Information Security Policy

Summary of all written information security policy elements

Written by Lauren Rolfe
Updated over a week ago

Introduction

Information can exist in many forms: it can be created, transmitted or stored electronically, printed, written on a piece of paper, shown on our website or spoken in conversations. Whatever form the information takes, or the means by which it is shared or stored, it must always be appropriately protected in accordance with the requirements of the information owner.

Information Security describes activities relating to data, which must protect:

  1. Confidentiality ‑ ensuring that information is accessible only to those authorised to have access.

  2. Integrity ‑ ensuring accuracy and completeness of information and processing methods.

  3. Availability ‑ ensuring that authorised users have access to information and associated assets when required.

Information Security is everyone’s responsibility and all personnel working within WeThrive must make every effort to comply with this Policy.

Purpose

The purpose of this top-level Information Security Policy is to summarise all written information security policy elements including physical, administrative, legal, operational, human and technical controls or procedures. These are to ensure that:

  • The confidentiality, integrity and availability of information are protected from unauthorised access, disclosure, modification or loss.

  • Security risks are properly identified, assessed and treated.

  • An information classification scheme is in place and information is labelled, handled and disposed of correctly.

  • WeThrive meets all legal and regulatory requirements and standards of due care.

  • Employees and visitors know their roles and responsibilities.

  • Information security awareness is raised among all employees.

Any questions regarding the implementation of the Information Security Policy or its interpretation must be directed to the Data Protection Officer.

Scope

This policy applies to, and will be communicated to, all employees, third parties and visitors who interact with information held by WeThrive and the information systems used to store and process it. This includes, but is not limited to, any systems or data directly or indirectly connected to WeThrive’s network and all systems, data or equipment that WeThrive owns, controls, manages, or operates.

Responsibilities

Responsibility for ensuring that information security practices are maintained falls to each employee. Overall responsibility for maintaining the relevant policy and procedure rests with the Data Protection Officer.

Policies with Relevance

  • Password Requirement Policy

  • Information Classification Policy

  • Bring Your Own Device (BYOD) Policy

  • Risk Framework Policy

  • Access Control Policy

  • Data Retention & Disposal Policy

  • Information Transfer Policy

  • Breach Notification Register

  • Anti-Malware Policy

  • Risk Register

Procedures with Relevance

  • Breach Notification Procedure

  • Subject Access Request Procedure

  • Complaints Procedure

  • Data Protection Impact Assessment Procedure
