BFBS Organisational Information Security Policy

Purpose

The purpose of this document is to demonstrate the commitment of the BFBS management board to information security and to provide the overarching policy statement with which all subordinate policies and controls must comply.

Policy

BFBS, governed by its Trustees and management, is headquartered at Chalfont Grove, Narcot Lane, Chalfont St Peter, Buckinghamshire, SL9 8TN, United Kingdom, and operates primarily in the business of radio and TV for Britain's Armed Forces and their families around the world. Broadcasting under the BFBS and Forces TV brands, its mission is to entertain, inform, connect and champion the armed forces, their families and veterans.

We are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information and information-related assets to meet the purpose and goals of the organisation as summarised in our information security management system (ISMS).

The applicable requirements related to information security will continue to be aligned with the organisation’s business goals and will take into account the internal and external issues affecting the organisation and the requirements of interested parties.

Our ISMS objectives are outlined and measured in accordance with the requirements of the ISO/IEC 27001:2017 standard.

The ISMS is intended as a mechanism for managing information security related risks and improving the organisation to help deliver its overall purpose and goals.

Our ISMS environment includes our approach to risk management and provides the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS.

The approach taken towards risk assessment and management, the Statement of Applicability (SoA) and the wider requirements set out for meeting the ISO/IEC 27001:2017 standard identify how information security and related risks are addressed.

The ISMS Board is responsible for the overall management and maintenance of the risk treatment plan, with specific risk management activities tasked to the appropriate owners within the organisation. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks, for example during special projects that are completed within the context of the ISMS.

Control objectives for each of these areas are supported by specific documented policies and procedures and they align with the comprehensive controls listed in Annex A of the ISO/IEC 27001:2017 standard.

All BFBS employees, contractors, suppliers and relevant interested parties associated with the ISMS have to comply with this policy. Appropriate documentation, training and materials to support the ISMS are available to those within the scope of the ISMS, and communication forums are available to ensure engagement on an ongoing basis.

The ISMS is subject to review and improvement by the ISMS Board (the Cyber Security Steering Group, ‘CSSG’), which is chaired by the Chief Information Security Officer (CISO) and has ongoing senior representation from appropriate parts of the organisation. Other executives and specialists needed to support the ISMS framework and to periodically review the information security policies and broader ISMS activities are invited to ISMS Board meetings or to separate review meetings to complete the relevant work as required, all of which is documented in accordance with the standard.

We are committed to achieving and maintaining certification of the ISMS to the ISO/IEC 27001:2017 standard along with other relevant accreditations against which our organisation has sought certification such as ISO 9001:2015 (Quality Management System) and the UK Cyber Essentials Plus certification.

This policy will be reviewed regularly to respond to any changes to the business, its risk assessment or risk treatment plan, and at least annually.

Policy Statement

In this policy and the related set of policies contained within our ISMS environment, “Information Security” is defined as:

Preserving the confidentiality, integrity and availability of information and other relevant assets of our organisation

preserving

This means that all relevant interested parties have, and will be made aware of, their responsibilities that are defined in their job descriptions or contracts to act in accordance with the requirements of the ISMS. The consequences of not doing so are described in the code of conduct and relevant contractual agreements.

the confidentiality

This involves ensuring that information is only accessible to those authorised to access it and preventing both deliberate and accidental unauthorised access to the organisation’s and relevant interested parties’ information, proprietary knowledge, assets and other systems in scope.

integrity

This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing the deliberate or accidental, partial or complete, destruction or unauthorised modification of either physical assets or electronic data.

and availability

This means that information and associated assets should be accessible to and usable by authorised users when required. The information processing facilities should be resilient, and the organisation should be able to detect and respond rapidly to security incidents or events that threaten the continued availability of assets, systems and information.

of information and other relevant assets

Information includes information that is stored electronically, printed or written on paper, transmitted by any means, or spoken in conversation. Assets include all information-processing devices owned by the organisation, and those of relevant interested parties in scope that process the organisation’s information.

of our organisation

The organisation and the relevant interested parties that are within the scope of the ISMS have signed up to our information security policy and agreed to adhere to our ISMS.

Document Owner and Approval

The CEO is the owner of this policy and is responsible for ensuring that this policy is reviewed in line with the requirements set out in ISO/IEC 27001:2017.

Version 1.6