This policy applies to EPIC employees, volunteers, contractors, and all other related parties.
Certification
EPIC is committed to maintaining certification against the Information Security Management Systems (ISMS) standard ISO 27001:2013 across our footprint. We will:
- Ensure this policy is followed by employees, volunteers, contractors and interested parties who have access to client information and our information assets.
- Provide information and cyber security awareness training to all employees at EPIC.
- Protect the confidentiality, integrity, and availability of information regarding clients, employees, contractors, suppliers, and service providers against threats, whether internal or external, deliberate or accidental, and protect it against damage, loss and unauthorised use or access.
- Provide continuous and secure services to clients and ensure business continuity is maintained.
- Integrate information and cyber security in business processes and standard practices.
- Develop and maintain operational manuals and processes to support the Information and Cyber Security policy and review these documents annually (at a minimum) and when changes occur.
- Ensure information security objectives are defined, monitored, measured, analysed, and evaluated periodically and continually improve EPIC’s information security management system.
- Meet legal and regulatory requirements and contractual security obligations pertaining to information collection, storage, processing, transmission, and disclosure.
- Ensure vulnerability assessment and penetration testing is conducted across EPIC’s environment and that any areas of improvement are actioned to minimise the risk arising from a cyber-attack.
- Report and investigate relevant information and cyber security incidents, whether actual or suspected.
- Allocate appropriate resources to review, implement, develop, and maintain ISMS controls.
This policy relates to:
- Information held by EPIC as well as information supplied to us by clients, contractors, or third parties.
- Information held in any form, i.e. paper (hard copy), electronic, digital, social media, cloud, web-based platform (e.g. EVO), hard disk, etc.
- All systems and infrastructure used within Third Party Supplementary IT (TPSIT) Systems.
Last update: 14 May 2026


