations relating to information security are met.
    6. All staff and partners understand their responsibilities regarding information security.
    7. Information security incidents are reported, investigated, and acted on to improve resilience.

    Scope

    This policy and supporting controls apply to:

    • All information held, processed, or communicated by Clever Centre Ltd, in any format.
    • All staff, contractors, consultants, and third parties who access Clever Centre Ltd information or systems.
    • All information processing assets including hardware, software, networks, and data.

    Policy Statement

    Clever Centre Ltd is committed to ensuring the protection of information assets through:

    • Confidentiality – information is accessible only to authorised individuals.
    • Integrity – information is accurate, complete, and reliable.
    • Availability – information and systems are accessible to authorised users when needed.

    We will implement an Information Security Management System (ISMS) aligned to ISO 27001 and other relevant standards.

    Key Controls

    1. Policies & Governance
    • A suite of supporting information security procedures will accompany this policy.
    • Responsibilities will be defined at Board, management, and operational levels.
    • An Information Security Officer will oversee implementation and reporting.
    1. Human Resources Security
    • All staff will be trained on acceptable use and information security responsibilities.
    • Security expectations will be built into contracts and role descriptions.
    • Misuse or breaches of policy will be addressed under disciplinary procedures.
    1. Asset Management
    • All information and technology assets will be documented and classified.
    • Owners will be identified for each asset, responsible for its protection and lifecycle management.
    • Retention and disposal schedules will be defined and applied.
    1. Access Control
    • Access to information and systems will be role-based and reviewed regularly.
    • Strong authentication will be required, with enhanced controls for privileged accounts.
    • A joiner/mover/leaver process will ensure timely updates to access rights.
    1. Cryptography
    • Encryption will be used to protect data at rest and in transit where appropriate.
    • Guidance will be provided to staff on the proper use of cryptographic tools.
    1. Physical & Environmental Security
    • Offices and IT facilities will be secured against unauthorised access.
    • Sensitive information will be stored securely and protected against environmental risks.
    1. Operations Security
    • Malware protection, vulnerability management, and system logging will be applied.
    • Formal change control will manage updates to critical systems.
    • Backups will be maintained and tested.
    1. Communications Security
    • Network security controls will safeguard internal and external communications.
    • Secure methods will be used for transferring sensitive information.
    1. Supplier Relationships
    • Information security requirements will be included in supplier contracts.
    • Supplier access to information will be risk-assessed, monitored, and reviewed.
    1. Incident Management
    • All staff must report suspected or actual security incidents immediately.
    • Incidents will be investigated, lessons learned, and corrective actions taken.
    1. Business Continuity
    • Critical processes will be protected through continuity and disaster recovery planning.
    • Business impact analyses and resilience testing will support preparedness.
    1. Compliance
    • All information security activities must comply with UK law (including Data Protection Act 2018 and UK GDPR), industry standards (e.g. PCI-DSS if relevant), and contractual requirements.
    • Compliance will be verified through audits, penetration tests, and internal checks.

    Compliance & Review

    • Compliance with this policy will be monitored and reported to senior management.
    • This policy will be reviewed annually, or sooner if required by legislation, technology, or business changes.

    📄 Approved by the Board of Clever Centre Ltd – April 2025