The confidentiality, integrity and availability of information, in all its forms, is critical to the effective operation and governance of EIP (the firm). Failure to protect the firm’s information, including client information, increases the risk of financial and reputational loss from which it may be difficult to recover.
This information security policy outlines the firm’s approach to managing information security and describes the guiding principles and responsibilities necessary to safeguard and protect the firm’s information and its information systems.
EIP is committed to the implementation of a robust Information Security Management System (ISMS) that has been designed to protect the confidentiality, integrity and availability of its information.
It is the express policy of the firm to protect the information assets of the firm and its clients from unauthorised or accidental disclosure, modification, denial of access, misuse and loss. This will require the firm to implement a strong security culture and ensure appropriate behaviours.
The key to effective information security is a positive attitude and proactive approach by every individual. All employees have a duty of care to ensure that information that they have access to and are responsible for is appropriately protected.
All employees, and as appropriate contractors and suppliers working on behalf of the firm, shall comply with all legal, regulatory and contractual requirements.
All employees, and as appropriate contractors, are required to comply with all information security policies and procedures as documented and published by the firm.
The firm is committed to continually improve the effectiveness of its Information Security Management System (ISMS), by conducting regular audits and performance reviews of measurable security objectives to ensure compliance and drive security improvements.
The policy objectives are to:
1. Maintain ISO/IEC 27001 certification by a UKAS accredited certifying organisation: Our objective is to ensure that our Information Security Management System (ISMS) remains compliant with the ISO/IEC 27001:2022 standard.
2. Manage and mitigate security risks: To effectively manage and reduce the security risks related to the theft, loss, misuse, damage, or abuse of the firm's information and its supporting information systems.
3. User awareness: Ensure all users are aware of and understand their responsibilities to protect the firm’s information.
4. Regulatory compliance: Ensure that users are aware of and comply with all current and relevant national (UK, DE, SE, US) legislation and industry regulation.
5. Protect EIP from liability or damage through the misuse of its IT systems: Implementing measures to prevent any misuse of IT systems that could lead to legal or financial repercussions for EIP.
6. Protection of confidential information: Protect client data and other confidential information provided by suppliers at a level of security commensurate with its classification, including upholding any contractual security requirements.
7. Continually improve the ISMS: Continually improve the ISMS by learning from security incidents, the results of internal audits, changes to the threat environment and technological innovation.
This policy is applicable to all Executive Members, partners, employees and third parties who have access to the firm’s information and the information systems used to store and process it. These systems include, but are not limited to, the IT network and system infrastructure, cloud services, document management system, backup systems, media (electronic and paper) and end user devices including laptops, workstations and mobile phones.
The firm’s Information Security Policy is supported by specific policies. If clients or suppliers wish to request copies of any of these policies, they should in the first instance contact the Information Security team at infosec@eip.com.