Business Management System
ISO 27001
1. INTRODUCTION
This document is the Business Management Manual of TheTin and for the purpose of this manual will be referred to as ‘BMS Manual’.
The Manual is the property of TheTin and is a controlled document.
The purpose of the Manual is to provide an overview of TheTin, the activities it carries out and the ISMS standards of operation it conforms to.
It is not designed to act as a procedures manual, although it does indicate where procedural information is located and details the documentation requirements for the procedures required by the respective standards.
This Manual is designed to meet the requirements of ISO 27001 and any standard which adopts the Annex SL structure.
1.1. THE ISSUE STATUS
The issue status of this Manual is indicated by the version number in the footer of this document.
When any part of this Manual is amended, a record is made in the Amendment Log shown below.
The Manual can be fully revised and re-issued at the discretion of the Management Team.
Please note that this Manual is only valid on the day of printing.
| Issue | Issue Date | Additions/Alterations | Initials |
| --- | --- | --- | --- |
| 1.0 | 01/11/2021 | Business Management Manual First Authorised Issue | JS/MR |
1.2. PLAN-DO-CHECK-ACT Model
ISO 27001 requires a company to establish, implement and maintain a continuous improvement approach to manage its ISMS. PDCA (plan–do–check–act) is an iterative four-step management method used in business for the control and continual improvement of processes and products. TheTin uses this four-step approach as an effective project planning tool and this forms the basic framework for the implementation and management of ISO 27001.
1.3. ISMS POLICY
It is the policy of TheTin to maintain an information management system designed to meet the requirements of ISO 27001 in pursuit of its primary objectives, the purpose and the context of the organisation.
It is the policy of TheTin to:
● make the details of our policy known to all interested parties, including external parties where appropriate, and determine what needs to be communicated about the business management system and by what methods;
● comply with all legal requirements, codes of practice and all other requirements applicable to our activities; therefore, as a company, we are committed to satisfy applicable requirements related to information security and the continual improvement of the ISMS.
● provide all the resources of equipment, trained and competent staff and any other requirements to enable these objectives to be met;
● ensure that all employees are made aware of their individual obligations in respect of this information security policy;
● maintain a management system that will achieve these objectives and seek continual improvement in the effectiveness and performance of our management system based on “risk”.
This information security policy provides a framework for setting, monitoring, reviewing and achieving our objectives, programmes and targets.
To ensure the company maintains its awareness for continuous improvement, the business management system is regularly reviewed by “Top Management” to ensure it remains appropriate and suitable to our business. The Business Management System is subject to both internal and external annual audits.
Scope of the Policy
The scope of this policy relates to the use of the database and computer systems operated by the company in pursuit of the company’s business of providing Strategy, Design and Development services to various business sectors. It also relates, where appropriate, to external risk sources including functions which are outsourced.
Jamie Simmonds – Managing Director
2. OVERVIEW OF THE ORGANISATION
TheTin is a full service digital creative agency. Formed in 2001 by Jamie Simmonds and Tim Harper, it focuses on providing strategic and technical services to clients who want to increase their digital presence. Typical projects include full website builds, digital rebranding, web app development and web component development.
Clients currently range from SMEs and artists through to financial services, with one of the big 4 financial services companies maintaining long standing contracts with TheTin.
TheTin comprises 4 major functions - Strategy, Project Management, Development and Design. They are managed via the Head of Delivery Élann Carel-Maloney and new business is led via the Head of Client Services Trevor Davis.
Jamie Simmonds is currently the sole owner and Manager of TheTin, and holds majority shares in the business.
TheTin is currently based in Soho, London and has staff throughout London and the North East. Future plans include reopening a Newcastle office.
2.1. SCOPE OF REGISTRATION
All activities associated with Strategic Brand Consultancy, Web and Application Development internationally. This includes all the information systems which the company manages and operates as part of offering these services.
3. OBJECTIVES
We aim to provide a professional and ethical service to our clients. In order to demonstrate our intentions, our Management Team will analyse customer feedback data, internal performance data, financial performance data and business performance data to ensure that our Objectives are being met.
Our objectives are set out in our business plan and are then disseminated to each department/project for incorporation into their management roles.
Each department is responsible for delivering its objectives and this is monitored via individual appraisals and team meetings. TheTin’s ISMS Objectives can be found in a separate ISMS Objectives document. Whilst these are “high-level” objectives, we have further analysed and categorised them in our Risk & Opportunities Matrix. In some cases, this may allow for specific objectives to be set across different functions. This shows how we set targets and measure progress in meeting the “high-level” objectives.
4. CONTEXT OF THE ORGANISATION
4.1. UNDERSTANDING THE ORGANISATION AND ITS CONTEXT
The context of the organisation is demonstrated within this Business Management System and all associated processes connected with the services offered. Legislation and regulatory compliance regarding Information Security of the services offered can be found on a stand-alone Legal Register document. The organisation’s legal responsibilities and obligations are monitored by the Senior Management Team on a regular basis and updated as and when necessary.
4.2. UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES
An interested party can be an individual or group of people that are affected by the organisation’s activities. TheTin has identified the following interested parties and their information requirements.
| Interested Parties | Information Requirements |
| --- | --- |
| Directors | Ensure that the business continues to function in a profitable manner without hindrance and bureaucracy. Reporting systems and functions are effective in assisting informed business decisions. The business implements and manages a robust Information Security Management System. |
| Employees | Require a secure working environment, job satisfaction, sufficient training, and guidance from leadership so that they can perform their duties in an efficient and secure manner. |
| Clients | Any data that is handled by TheTin is processed in a secure and transparent manner. TheTin is expected to have a robust ISMS to ensure that security requirements are aligned. High quality delivery and meeting of all contractual obligations. |
| Suppliers / Contractors | Require clear instructions and effective communication regarding any products or services required. Established methods to ensure that both parties have a secure working environment. |
| Accountants | TheTin expects its accountants to act as a verification mechanism to shareholders and other interested parties that the accounts are a true reflection of the period and that finances have been accounted for in line with the governing/regulatory framework in place. The accountants require TheTin to provide them with all the necessary information in a timely manner and to work in partnership to ensure accurate bookkeeping. Both parties are also expected to advise each other of any legislative change that may affect their duties. |
| Company Solicitors / Lawyers | The company solicitors/lawyers expect TheTin to work in partnership towards resolving any legal issues and to provide the required information and supporting documents. Secure methods to transfer confidential information can be provided by either party. They also require TheTin to keep them updated with all the necessary information so that they can provide legal guidance to the company efficiently and in a timely manner. |
| Governing and Regulatory Bodies | Requirements of the governing and regulatory bodies are to be closely monitored and acted upon quickly if there is a change/update. TheTin would need to utilise the legal register and ensure that all of the applicable legislation and regulations are carefully considered. |
| Shareholders | Expect transparency in all company activities. Active reporting of company progress and consultation on all wider business plans and the setting of corporate objectives. |
4.3. DETERMINING THE SCOPE OF ISMS
The scope of the system covers all the core and supporting activities of the company. The activities and arrangements of all personnel including any sub-contractors also fall within the scope of the system.
4.4. ISMS SYSTEMS AND PROCESSES
The organisation has established, implemented, maintained and will continually improve an information security management system in accordance with ISO27001. This Business Manual provides information as to how we meet these requirements, with reference to key processes and policies, as appropriate.
5. LEADERSHIP
5.1. LEADERSHIP & COMMITMENT
TheTin’s Top Management Team is committed to the development and implementation of an Information Security Management System which is compatible with the strategic direction and the context of the organisation. The whole system is frequently reviewed to ensure conformance to ISO 27001. Responsibility has been assigned to ensure that the ISMS conforms to the requirements of the respective standard, and the provision to report on performance to the Senior Management Team has been defined.
The designated Senior Management Representative(s) will ensure that TheTin staff are aware of the importance of meeting customer as well as statutory and regulatory requirements, and overall, to contribute to achieving TheTin’s Information Security Policy and Objectives which are aligned with the organisation’s strategic direction.
The Senior Management Team is responsible for implementing this system and ensuring the system is understood and complied with at all levels of the organisation.
In summary, the Senior Management Team will ensure that:
5.1.1. LEADERSHIP AND COMMITMENT FOR THE BUSINESS MANAGEMENT SYSTEM
● The company has a designated Senior Management Representative who is responsible for the maintenance and review of the Management System.
● The ongoing activities of TheTin are reviewed regularly and that any required corrective action is adequately implemented and reviewed to establish an effective preventative process.
● Measurement of our performance against our declared Information Security Objectives is undertaken.
● Resources needed for the system are available and employees have the necessary training, skills and equipment to effectively carry out their work.
● Internal audits are conducted regularly to review progress and assist in the improvement of processes and procedures.
● Objectives are reviewed and, if necessary, amended at regular Management Review meetings and the performance communicated to all staff.
● The information security policy and objectives are established in line with the strategic direction of the organisation and that intended outcome(s) are achieved.
● The management system is integrated into the organisation’s business processes.
● Communication covering the importance of the effective management system and conformance to the management system requirements is in place.
● Continual improvement is promoted.
● The contribution of persons involved in the effectiveness of the management system is achieved by engaging, directing and supporting persons and other management roles within their area of responsibility.
5.2. ISMS POLICY
The ISMS Policy of TheTin is located within section 1.3 of this Manual.
5.3. ORGANISATION ROLES, RESPONSIBILITIES AND AUTHORITIES
TheTin has an organisation chart in place, employee contracts together with job descriptions to ensure that the appropriate personnel are in place to cover the whole context of the organisation and strategy of the business. Our Operations Manager (this role is carried out by Michael Reed) is responsible for randomly sampling records to ensure that all required data has been captured, and that data is accurate and complete.
| Name | Role | Responsibilities |
| --- | --- | --- |
| JAMIE SIMMONDS | Managing Director (Senior Management Team) | Overall oversight of BMS along with provision of guidance. |
| ÉLANN CAREL-MALONEY | Head of Delivery (Senior Management Team) | Provide guidance and support the ISMS on all aspects. |
| TREVOR DAVIS | Head of Client Services (Senior Management Team) | Responsible for keeping the other members of the Senior Management informed on relevant ISMS matters. Ensure that Clients are aware of ISMS policies in line with TheTin’s policies. Also monitor the performance of the ISMS. |
| MICHAEL REED | Operations Manager (ISO 27001 PROJECT MANAGER) | Provide guidance, help define ISMS objectives and overall monitoring of ISMS activities. Liaise with other members of the Senior Management Team and conduct the operational side of all ISMS activities. |
| DAVID ROBINSON | Senior Strategist | Support the Operations Manager in all ISMS activities. |
| CHARLIE HUNTER | Senior PM | Support the Operations Manager in all ISMS activities. |
| CHRIS ZORYK | Senior BE Developer | Support the Operations Manager in all ISMS activities. |
| OLLIE RHODES | Senior FE Lead & Architect | Support the Operations Manager in all ISMS activities. |
| DAN DIXON | Senior Lead Interactive | Support the Operations Manager in all ISMS activities. |
TheTin Organisation Chart is available as a separate document.
6. PLANNING FOR THE BUSINESS MANAGEMENT SYSTEM
6.1. ACTIONS TO ADDRESS OPERATIONAL RISK AND OPPORTUNITIES
We have identified the risks and opportunities that are relevant to our Business Management System from an operational perspective. This also links to sections 4.1 and 4.2 of this manual and provides information on low-level objectives. This ‘Risk Management’ (RM) document is separate to this manual. Within each of the areas the risks are identified together with a rating as to the importance of the risk. The associated consequence and mitigation of the risk is also noted together with any new opportunities that we have identified. Where applicable, we have identified measurable objectives and these can be found in a separate document, ‘ISMS Objectives’.
The controls identified in this document feed into our risk treatment plan (Statement of Applicability), which has been designed and implemented using the main headings within the standard (Annex A, Table A.1 – control objectives and controls) as a guide to establish that all controls required have been considered and that there are no omissions. The document identifies controls to mitigate risks following the process of identification, analysis and evaluation. The SOA document is separate to this Manual.
6.1.1. INFORMATION SECURITY RISK ASSESSMENT
In accordance with our ‘Risk Management’ matrix referenced in 6.1, above, we have assessed any typical / likely Information Security threats based on their potential effects on Confidentiality, Integrity and Availability (CIA) attributes. The risks are identified in the following assets/asset groups/key business areas:
● Legislation, Regulation & Compliance
● Hardware
● Software
● Information (in physical or electronic form)
● Infrastructure
● People
● Outsourced services
All typical / likely threats have been assessed based on their potential effects on Confidentiality, Integrity and Availability (CIA attributes) using a rating scale of Very Low (1), Low (2), Medium (3), High (4) and Very High (5), applied across the key areas of Probability and Impact. Following this analysis, appropriate controls have been identified, which feed into our Statement of Applicability, as described in section 6.1.2, below. The risk evaluation criteria used are: 1 – Accept risk, 2 – Apply controls, 3 – Avoid risk, 4 – Transfer the risk.
6.1.2. INFORMATION SECURITY RISK TREATMENT
The approach to our risk treatment plan has been designed and implemented using the main headings within the standard (Annex A, Table A.1 – Control objectives and controls) as a guide to establish that all controls required have been considered and that there are no omissions.
The document identifies controls to mitigate risks following the process of identification, analysis and evaluation described in section 7 and is directly linked to the aspects of the organisation.
The SOA document is separate to this Manual and conforms to the requirements as defined within clause 8.3 of the ISO 27001 standard.
Please see the documents below as demonstration of compliance:
● Risk Management
● Statement of Applicability
6.2. ISMS OBJECTIVES AND PLANNING TO ACHIEVE THEM
The ISMS Objectives can be found in the ISMS Objectives document and the methods of achieving the objectives are described in section 3 of this Manual.
7. SUPPORT
7.1. RESOURCES
TheTin determines and provides the resources needed for the establishment, implementation, maintenance and continual improvement of the management system.
We ensure that the below elements are taken into account when completing an evaluation:
● The capabilities of, and constraints on, existing internal resources;
● What needs to be obtained from external providers
7.2. COMPETENCE
All employees have the training and skills needed to meet their job requirements. All employees are monitored on an ongoing basis to identify any training and development needs. Competences and training needs are identified and satisfied using the documentation listed below, which also serves as demonstration of compliance:
● Job descriptions which set out the competences required
● Contracts of employment which set out contractual and legal requirements
● Induction checklists to ensure / check understanding
● Appraisal reviews to monitor performance
● Development plans to set objectives
● Tests of understanding
● A training / competency matrix
7.3. AWARENESS
We ensure that all employees are aware of all policies and their contribution to the effectiveness of the Management System through:
● Email
● Employee Handbook
● Awareness Training
● Induction
7.4. COMMUNICATION
For internal staff, TheTin’s intranet (SharePoint) is a source of information and is updated regularly to ensure that all information is correct. This is accessible by all staff. Confidential information is passed on to the relevant person through the hierarchical chain. For external persons, the company website is a source of information and is updated regularly to ensure that information is up-to-date. Client mail shots are sent out regularly to promote additional services.
7.5. DOCUMENTED INFORMATION
7.5.1. GENERAL
TheTin demonstrates documented compliance to ISO 27001 (or any other standard in line with the Annex SL structure) through this Business Management System Manual (which includes processes and procedures), held on an electronic system on the company intranet (SharePoint) that is available to all employees. All documents are read-only; amendments can only be made through the document owner.
7.5.2. CREATING AND UPDATING
The creation of documentation to support the Business Management System is primarily the responsibility of the designated “Senior Management Representative”.
Documents are identified by a document number, date and author. To support the approval and suitability of documents, the Managing Director of TheTin authorises their release and delegates any training required to the “Senior Management Team”.
7.5.3. CONTROL OF DOCUMENTED INFORMATION
All documentation is controlled by version and date and is listed on a “Master Document List”.
TheTin has a Kaspersky Cloud+ anti-malware solution in place to avoid loss of confidentiality, improper use or loss of integrity. TheTin’s systems are fully cloud-based, and Cisco Meraki Systems Manager is also used to secure its IT infrastructure. A Remote Working Policy and a BYOD Policy are in place. Regular backups are taken as per the Backup Policy.
Control of documents can be seen on the Master Document List and encompasses the following elements:
● Distribution, Access, Retrieval and use
● Storage and preservation, including preservation of legibility
● Control of changes
● Retention and disposition
Documents can be retrieved by authorised personnel from the storage locations specified in the Master Document List. Customer records are identified by customer name and project name.
On or after the retention period stated, the relevant records will be reviewed by Top Management and will either remain in-situ, be archived or destroyed.
If records are to be destroyed, they will be disposed of in a controlled manner; sensitive hard copies will be shredded and soft copies will be deleted from the system. If records are to be archived, they will be identified and stored appropriately.
Please see below document as demonstration of compliance:
● Master Document List
8. OPERATION
8.1. OPERATIONAL PLANNING AND CONTROL
TheTin has determined the requirements and controls implemented for all processes needed to meet Information Security requirements and has implemented the actions described in section 6.1 of this manual. We will also implement plans to achieve ISMS objectives, as highlighted in sections 3 and 6.2 of this manual. We retain documented information to the extent necessary to have confidence that the processes have been carried out as planned. We shall control any planned changes and will review the consequences of unintended changes, taking action to mitigate any adverse effects.
8.2. INFORMATION SECURITY RISK TREATMENT
In line with the criteria established in section 6.1.2 of this manual, we perform ISMS risk assessments at planned intervals or when significant changes are proposed or occur. The risk treatment is incorporated within Risks & Opportunities – See Clause 6.1. Documented information of the results of risk assessments is retained.
9. PERFORMANCE EVALUATION
9.1. MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION
Monitoring is based on risk and is linked to the risk & opportunities register together with the risk assessments which are carried out. This is also monitored through internal audits (section 9.2) and management review (section 9.3) to ensure the effectiveness of the management system.
9.2. INTERNAL AUDIT
An internal audit schedule is prepared on an annual basis and covers the requirements of the ISO 27001 standard. Internal audits are carried out through “risk-based or clause-based” auditing.
Appropriate personnel are allocated to complete the internal audits and must record appropriate evidence for completeness. All audits completed must be authorised by Senior Management as complete once any non-conforming areas have been dealt with (without any undue delay). Internal audit documentation must be kept and filed appropriately.
Please see the documents below as demonstration of compliance:
● Internal Audit Report / Non-conformance Report
● Internal Audit Schedule
9.3. MANAGEMENT REVIEW
Management reviews take place on a bi-annual basis. The attendees present are “Senior Management” and any other appropriate persons of the business.
All inputs / outputs are fully documented and minuted in line with the requirements of the specific ISO standard to which TheTin wishes to be certified. Any actions arising from the meeting must be completed without any undue delay and appropriate evidence filed with the Management Review documentation.
Please see the document below as demonstration of compliance:
● Management Review - 01.11.2021
10. IMPROVEMENT
10.1. NONCONFORMITY AND CORRECTIVE ACTION
Should a non-conformity occur, including those arising from complaints, internal audits and external 3rd party assessment, TheTin will designate the appropriate “Senior Management” representative to ensure that corrective action, including root cause analysis, is completed and implemented to avoid any further occurrences. The non-conformity is then analysed and, should the risk to the business be assessed as “high”, it is entered onto the “RM document” (see Clause 6.1) to assist in mitigating the risk to the business.
Should any non-conformances occur or be identified, an internal audit report / non-conformance report must be completed to ensure that the problem is fully analysed and resolved. A summary of all actions will be maintained within the Management Action Log (MAL). The corrective action plan summary must be completed, as this then forms part of the Management Review meeting.
Please see the documents below as demonstration of compliance:
● Internal Audit Report / Non-conformance Report
● Management Action Log
10.2. CONTINUAL IMPROVEMENT
Continual Improvement will be ongoing through various elements of the Business Management System which is encompassed within this document. The list below is not exhaustive:
● RM Document – Evaluated at several stages (clause 5.1, 6.1)
● ISMS Policy / Objectives
● Planning of Changes
● Training Matrix
● Customer Satisfaction
● Internal Audits
● 3rd Party External Audits
● Management Review