Information Security Policy

Master policy of CompleteFlow's Information Security Management System, setting out the governance framework under which all subordinate policies, plans, and operational controls operate.

Document: CF-POL-001
Version: 1.0
Classification: External / Customer-shareable
Last reviewed: 2026-02-27
Owner: Director and Information Security Officer, CompleteFlow Ltd
Next review: 2027-02-27

1. Purpose

This Information Security Policy ("ISP") sets out CompleteFlow Ltd's commitment to the protection of information assets entrusted to it by customers, employees, contractors, and partners. It is the master policy of CompleteFlow's Information Security Management System (ISMS) and provides the governance framework under which all subordinate policies, plans, and operational controls operate.

The ISP is aligned with the controls described in ISO/IEC 27001:2022 Annex A.

2. Scope

This policy applies to:

  • All CompleteFlow Ltd information assets, in any form (electronic, physical, verbal)
  • All CompleteFlow customer data processed by CompleteFlow under any contractual arrangement
  • All CompleteFlow employees, directors, and contractors (collectively "personnel")
  • All sub-processors engaged by CompleteFlow to deliver services to customers (as listed in the Architecture and Security Overview, Section 9)
  • All systems, devices, networks, and services used to process CompleteFlow customer data, including those operated by sub-processors and cloud providers within CompleteFlow's defined data perimeter
  • All locations from which personnel access CompleteFlow customer data, including offices, home working environments, and travel locations

3. Policy statement

CompleteFlow Ltd is committed to:

  • Protecting the confidentiality, integrity, and availability of all information assets entrusted to it, in accordance with the sensitivity of the data and the contractual commitments made to customers
  • Complying with applicable laws and regulations, including the UK General Data Protection Regulation, the Data Protection Act 2018, and the Computer Misuse Act 1990
  • Honouring contractual security commitments made to customers, including those set out in Master Services Agreements, Data Processing Agreements, and the Architecture and Security Overview
  • Operating an Information Security Management System aligned with ISO/IEC 27001:2022, with a defined path to certification
  • Continuous improvement of security controls, policies, and practices in response to changes in threat landscape, technology, business needs, and regulatory requirements
  • Transparency with customers regarding security posture, incidents, sub-processor relationships, and changes to controls

CompleteFlow does not regard information security as a compliance exercise. It is treated as a foundational requirement for operating in the regulated sectors that CompleteFlow serves, and a precondition for customer trust.

4. Roles and responsibilities

4.1 Director and Information Security Officer

The role of Director and Information Security Officer is held by a named member of the CompleteFlow board. The role carries overall accountability for:

  • Approval of this ISP and all subordinate policies
  • Approval of the risk management framework and acceptance of residual risk
  • Approval of the sub-processor list and any additions or changes
  • Authorisation of access to customer data
  • Final accountability for incident response and customer notification
  • Resourcing of the information security programme

4.2 Privacy Contact

The Director and Information Security Officer also acts as CompleteFlow's named Privacy Contact for the purposes of UK GDPR and customer enquiries. The Privacy Contact handles:

  • Data subject rights requests
  • Customer enquiries regarding data protection and privacy
  • Liaison with the UK Information Commissioner's Office
  • Privacy impact assessments

4.3 Statutory Data Protection Officer

CompleteFlow has assessed the requirement for a statutory Data Protection Officer under Article 37 of the UK GDPR. Based on current scale and processing activities, CompleteFlow is not legally required to appoint a statutory DPO. CompleteFlow will reassess this requirement upon any of the following triggers:

  • Aggregate processing exceeds 5,000 data subjects across all customer deployments
  • Onboarding of any customer whose contract requires a named statutory DPO
  • Material change to processing activities introducing systematic monitoring or large-scale processing of special category data
  • Any guidance from the ICO indicating that statutory appointment is required

Until such a trigger applies, the Privacy Contact role described in Section 4.2 fulfils the equivalent operational function.

4.4 All personnel

Every individual covered by the scope of this policy is responsible for:

  • Reading, understanding, and complying with this ISP and the subordinate policies relevant to their role
  • Completing required information security training (see Section 7)
  • Reporting suspected security incidents promptly in accordance with the Incident Response Plan
  • Using CompleteFlow-issued devices and accounts for any work involving CompleteFlow customer data
  • Protecting credentials, devices, and physical access materials in their possession
  • Raising concerns regarding security practices, controls, or potential weaknesses without fear of reprisal

4.5 Sub-processors

Sub-processors engaged by CompleteFlow are responsible for compliance with the contractual security and data protection commitments flowed down from CompleteFlow's customer agreements. Sub-processor obligations are documented in sub-processor agreements and reviewed annually or upon material change.

5. Information security framework

This ISP sits at the top of a documented framework of subordinate policies, plans, and operational documents. The framework comprises:

5.1 Subordinate policies

  • CF-POL-002 Data Protection Policy: UK GDPR compliance, lawful basis, data subject rights, data transfers
  • CF-POL-003 Access Control Policy: authentication, authorisation, password standards, RBAC, privileged access, joiner/mover/leaver
  • CF-POL-004 Acceptable Use Policy: acceptable use of devices, accounts, networks, and AI tools
  • CF-POL-006 Data Retention and Disposal Policy: retention periods, secure deletion, customer data return on termination
  • CF-POL-007 Supplier Management Policy: sub-processor selection, onboarding, monitoring, and offboarding
  • CF-POL-008 AI Governance and Acceptable Use Policy: AI model selection, data handling, human oversight, prevention of data leakage

5.2 Operational plans

  • CF-PLAN-001 Incident Response Plan: incident classification, response procedures, customer notification, post-incident review
  • CF-PLAN-002 Business Continuity and Disaster Recovery Plan: backup posture, failover procedures, and testing schedule. Recovery objectives are agreed per customer SLA.

5.3 Reference documents

  • CF-DOC-001 Architecture and Security Overview: technical architecture, controls, sub-processors, certifications, cryptographic standards and key management
  • CF-REG-001 Risk Register: current identified risks with owners, treatments, and review dates

6. Risk management

CompleteFlow operates a risk-based approach to information security. The risk management framework comprises:

  • Risk identification: risks are identified through architecture review, customer due diligence questionnaires, incident analysis, supplier reviews, and external threat intelligence
  • Risk assessment: identified risks are assessed for likelihood and impact on a 3×3 qualitative scale (Low / Medium / High each), with reference to the sensitivity of data assets at risk and the contractual obligations potentially affected
  • Risk treatment: treatment options include mitigation (additional controls), transfer (insurance, contractual), avoidance (process change), or acceptance (with documented justification)
  • Risk register: all identified risks are recorded in CompleteFlow's risk register (CF-REG-001), with assigned owners, treatment plans, residual scoring, target scoring, and review dates
  • Risk review: the risk register is reviewed at minimum quarterly by the Information Security Officer, and at any material change to the business, threat environment, or customer base

Medium and High residual risks require explicit acceptance by the Director and Information Security Officer, who is responsible for all residual risk acceptance.

7. People security (training, background checks, and lifecycle)

7.1 Induction

All new personnel receive information security induction before being granted access to CompleteFlow customer data. Induction covers:

  • This ISP and the subordinate policies relevant to the individual's role
  • Acceptable use of CompleteFlow systems, devices, and accounts
  • Recognition and reporting of security incidents
  • Phishing and social engineering awareness
  • Data protection responsibilities under UK GDPR
  • Specific responsibilities relating to AI tools and customer data

7.2 Ongoing training

All personnel complete annual refresher training covering current threats, policy updates, and lessons from any incidents. Additional training is delivered following any material policy change or significant incident.

7.3 Training records

Records of induction and ongoing training are maintained for each individual, including dates of completion and topics covered. Records are retained for the duration of the engagement plus three years.

7.4 Effectiveness measurement

Training effectiveness is measured through:

  • A knowledge-check assessment within the induction programme, with a minimum pass threshold required before access to customer data is granted
  • Periodic phishing simulation exercises to validate recognition and reporting behaviour; results inform targeted refresher training
  • An interview with the Information Security Officer at induction and at each annual refresher, covering role-specific responsibilities (customer data handling, acceptable use of AI tools, incident reporting, access controls), recorded alongside the training record
  • Incident root-cause analysis that considers training gaps as contributory factors and feeds back into the programme

7.5 Background checks

All personnel (including directors, employees, and sub-processor personnel working on CompleteFlow customer data) are subject to pre-engagement screening equivalent to the Baseline Personnel Security Standard (BPSS) used by UK government suppliers:

  • Identity verification (right-to-work documentation and government-issued photo ID)
  • Employment history verification (minimum three years, gaps explained)
  • Unspent criminal record check (Basic DBS or Disclosure Scotland as appropriate)
  • Professional references (minimum two, contacted directly)
  • Financial probity declaration for roles with financial or administrative access

Enhanced checks (enhanced DBS or SC clearance) are available on customer request.

Screening is completed before access to customer data is granted. No personnel access customer data on the basis of pending screening.

Rescreening is conducted every three years for all personnel with continuing access to customer data (refresh of unspent criminal record check, confirmation of continued right to work, refresh of financial probity declaration where applicable). Personnel are contractually required to notify CompleteFlow of any material change (criminal charge or conviction) that would have affected initial screening; failure to notify is grounds for termination and access revocation.

7.6 Onboarding, mover, and leaver process

Access provisioning, internal role changes, and access revocation on departure are governed by the Access Control Policy (CF-POL-003). On departure, all access is revoked on the final day of engagement, devices returned or wiped, and credentials rotated where the departing individual had knowledge of shared secrets.

8. Compliance

8.1 Legal and regulatory compliance

CompleteFlow complies with all applicable UK laws and regulations relating to information security and data protection, including:

  • UK General Data Protection Regulation
  • Data Protection Act 2018
  • Computer Misuse Act 1990
  • Privacy and Electronic Communications Regulations 2003
  • Network and Information Systems Regulations 2018 (where applicable)

Where customers operate in regulated sectors with additional sectoral requirements (for example, the Solicitors Regulation Authority Code of Conduct for legal sector clients, or Financial Conduct Authority requirements for financial services clients), CompleteFlow's services are configured to support customer compliance with those requirements as documented in the relevant Master Services Agreement.

8.2 Contractual compliance

CompleteFlow honours the security and data protection commitments made in customer contracts. Where a customer contract imposes more stringent requirements than this ISP, the customer-specific commitments apply.

8.3 Standards alignment

CompleteFlow's controls are aligned with ISO/IEC 27001:2022 Annex A. Formal certification is in active preparation; refer to the Architecture and Security Overview, Section 12, for current status.

9. Incident management

CompleteFlow maintains an Incident Response Plan (CF-PLAN-001) covering identification, containment, investigation, eradication, recovery, and post-incident review of information security incidents. At policy level:

  • All personnel are responsible for promptly reporting suspected incidents via the channels documented in the Incident Response Plan
  • The Information Security Officer holds final accountability for incident response decisions
  • Customer notification timelines and content are governed by the contractual commitments documented in the relevant Master Services Agreement and Data Processing Agreement, and by UK GDPR Article 33 obligations
  • All incidents are recorded, regardless of severity, and contribute to the continuous improvement of controls

10. Compliance monitoring and audit

10.1 Internal review

Compliance with this ISP and subordinate policies is reviewed at minimum annually by the Information Security Officer. Reviews assess:

  • Whether documented controls are operating as designed
  • Whether incidents have revealed control gaps
  • Whether changes to the business, technology, or threat landscape require policy updates
  • Customer feedback from due diligence, audits, and questionnaires

10.2 External audit

External audit takes the following forms:

  • Cyber Essentials Plus assessment: conducted by an IASME-accredited assessor on a defined cadence (refer to Architecture and Security Overview, Section 12)
  • ISO/IEC 27001 certification audit: Stage 1 and Stage 2 audits with a UKAS-accredited certification body, on a path to formal certification (refer to Architecture and Security Overview, Section 12)
  • Customer audits: customers retain audit rights as defined in their Master Services Agreement

11. Disciplinary measures

Breach of this ISP or any subordinate policy may result in:

  • For employees: disciplinary action up to and including termination of employment, in accordance with CompleteFlow's disciplinary procedures
  • For contractors and sub-processor personnel: termination of the contractual arrangement and removal of access
  • For any individual: referral to law enforcement or regulatory bodies where the breach involves a criminal offence or a breach reportable to the ICO

12. Policy review and maintenance

This policy is reviewed annually by the Information Security Officer. Interim review is triggered by:

  • Material change to CompleteFlow's services, architecture, or sub-processor list
  • New or changed legal or regulatory requirements
  • Significant security incidents indicating a control or policy gap
  • Customer feedback identifying policy weaknesses
  • Findings from internal or external audit

All changes are version-controlled and approved by the Director and Information Security Officer. Material changes are communicated to customers in advance of taking effect.

13. Document control

Version   Date         Author       Change
1.0       2026-04-24   J. Griffin   Initial approved version

This policy is approved by the Director and Information Security Officer of CompleteFlow Ltd and takes effect from the date of approval.