Information Security Policy – External Summary

1. Purpose 

This Information Security Policy – External Summary provides a high‑level overview of Phonovation Limited’s approach to information security and is aligned with the current Internal Information Security Policy. It is intended to support customer, partner, and regulatory due‑diligence activities by describing the principles, objectives, and governance arrangements that underpin the protection of information assets.

This document does not disclose internal operational procedures, technical configurations, or sensitive security details. Detailed standards, procedures, and evidence are maintained internally as part of Phonovation Limited’s Information Security Management System (ISMS).

2. Scope 

This policy applies to information processed, stored, or transmitted by Phonovation Limited within the scope of its ISMS, including: 

  • Customer and partner information 

  • Personal data processed on behalf of customers 

  • Operational, technical, and business information supporting service delivery 

The policy applies across relevant systems, services, personnel, and third‑party relationships involved in the delivery and support of Phonovation Limited’s services.

3. Information Security Principles 

Phonovation Limited’s information security framework is based on the following core principles: 

  • Confidentiality: Information is accessible only to authorised individuals and systems. 

  • Integrity: Information is accurate, complete, and protected from unauthorised modification. 

  • Availability: Information and services are accessible when required for business and customer needs. 

These principles guide the design, implementation, and operation of security controls across the organisation.

4. Information Security Objectives 

Phonovation Limited has established information security objectives that support its business strategy and customer commitments. These objectives include: 

  • Protecting information assets against unauthorised access, loss, or misuse 

  • Ensuring compliance with applicable legal, regulatory, and contractual requirements 

  • Reducing the likelihood and impact of information security incidents 

  • Supporting customer trust and confidence through effective security governance 

Progress against these objectives is measured and reviewed as part of the ISMS continual‑improvement process.

5. Legal, Regulatory, and Contractual Compliance 

Phonovation Limited is committed to complying with applicable information security and data‑protection obligations, including: 

  • The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679)

  • Relevant national data‑protection and communications legislation 

  • Contractual security and confidentiality requirements agreed with customers and partners 

The organisation maintains documented records of applicable obligations and ensures that information security controls are designed and operated to meet these requirements.

6. Information Security Controls (High‑Level) 

Information security controls are selected and implemented using a risk‑based approach aligned with ISO/IEC 27001. Controls are designed to: 

  • Prevent unauthorised access to systems and data 

  • Detect and respond to security events and incidents 

  • Protect data during storage, processing, and transmission 

  • Support secure operations across people, processes, and technology 

The specific design and operation of controls are documented internally and reviewed periodically to ensure ongoing effectiveness.

7. Business Continuity and Operational Resilience 

Phonovation Limited recognises the importance of service availability and operational resilience. Business continuity and disaster‑recovery arrangements are established to: 

  • Support the continued delivery of critical services 

  • Reduce the impact of disruptive incidents 

  • Enable timely recovery following incidents affecting systems or operations 

These arrangements are reviewed and tested on a periodic basis to ensure they remain appropriate to the organisation’s risk profile and service commitments.

8. Incident Management 

Phonovation Limited maintains an incident‑management framework to ensure that information security incidents are: 

  • Identified and assessed in a timely manner 

  • Managed and contained to minimise impact 

  • Investigated to determine root cause and required corrective actions 

  • Communicated appropriately in line with legal, regulatory, and contractual obligations 

Where personal data is involved, incident response activities are aligned with the GDPR breach‑notification requirements (Articles 33 and 34). For personal data processed on behalf of customers, these requirements oblige the processor to notify the customer, as data controller, without undue delay after becoming aware of a personal data breach (Article 33(2)), so that the customer can meet its own supervisory‑authority and data‑subject notification duties.

9. Third‑Party and Supply‑Chain Security 

Phonovation Limited relies on selected third‑party providers to support service delivery. Third‑party security is managed through: 

  • Risk‑based assessment during onboarding 

  • Contractual security and confidentiality requirements 

  • Ongoing oversight of third‑party performance and compliance 

Third‑party arrangements are designed to ensure that information security and data‑protection obligations are maintained throughout the supply chain.

10. AI and Emerging Technology Governance 

Where artificial‑intelligence or automated systems are used, Phonovation Limited applies governance measures to ensure: 

  • Appropriate risk assessment and classification 

  • Transparency and accountability in system use 

  • Alignment with applicable regulatory requirements, including the EU AI Act (Regulation (EU) 2024/1689)

  • Consistency with data‑protection principles 

AI and emerging‑technology use is reviewed to ensure continued compliance and responsible deployment.

11. Data Protection by Design and by Default 

Phonovation Limited embeds data‑protection principles into the design and operation of systems and services. This includes: 

  • Limiting data collection to what is necessary for defined purposes 

  • Applying appropriate technical and organisational safeguards 

  • Considering privacy and security risks during system changes and new initiatives 

Where required, data protection impact assessments (DPIAs, GDPR Article 35) or other privacy risk assessments are performed to support lawful and secure data processing.

12. Governance and Continual Improvement 

Information security governance is supported by defined roles and responsibilities within Phonovation Limited. Senior management provides oversight and resources to ensure the ISMS remains effective and aligned with business objectives. 

The ISMS operates as a continual‑improvement framework. Security performance, risks, incidents, and improvement opportunities are reviewed periodically, and changes are planned and implemented in a controlled manner.

13. Policy Review 

This Information Security Policy – External Summary is reviewed periodically to ensure it remains appropriate, accurate, and aligned with: 

  • Changes in business operations 

  • Evolving threat landscapes 

  • Applicable legal and regulatory requirements 

Detailed internal policies, procedures, and evidence are maintained and made available to authorised parties under appropriate confidentiality arrangements.