Information Security Policy

Wayfinder Consulting Ltd

1. Purpose & Scope

This policy sets out how Wayfinder Consulting Ltd protects the confidentiality, integrity, and availability of information it holds, including customer data. It applies to all business activities, systems, and devices used to deliver services.

2. Roles & Responsibilities

Wayfinder Consulting Ltd is a sole-director company. The Director is responsible for ensuring compliance with this policy, maintaining appropriate security controls, and reviewing the policy annually.

3. Data Classification & Handling

• Customer data is treated as confidential.

• Data is only collected, processed, and stored for legitimate business purposes.

• Data is not disclosed to third parties unless legally required or with customer consent.

• All handling of personal data complies with the UK GDPR and Data Protection Act 2018.

4. Access Control

• All business accounts are protected with strong, unique passwords.

• Multi-factor authentication is enabled where supported.

• Devices are set to lock automatically after periods of inactivity.

5. Device & System Security

• Business laptops and mobile devices are encrypted.

• Security patches and updates are applied promptly.

• Antivirus and firewall protections are in place.

• Only authorised business devices are used to access customer systems.

6. Cloud & Third-Party Services

• Trusted cloud service providers, including Microsoft 365 and Exact Online, are used for data storage, communication, and processing.

• These providers are selected for their compliance with recognised international security standards (e.g. ISO 27001, GDPR).

• Additional providers may be used where appropriate, provided they meet equivalent security and compliance standards.

7. Communication Security

• Email is used responsibly with awareness of phishing risks.

• Sensitive data is only transmitted using secure, encrypted channels where appropriate.

8. Backup & Business Continuity

• Critical business data is backed up regularly to secure cloud storage.

• Backups are tested periodically to confirm that data can be recovered.

• In the event of a disruption, services can be restored promptly using backups and cloud services.

9. Incident Response

In the event of a suspected data breach or security incident:

1. Contain the incident to prevent further impact.

2. Investigate and document what occurred.

3. Notify affected customers promptly if their data may have been impacted.

4. Comply with any legal or regulatory reporting requirements.

10. Policy Review

This policy is reviewed annually, or sooner if there are significant changes to business operations, systems, or applicable legislation.

________________________________________

Approved by

Tony Richardson, Director

Wayfinder Consulting Ltd

________________________________________

Disclaimer

This Information Security Policy is provided for transparency and reference only. It describes the principles and practices that Wayfinder Consulting Ltd follows to safeguard information. It does not create contractual obligations between Wayfinder Consulting Ltd and any other party, unless expressly incorporated into a written agreement.