Information and Cyber Security Policy

This policy applies to EPIC Assist (EPIC) employees, volunteers, contractors, and all other related parties.


EPIC is committed to achieving and maintaining certification to the Information Security Management Systems (ISMS) standard ISO 27001:2013 and implementing Right Fit For Risk (RFFR) controls across our footprint. We will:

  • Ensure this policy is followed by employees, volunteers, contractors and interested parties who have access to participant and employer information and our information assets; and provide Information and cyber security awareness training to all employees and contractors at EPIC.
  • Protect the confidentiality and integrity of and availability to our participants, employers, employees, contractors, suppliers, and service providers’ information from security threats, whether internal or external, deliberate or accidental; as well as protect it against damage or loss and unauthorised use or access.
  • Provide continuous and secure services to participants and employers; and ensure business continuity is maintained and tested periodically.
  • Integrate information and cyber security in business processes and standard practices; develop and maintain operational manuals and processes to support the Information and Cyber Security policy; and review all documents related to Cyber security annually (at a minimum) or when changes occur.
  • Ensure information security objectives relating to Information security requirements are defined, monitored, measured, analysed, and evaluated periodically; and continually improve EPIC’s information security management system.
  • Meet legal and regulatory requirements and contractual security obligations pertaining to information collection, storage, processing, transmission, and disclosure.
  • Ensure vulnerability assessment and penetration testing is conducted across the EPIC environment and actioned for all risks to minimise the risk arising from a cyber-attack.
  • Report and investigate information and cyber security incidents, actual or suspected, to all relevant stakeholders.
  • Allocate appropriate resources for the review, implementation, development and maintenance of ISMS and RFFR controls.

This policy relates to:

  • Information held by EPIC as well as information supplied to us by participants, employers, contractors, or third parties.
  • Information held in any form i.e. paper (hard copy), electronic, digital, social media, cloud, web-based platform (e.g. EVO), hard disk, etc.
  • All systems and infrastructure used within EPIC – Third Party Employment System (TPES) and Third Party Supplementary IT(TPSIT) System.

Policies can be established or altered only by EPIC’s Board Of Directors.

Last update: 06 September 2021