ISP-01 Information security policy

Summary

This policy outlines the scope, structure, principles and means of governance for this and the entire Information Security Policy suite. It broadly defines the responsibilities for all University Members and others who have been granted access to process University data, with the goal of ensuring data remains secure and compliant with both University policy and relevant legislation.

Control information

Owner: Chief Digital Information Officer, IT Services
Author: Information Security Manager, IT Services
Sponsor: Chief Digital Information Officer, IT Services
Consulted: Information Governance and Security Advisory Board (IGSAB)
Approved by: University Executive Board
Responsible area: IT Services
Version: 4
Approval date: 17 November 2025
Effective date: 17 November 2025
Interim review effective date: Not applicable
Full review period: 1 year
Date of next full review: 31 October 2026
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements: Not applicable
Applicable statutory, legal or best practice requirements:
  Legal requirements:
  • Information must be protected in compliance with data protection, human rights, and freedom of information laws.
  Best practices:
  • The policy is structured in accordance with the UCISA Information Security Toolkit and ISO 27001, a recognised standard for information security management.
Keywords: asset, compliance, data protection, freedom of information, human rights, IGSAB, information security management, information security principles

1. Updates to this policy

1.1. This policy has been updated to align to the new University of Bristol policy management framework.

2. Introduction

2.1. This overarching policy document provides an overview of information security and lists a set of policy documents (sub-policies) which, taken together, constitute the Information Security Policy of the University. 

2.2. The policy suite provides a framework for managing and protecting the University's information assets, ensuring that data is handled securely and in compliance with legal requirements. As information is a key resource for teaching, research, and administration, the policy aims to mitigate risks such as breaches of confidentiality, data loss, and unauthorised access.

2.3. It is designed to meet statutory obligations, including data protection and freedom of information laws, and to support the University's commitment to maintaining the integrity and availability of its information.

3. Scope

3.1. This policy applies to all members of the University and any individuals authorised to process, store, or handle University information on its behalf.

3.2. All sub-policies apply to all members of the University and any individuals authorised to process, store, or handle University information on its behalf except where stated otherwise within the scope of the sub-policy.

4. Definitions

4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.

4.2. Availability: The principle of ensuring that information is accessible to authorised users when needed.

4.3. Compliance: Adherence to the rules and regulations outlined in the Information Security Policy and relevant legislation.

4.4. Confidentiality: The principle of ensuring that information is only accessible to those with authorised access.

4.5. Information asset: An item or body of information, an information storage system or an information processing system which is of value to the University.

4.6. Information Governance and Security Advisory Board (IGSAB): A group responsible for reviewing and approving changes to sub-policies within the University's Information Security Policy.

4.7. Information Asset Owner: A designated individual responsible for the classification, protection, and appropriate use of specific University information assets.

4.8. ISO 27001: An international standard outlining best practices for managing information security risks.

4.9. Integrity: Ensuring that information remains accurate, complete, and unaltered by unauthorised parties.

4.10. Procedural documents: Detailed documents that provide instructions on how to implement the high-level requirements outlined in the sub-policies.

4.11. Sub-policy: Information Security Policies that sit below the overarching ISP-01 Information Security Policy. Each sub-policy addresses a particular aspect of information security.

4.12. Universities and Colleges Information Systems Association (UCISA) Information Security Toolkit: A set of recommendations used to structure the University's Information Security Policy, based on industry standards.

5. Responsibilities

5.1. University members: Must ensure that information is protected according to the policy, handle data responsibly based on its classification and comply with relevant legal and institutional requirements regarding the security of data.

5.2. Information Asset Owners: Must define the appropriate uses of the information assets for which they are responsible. They must also ensure they understand and comply with the information security policies, handle data appropriately according to its classification, and report any security incidents or breaches promptly.

5.3. Chief Digital Information Officer (CDIO): Responsible for the production, maintenance, communication, and review of the Information Security Policy, ensuring consistency across sub-policies and compliance with relevant regulations.

5.4. Information Governance and Security Advisory Board (IGSAB): Reviews and approves sub-policies, ensuring alignment with the overarching policy, and consults with relevant groups before making changes to the policy documents.

5.5. External Partners and Contractors: Any third parties who handle University information must comply with the University's security policies and contractual arrangements, including secure data exchanges and information handling during their engagement.

6. Structure

6.1. The Information Security Policy document set is structured in accordance with the recommendations set out in the “UCISA Information Security Toolkit”, which in turn is based on the control guidelines set out in the industry standard ISO 27001.

6.2. This top-level document lists a set of sub-policy documents which together constitute the Information Security Policy of the University. The sub-policies are of equal standing with one another. Although the policy set should be internally consistent, for the removal of any doubt, if any inconsistency is found between this overarching policy and any of the sub-policies, this overarching policy will take precedence.

6.3. Each of the sub-policy documents only contains high-level descriptions of requirements and principles. They do not, and are not intended to, include detailed descriptions of policy implementation. Such details will, where necessary, be supplied in the form of separate procedural documents and standards which will be referenced from the relevant, individual sub-policy documents.

7. Information security principles

7.1. The University has adopted the following principles, which underpin this policy:

  1. Information will be protected in line with all relevant University policies and legislation, notably those relating to data protection, human rights and freedom of information.

  2. Each information asset will have a nominated owner who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.

  3. Information will be made available solely to those who have a legitimate need for access.

  4. All information will be classified according to an appropriate level of security.

  5. The integrity of information will be maintained.

  6. It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.

  7. Information will be protected against unauthorised access.

  8. Compliance with the Information Security Policy will be enforced.

8. Governance

8.1. Responsibility for the production, maintenance and communication of this top-level policy document and all sub-policy documents lies with the University’s Chief Digital Information Officer.  

8.2. This top-level policy document has been approved by the University Executive Board. Responsibility for the approval of all sub-policy documents is delegated to the Information Governance and Security Advisory Board (IGSAB). Before approving any sub-policy, the IGSAB will consult with other groups as appropriate.

8.3. Each of the documents constituting the Information Security Policy will be reviewed annually. It is the responsibility of the Chief Digital Information Officer to ensure that these reviews take place. It is also the responsibility of the Chief Digital Information Officer to ensure that the policy set is and remains internally consistent.

8.4. Changes or additions to the Information Security Policy may be proposed by any member of staff, via their Head of School or Division, to the Chief Digital Information Officer.

8.5. Any substantive changes made to any of the documents in the set will be communicated by the Information Governance and Security Advisory Board (IGSAB).

9. Sub-policy document list

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.