The CX Index ISMS Policy

The purpose of the ISMS Policy is to protect CX Index’s information assets from all threats, whether internal or external, deliberate or accidental.

The senior management of CX Index have approved the Information Security Policy and fully support the objectives of that policy.

It is the policy of CX Index to ensure that:

  1. Information should be made available with minimal disruption to staff, clients and authorised parties as required by the relevant business process.
  2. The integrity of this information will be maintained.
  3. The confidentiality of information will be assured in accordance with its classification.
  4. Regulatory, contractual and legislative requirements will be met.
  5. Business Continuity plans will be produced to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  6. Information security education, awareness and training will be made available to staff.
  7. All breaches of information security, actual or suspected, will be reported to, and investigated by, the appropriate staff members and management.
  8. Appropriate access control will be maintained and information will be protected against unauthorised access.
  9. Where appropriate, policies, procedures and guidelines not limited to Information Security will be made available in both hardcopy and online format through an intranet system to support the ISMS Policy.

The Internal Audit function has direct responsibility for ensuring the ISMS operates in accordance with the intent of this policy.

All managers are directly responsible for implementing the ISMS Policy within their units, and for adherence by their staff.

It is the responsibility of each member of staff to adhere to the ISMS Policy.

Information security is managed through CX Index’s risk management framework, which will be maintained in line with ISO 27005.

The ISMS will be managed in line with CX Index’s risk appetite, which states that risks of medium level or above must be effectively managed for all assets except the source code for the web application, for which risks of low level or above must be effectively managed.


 
