Purpose
This policy states ISER’s commitment to the security of information entrusted to it. It applies to all information assets within the scope of ISER’s certification to the international ISO/IEC 27001:2022 Information Security standard, as defined in the ISER ISMS Scope Statement.
Information Security Policy
ISER is an intellectually open, research-driven academic department of the University of Essex in which information — in particular that provided by others — is a critical resource. Information and the personnel who manage and process it are our most valuable assets. The information we use exists in many forms: on paper, digitally, in films and podcasts, and in spoken conversation. Information must always be appropriately protected regardless of how it is stored or communicated.
Information security is concerned with protecting three core properties:
- Confidentiality — information is available only to those authorised to access it.
- Integrity — information remains accurate and complete, and is protected from unauthorised modification.
- Availability — information is accessible to authorised individuals when they need it.
Effective information security is achieved through appropriate management practices in compliance with legislative, University and contractual requirements.
ISER is responsible to the stakeholders who supply us with information for management and research purposes. Our stakeholders include:
- The University of Essex
- Our funders, clients and data suppliers
- Our academic and survey partners
- Our survey participants
Our stakeholders expect us not only to meet their service requirements, but also to value their information as highly as they do and to meet the information security requirements they demand of us. We are committed to meeting these expectations and to providing our stakeholders with the confidence that we are doing so, through our business continuity arrangements and our Information Security Management System (ISMS).
To achieve this, ISER’s information security objectives are:
- To maintain an ISMS that is certified as compliant with the ISO/IEC 27001:2022 standard. The scope of the ISMS is defined in the ISER ISMS Scope Statement.
- To provide cost-effective protection of all ISER’s information assets, whether digital or paper-based, created by ISER or provided and controlled by others, and to dispose of them securely at the end of their life.
- To ensure that all ISER personnel are aware of and act in compliance with the ISMS, relevant legislation, and University and contractual requirements, and that they understand their individual responsibility for protecting the confidentiality, integrity and availability of the information they handle.
- To ensure that members of ISER with specific responsibilities under the ISMS — including Information Risk Owners and technical staff — are aware of those responsibilities and act in accordance with them.
- To respond quickly and effectively to information security incidents, communicating with affected stakeholders and improving our information security management as a result.
ISER will continually improve its ISMS through regular internal and external audits and timely correction of non-conformities; through modifications to the ISMS in response to new threats and opportunities; and through a regular process of management review that will take place at least once a year. The management review will, as required, set additional information security objectives and ensure that they are communicated to the relevant parties.
This policy is reviewed at least annually. The management review may also trigger a review of this policy outside the annual cycle.
Document Version: 6.0 / Date: 25/03/2026