Organisation: Shaping Tomorrow
Purpose of this document:
This policy describes how Shaping Tomorrow manages information security in line with the principles and control areas of ISO/IEC 27001, in lieu of formal certification. It is intended to provide customers and partners with assurance that appropriate security governance, controls, and processes are in place to protect information assets.
1. Information Security Objectives
Shaping Tomorrow is committed to protecting the confidentiality, integrity, and availability (CIA) of information entrusted to us by customers, partners, and employees.
Our objectives are to:
Protect customer and organisational data from unauthorised access, disclosure, alteration, or loss
Manage information security risks in a systematic and proportionate way
Ensure business continuity and platform resilience
Meet contractual, legal, and regulatory obligations
Foster a culture of security awareness across the organisation
2. Scope
This policy applies to:
All Shaping Tomorrow employees, contractors, and authorised third parties
All information assets, including customer data, intellectual property, platform data, and internal documentation
All systems supporting the Shaping Tomorrow platform, including cloud infrastructure, applications, endpoints, and networks
3. Information Security Governance (ISO 27001 Clause 5)
3.1 Leadership & Accountability
Overall responsibility for information security rests with senior management
Day‑to‑day responsibility is delegated to a nominated Information Security Lead
Information security risks are reviewed as part of management decision‑making
3.2 Policies & Framework
Shaping Tomorrow maintains a documented information security framework aligned to ISO 27001, including:
This Information Security Policy
Supporting procedures for access control, incident management, business continuity, and data protection
Regular review and improvement of controls based on risk
4. Risk Management (ISO 27001 Clause 6)
4.1 Risk Assessment
Information security risks are identified, assessed, and prioritised at least annually or following significant change
Risks are evaluated based on likelihood and impact to confidentiality, integrity, and availability
4.2 Risk Treatment
Risks are mitigated through technical, organisational, and contractual controls
Risk acceptance decisions are documented where appropriate
5. Asset Management (ISO 27001 Annex A)
Information assets are identified and classified according to sensitivity
Customer data is treated as confidential by default
Asset ownership and responsibility are clearly defined
Secure disposal processes are in place for data and equipment
6. Access Control
Access to systems and data is granted on a least‑privilege and need‑to‑know basis
Role‑based access controls are implemented
Strong authentication is enforced (including multi‑factor authentication where supported)
User access is reviewed periodically and promptly revoked upon role change or termination
7. Cryptography & Data Protection
Data in transit is protected using industry‑standard encryption (e.g. TLS)
Sensitive data at rest is encrypted where appropriate
Encryption keys are securely managed
Passwords are never stored in plain text
8. Physical & Environmental Security
Shaping Tomorrow primarily operates using secure cloud infrastructure hosted by reputable providers
Data centres are protected by provider‑managed physical security controls, including access restrictions, monitoring, and redundancy
Office and remote working practices require secure handling of devices and information
9. Operations Security
Systems are monitored for availability and security events
Logging and audit trails are enabled for key systems
Changes to production systems follow controlled change management practices
Vulnerability management includes regular patching and dependency updates
10. Supplier & Third‑Party Security
Third‑party providers are assessed for security and reliability prior to engagement
Cloud and software providers are selected based on recognised security standards (e.g. ISO 27001, SOC 2)
Data processing agreements are used where appropriate
Supplier access to data is restricted and monitored
11. Incident Management
A documented Information Security Incident Response Process is in place
Security incidents are identified, logged, investigated, and resolved promptly
Customers are notified of material incidents affecting their data in line with contractual and legal obligations
Lessons learned are used to improve controls
12. Business Continuity & Availability
The Shaping Tomorrow platform is designed for high availability and resilience
Regular backups are performed and tested
Disaster recovery arrangements are in place through cloud provider redundancy
Business continuity risks are reviewed periodically
13. Compliance & Data Protection
Shaping Tomorrow complies with applicable data protection laws, including GDPR
Personal data is processed lawfully, transparently, and for defined purposes
Data minimisation and retention principles are applied
Customers retain ownership of their data
14. Awareness & Training
All team members are required to understand and comply with this policy
Security awareness is reinforced through onboarding and periodic updates
Staff are encouraged to report security concerns without fear of reprisal
15. Monitoring, Audit & Continuous Improvement (ISO 27001 Clause 9–10)
Information security controls are reviewed regularly
Internal reviews assess effectiveness and identify improvement opportunities
Policies and procedures are updated in response to new risks, incidents, or business changes
16. Statement of Alignment with ISO/IEC 27001
While Shaping Tomorrow is not currently ISO/IEC 27001 certified, we:
Operate an information security management framework aligned to ISO 27001 principles
Apply controls consistent with ISO 27001 Annex A
Maintain documented policies, risk assessments, and operational procedures
Are committed to continuous improvement of our security posture
This document, alongside supporting procedures and evidence, is provided to demonstrate our approach to information security and our commitment to protecting customer data.
Document Owner: Edward Chanter, Information Security Lead
Review Frequency: Annually or upon significant change
Last Review: 1 December 2025