We have determined the resource requirements relevant to our ISMS & PIMS. We have adequate internal and external resources in place to meet our needs and ensure that relevant staff and partners are competent for their particular roles. Where required, additional training will be provided to fulfill any particular information security or data protection requirement. A Data Protection Officer has been established to promote data protection and awareness.

As well as being competent in the roles assigned, we also ensure that our internal and external resources are made aware of the information security and data protection policies, the objectives outlined in them, the contribution required for an effective ISMS and PIMS and the implications of not conforming to ISMS & PIMS requirements.


Communicating effectively and timely is critical to ensuring we meet our legislative and customer requirements. Breach reporting and subject access requests require timely communication, where not doing so could lead to action from the ICO and possible fines and penalties.

We have established our documented information needs for our ISMS & PIMS and have established a process for controlling it. Documented information shall be registered on the internal document library. Dates and issue numbers will identify the particular status of the documented information and the format that it takes.

Both internal and external documented information will be referenced, where control may reside elsewhere. The format of the documented information shall be defined as either paper form, electronic or both.

Creating and updating of company information will be strictly controlled to maintain a corporate image. Common footers, text and graphics shall be used and documented information will be identifiable through a title and description. Issue numbers, software versions shall be used to recognise the status of the information and regular audits will take place to test the effectiveness of the process.

Where records are retained their retention and disposal means will be defined. This will be recorded on the documented information library and for time critical documents in the data asset register.