Incident Management Policy

1. Purpose 

This Incident Management Policy – External Summary provides a high‑level overview of how Phonovation Limited identifies, manages, and learns from information‑security incidents. It is intended to support customer, partner, and regulatory due‑diligence activities by describing the principles and governance underpinning incident response. 

This document does not disclose internal escalation paths, contact details, technical procedures, or sensitive operational information. Detailed incident‑response procedures, records, and evidence are maintained internally as part of Phonovation Limited’s Information Security Management System (ISMS). 

 

2. Scope 

This policy applies to information‑security incidents that may affect: 

  • Customer and partner information 

  • Personal data processed on behalf of customers 

  • Systems, services, and infrastructure supporting service delivery 

  • Business operations within the scope of the ISMS 

The policy covers incidents involving employees, contractors, and third parties where Phonovation Limited information or systems are involved. 

 

3. Definition of an Information Security Incident 

An information‑security incident is an unwanted or unexpected event, or series of events, that may compromise the confidentiality, integrity, or availability of information or information systems. 

Incidents may arise from accidental, negligent, or malicious actions and may involve technical, physical, or organisational factors. 

 

4. Incident Identification and Reporting (High‑Level) 

Phonovation Limited maintains mechanisms to enable the timely identification and reporting of suspected information‑security incidents and security events. 

Individuals who become aware of a potential incident or security weakness are required to report it promptly through established internal channels. Reporting arrangements are designed to ensure that incidents are assessed and handled without undue delay. 

 

5. Incident Classification 

Reported events are assessed and classified to support an appropriate and proportionate response. Classification considers factors such as:

  • Potential impact on confidentiality, integrity, or availability 

  • Potential impact on customers, partners, or service delivery 

  • Whether personal data or regulated data may be affected 

Incidents are categorised to distinguish between lower‑impact events and incidents requiring escalated response and coordination. 

 

6. Incident Response and Management 

Phonovation Limited applies a structured incident‑management approach designed to: 

  • Contain and mitigate the impact of incidents 

  • Investigate root causes 

  • Restore normal operations as quickly as practicable 

  • Reduce the likelihood of recurrence 

Incident response activities are coordinated in line with the severity and nature of the incident and are aligned with business‑continuity and operational‑resilience arrangements where required. 

 

7. Personal Data Breaches and Regulatory Notification 

Where an incident involves personal data, Phonovation Limited manages the incident in accordance with applicable data‑protection requirements, including the General Data Protection Regulation (GDPR). 

This includes: 

  • Assessing the risk to individuals’ rights and freedoms 

  • Notifying relevant supervisory authorities where required 

  • Supporting customer and partner notification obligations where Phonovation Limited acts as a data processor 

Regulatory and contractual notification activities are performed within applicable timeframes. 

 

8. Communication and Stakeholder Management 

Incident‑related communications are managed in a controlled and appropriate manner to ensure that: 

  • Relevant stakeholders are informed as required 

  • Communications are accurate, timely, and consistent 

  • Legal, regulatory, and contractual obligations are respected 

Detailed communication plans and contact details are maintained internally. 

 

9. Learning and Continual Improvement 

Phonovation Limited adopts a learning‑focused approach to incident management. Following the resolution of incidents: 

  • Root causes and contributing factors are reviewed 

  • Opportunities to strengthen controls and processes are identified 

  • Lessons learned are incorporated into security, operational, and resilience improvements 

This approach supports the continual improvement of the ISMS and incident‑response capability. 

 

10. Governance and Oversight 

Incident management is supported by defined roles and responsibilities within Phonovation Limited. Senior management provides oversight to ensure that incidents are managed effectively and that appropriate corrective actions are implemented. 

Incident trends and improvement actions are reviewed as part of the organisation’s broader information‑security governance and risk‑management activities. 

 

11. Policy Review 

This Incident Management Policy – External Summary is reviewed periodically to ensure it remains appropriate and aligned with:

  • Changes in business operations or services 

  • Evolving threat and risk landscapes 

  • Applicable legal, regulatory, and contractual requirements 

Detailed internal incident‑management procedures, logs, and evidence are maintained and made available to authorised parties under appropriate confidentiality arrangements.