Cyber Security Policy (Public)

Version: v1.0
Dated: 7 Nov 2025

1. Statement of intent

SpotDev Services Ltd (“SpotDev”, “we”, “our”) is committed to safeguarding the confidentiality, integrity, and availability of information that we create, process, or hold on behalf of ourselves and our clients. We operate a risk-based information security management approach aligned to ISO/IEC 27001:2022 and Cyber Essentials Plus.

We are not yet certified to ISO 27001 or Cyber Essentials Plus. We are currently undergoing assessments and anticipate:

  1. Cyber Essentials Plus certification by 31 Dec 2025.
  2. ISO/IEC 27001:2022 certification by 31 Mar 2026.

2. Scope

  • All employees, directors, temporary staff, contractors, and third parties with access to SpotDev information or systems.
  • All information processed by SpotDev in any form, including client data, personal data, source code, documentation, and operational records.
  • All systems, devices, networks, and cloud services used for SpotDev business, including but not limited to HubSpot, Microsoft 365 (SharePoint, OneDrive, Teams, Exchange), ClickUp, developer tooling, CI/CD, and hosting providers.

Where a client contractually requires stricter controls than those set out here, the client's requirements take precedence for that engagement.

3. Governance and responsibilities

Executive accountability

  • The Chief Executive is accountable for information security and chairs security reviews.
  • The Systems Administrator (or the Chief Operating Officer in the Systems Administrator's absence) is responsible for day-to-day operation of the ISMS, risk management, and incident response coordination.
  • The Data Protection Officer (DPO) role is fulfilled internally or via an external advisor, as appropriate, to oversee UK GDPR and Data Protection Act 2018 compliance.

Line responsibilities

  • Managers ensure their teams follow policy and complete mandatory training.
  • All personnel must protect information, follow procedures, and report incidents promptly.

4. Risk management

We identify, assess, and treat information security risks using a documented risk register and treatment plan, aligned to ISO 27001.

Risk treatment options

  1. Avoidance
  2. Mitigation via controls
  3. Transfer (e.g., insurance)
  4. Acceptance by the risk owner

Risks are reviewed at least quarterly or upon significant change.

5. Asset management

  • Maintain an asset inventory of information, applications, devices, accounts, and suppliers, with ownership and data classification.
  • Apply data classification (Public, Internal, Confidential, Restricted) and handle data accordingly.
  • Ensure secure onboarding and offboarding of users: assets are returned or securely deleted, and access is revoked within one business day of a leaver's departure or a role change that no longer requires it.

6. Access control & identity security

  • Enforce least privilege and need-to-know access based on roles.
  • Use unique, individually attributable accounts managed centrally in Microsoft Entra ID; enforce MFA on all cloud platforms and use SSO where practicable.
  • Review privileged access at least quarterly and after role changes.
  • Enforce session timeouts, device lock, and automatic logoff for inactivity.
  • Prohibit shared credentials; use audited secrets management for service accounts and keys.

7. Cryptography & data protection

  • Use industry-standard encryption for data in transit (TLS 1.2+) and at rest (BitLocker/FileVault on endpoints).
  • Manage cryptographic keys securely and rotate them based on risk.
  • Back up critical data to encrypted, access-controlled locations; test restores at least twice per year.
  • Apply data minimisation, purpose limitation, and retention schedules, with secure disposal (e.g., cryptographic erasure for cloud resources).

8. Device & endpoint security

  • Company-managed devices only; register in device management (Intune) and enforce baseline configuration (disk encryption, firewall, endpoint protection, screen lock ≤10 minutes, OS/browser auto-update).
  • Prohibit unapproved USB storage; allow approved hardware keys for MFA.
  • Separate admin and user roles on endpoints; no local admin by default.
  • For BYOD, require MAM/MDM controls and conditional access; restrict data copy/paste and download where feasible.

9. Network & cloud security

  • Enforce Zero Trust principles for remote access; no implicit trust based on network location.
  • Restrict administrative interfaces to allow-listed IP ranges and require MFA for all administrative access.
  • Use secure configurations and infrastructure-as-code with code review for cloud resources.
  • Segment environments (production / staging / development) and segregate client data by tenant or project.
  • Maintain WAF, DDoS protection, and logging/monitoring appropriate to system criticality.
  • Store secrets in a dedicated secrets manager; never commit secrets to source control.

10. Secure development lifecycle (SDLC)

  • Define security requirements and threat models for projects handling client or personal data.
  • Mandate peer code review and automated checks.
  • Protect branches with mandatory reviews and CI checks; require signed commits for privileged repos.
  • Maintain separate environments; prohibit direct changes in production; use CI/CD with approvals.
  • Triage and remediate vulnerabilities within severity-based SLAs:
    1. Critical: 24 hours
    2. High: 5 days
    3. Medium: 30 days
    4. Low: 90 days
    unless a compensating control is documented and approved under Section 19.
  • Conduct security testing proportionate to risk (e.g., penetration testing before go-live of high-risk systems and at least annually thereafter).

11. Supplier & sub-processor management

  • Perform due diligence on suppliers handling SpotDev or client data (security questionnaire, certifications, penetration test summaries where appropriate).
  • Define data protection and security obligations contractually, including breach notification, right to audit, and deletion/return of data upon termination.
  • Maintain a register of sub-processors for client projects and notify clients as contractually required.
  • Review key suppliers at least annually.

12. Security awareness & training

  • All personnel complete induction training and annual refresher covering phishing, data handling, incident reporting, secure development (for developers), and privacy principles.
  • Conduct periodic phishing simulations and targeted training for at-risk groups.
  • Enforce disciplinary processes for repeated non-compliance.

13. Logging, monitoring & vulnerability management

  • Enable security logging for identity events, administrative actions, data access, and system changes; retain logs for a period appropriate to the system (minimum 90 days to support investigation; longer where contract or law requires).
  • Monitor alerts from cloud/SaaS platforms and endpoint protection; triage and remediate according to severity SLAs.
  • Maintain a patch management process to apply OS, browser, and application updates promptly (security updates within 14 days, or sooner for actively exploited vulnerabilities).
  • Subscribe to threat intelligence and vendor advisories relevant to our stack.

14. Incident response & reporting

  • Maintain an Incident Response Plan defining severity levels, roles, communication channels, and playbooks (credential compromise, phishing, data loss, ransomware, DDoS).
  • Report suspected incidents immediately to security@spotdev.co.uk or via the designated Teams channel/phone escalation.
  • Notify affected clients without undue delay where their data or services are implicated, consistent with contractual terms and legal obligations.
  • For personal data breaches, assess reportability under UK GDPR and, where required, notify the ICO within 72 hours of becoming aware of the breach and affected data subjects without undue delay.
  • Conduct post-incident reviews to capture lessons learned and update controls.

15. Business continuity & disaster recovery

  • Maintain a BCP/DR that prioritises critical services and defines RTOs/RPOs.
  • Test recovery procedures at least annually, including failover of critical workloads where applicable, in addition to the backup restore tests required at least twice per year under Section 7.
  • Ensure supplier contracts support continuity objectives (uptime SLAs, data export).

16. Privacy & data protection (UK)

  • SpotDev complies with the UK GDPR and Data Protection Act 2018.
  • We act as processor or controller depending on engagement terms; roles are defined contractually.
  • We implement data subject rights processes (access, rectification, erasure, restriction, portability, and objection).
  • International transfers are safeguarded by appropriate mechanisms (e.g., the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses).
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
  • Maintain a Record of Processing Activities (RoPA) and appoint a DPO where required.

17. Physical security & secure working

  • SpotDev is a fully remote business.
  • Remote working requires a private, secure environment; do not discuss client matters in public areas.
  • Paper records are minimised; when used, store securely and shred when no longer required.

18. Compliance, audits & metrics

  • Conduct internal audits of the ISMS and control effectiveness at least annually.
  • Perform management reviews at least twice per year.
  • Track key security metrics: phishing fail rate, patch latency, MFA coverage, privileged access count, incident MTTR, backup restore success.
  • Prepare for external assessments for Cyber Essentials Plus and ISO/IEC 27001:2022 per the timetable stated.

19. Exceptions

Any deviation from this policy must be documented with a compensating control, an owner, a planned end date, and approval from the Security Lead and Chief Executive.

20. Enforcement

  • Breaches of this policy may lead to disciplinary action, contract termination, or legal action.
  • SpotDev reserves the right to monitor use of its systems in accordance with applicable law and contracts.

21. Communication & contact

  • This policy is published internally and available to clients on request.
  • General enquiries: security@spotdev.co.uk.
  • Vulnerability disclosure: please email security@spotdev.co.uk with a proof of concept and a proposed disclosure timeline; we take a good-faith, no-penalty approach to researchers who report responsibly.

22. Document control

Field           Value
Document title  SpotDev Cyber Security Policy (Public)
Version         v1.0
Effective date  7 Nov 2025
Next review     10 Jan 2026
Policy owner    Chief Executive (John Kelleher)
Approver        C-Suite
Status          Approved

Appendix A — Alignment to ISO/IEC 27001:2022 Annex A (summary)

  • A.5 Organisational controls: information security policy (this document); roles and responsibilities (Section 3); risk management (Section 4); supplier security (Section 11); project security (Sections 10 & 11); legal and contractual obligations (Sections 11 & 16); SoA maintained separately.
  • A.6 People controls: screening/onboarding/offboarding (Sections 5 & 6); awareness and training (Section 12); disciplinary process (Section 12).
  • A.7 Physical controls: physical security and secure working (Section 17).
  • A.8 Technological controls: access control and identity security (Section 6); cryptography (Section 7); endpoint, network & cloud security (Sections 8 & 9); operations security, logging & monitoring (Section 13); application security/SDLC (Section 10); backup and recovery (Sections 7 & 15); incident management (Section 14).

Appendix B — Cyber Essentials Plus control coverage (summary)

  • Boundary firewalls & internet gateways: Cloud network controls, WAF and DDoS protections where applicable (Section 9).
  • Secure configuration: Baselines for devices and cloud services; configuration management and IaC (Sections 8 & 9).
  • User access control: Unique accounts, MFA, least privilege, joiner-mover-leaver process (Sections 5 & 6).
  • Malware protection: Managed endpoint protection and email/web filtering (Sections 8 & 13).
  • Security update management: Patch SLAs and automated update policies (Section 13).
  • Independent assessment (Cyber Essentials Plus): external technical verification of the controls above, complemented by internal audits and penetration testing (Sections 10, 13 & 18).

Appendix C — Definitions

  • Confidentiality: ensuring information is accessible only to those authorised to have access.
  • Integrity: safeguarding the accuracy and completeness of information and processing methods.
  • Availability: ensuring authorised users have access to information and associated assets when required.