IT Security Policy¶
| Document Reference | POL_HSQE_30 |
|---|---|
| Revision | 1 |
| Issue Date | 4 May 2026 |
| Next Review | 4 May 2027 |
| Status | Uncontrolled when printed |
Purpose¶
A M Water Services Ltd recognises that the security of our IT systems and data is essential — to protect the personal data of our employees and subcontractors, the commercial information of our customers (Anglian, Severn Trent and others), and the operational systems that keep AMWS running. This policy sets out the basic controls every AMWS worker is expected to follow, in plain English, scaled to the realities of a 20-person operation.
Scope¶
This policy applies to all employees, directors, labour-supply subcontractors and authorised visitors who access AMWS IT systems — including email, cloud storage, telematics, finance systems, the Van Packs portal and personal devices used for work purposes.
Legal Requirements¶
This policy supports compliance with the UK GDPR and the Data Protection Act 2018, the Computer Misuse Act 1990, and AMWS's contractual obligations to customers under PR24 framework agreements (including expectations around data handling and breach notification).
Policy Statement¶
AMWS commits to keeping IT security proportionate, practical and observable. We don't pretend to operate at ISO 27001 scale, but we do operate the basic controls listed below consistently and review them annually.
1. Who has access to what¶
- Access to AMWS systems is role-based. New starters get only the systems they need; leavers' access is revoked on their last day, not left until the next review.
- A simple access list is maintained by Leanne Mason (Director, HR/Admin). Reviewed at the annual Management Review.
- The Directors hold the master credentials for finance, telematics, and cloud storage. No shared logins between operatives.
2. Passwords and multi-factor authentication¶
- MFA is on for: email (Microsoft 365), cloud storage, finance system, the GitHub repo holding the IMS portals.
- Passwords are at least 12 characters and not reused across systems.
- A password manager is permitted (and encouraged for the Directors and admin). Operatives must not write work passwords down or store them in plain text (paper, phone notes, messages).
- If a password is suspected of being compromised, change it immediately and tell the Directors so the sign-in / activity log can be checked for use by anyone else.
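The two controls above (section 1's "leavers revoked the same day, no shared logins" and section 2's "MFA is on") are only as good as the periodic check that finds the exceptions. The script below is an added example, not part of the AMWS policy or any AMWS tooling: it reconciles a starters/leavers roster against an export of the accounts in a cloud system and lists what should not exist, i.e. enabled accounts for leavers (with days overdue), enabled accounts with no owner on the roster (the usual sign of a shared login), accounts without MFA enforced, and accounts nobody has signed in to for 90 days. Both CSV layouts and every name and address in them are constructed for the example; a real Microsoft 365 / Entra export has different column names, so the reader would need adjusting.

```python
"""Added example: access-list and MFA review (not AMWS's own tooling).

The roster and account export below are constructed; real exports differ.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: who should have access, and when leavers left.
ROSTER_CSV = """name,email,status,left_on
Aaron Mason,aaron@example.com,active,
Leanne Mason,leanne@example.com,active,
Joe Bloggs,joe.bloggs@example.com,left,2026-04-20
Sam Patel,sam.patel@example.com,active,
"""

# Constructed account export from the cloud provider (hypothetical columns).
ACCOUNTS_CSV = """email,enabled,mfa_enforced,last_sign_in
aaron@example.com,true,true,2026-05-01
leanne@example.com,true,true,2026-05-02
joe.bloggs@example.com,true,true,2026-04-19
sam.patel@example.com,true,false,2026-05-01
site-shared@example.com,true,false,2025-12-01
old.temp@example.com,false,false,2025-06-15
"""

STALE_AFTER = timedelta(days=90)   # assumed threshold for "nobody uses this"
TODAY = date(2026, 5, 4)           # review date used for the example run


def read_csv(text):
    """Parse a CSV string into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """ISO date or empty string -> date or None."""
    return date.fromisoformat(value) if value else None


def review_access(roster_csv, accounts_csv, today):
    """Return a dict of findings; every list empty means the access list is clean."""
    roster = {r["email"].lower(): r for r in read_csv(roster_csv)}
    findings = {
        "leaver_still_enabled": [],   # (email, days since leaving date)
        "no_owner_on_roster": [],     # enabled account nobody on the roster owns
        "mfa_not_enforced": [],       # enabled account without MFA
        "stale": [],                  # enabled account unused for STALE_AFTER
    }
    for acct in read_csv(accounts_csv):
        email = acct["email"].lower()
        if acct["enabled"].lower() != "true":
            continue  # a disabled account is a tidy-up item, not an access risk
        person = roster.get(email)
        if person is None:
            findings["no_owner_on_roster"].append(email)
        elif person["status"] == "left":
            left = parse_date(person["left_on"])
            overdue = (today - left).days if left else None
            findings["leaver_still_enabled"].append((email, overdue))
        if acct["mfa_enforced"].lower() != "true":
            findings["mfa_not_enforced"].append(email)
        last = parse_date(acct["last_sign_in"])
        if last is None or today - last > STALE_AFTER:
            findings["stale"].append(email)
    return findings


def is_clean(findings):
    """True when no finding category has any entries."""
    return not any(findings.values())


if __name__ == "__main__":
    result = review_access(ROSTER_CSV, ACCOUNTS_CSV, TODAY)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("access list clean" if is_clean(result) else "ACTION REQUIRED")
```

Run against the constructed data the script flags the leaver whose account is still enabled two weeks after leaving, the ownerless `site-shared` account (which is also unused and has no MFA), and one active user without MFA. The disabled account is skipped deliberately: it is not an access risk, and listing it would bury the items that need a same-day fix.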
3. Email and phishing¶
- Treat unexpected attachments and "urgent payment" emails as suspicious — pause, check the sender domain, and ask the Directors before clicking. A request to change bank or payment details is confirmed by phone on a number already on file, never by replying to the email.
- Don't forward customer / personal data to personal email accounts.
- Suspected phishing attempts are forwarded to the Directors (as an attachment, so the message headers are preserved) and then deleted; a brief log is kept in the AMWS HR/IT folder.
4. Cloud storage, backup and recovery¶
- Working files live on the AMWS shared cloud storage (Microsoft 365 / OneDrive). The cloud provider's backup is the primary backup. Note that OneDrive sync also replicates deletions and ransomware-encrypted files, so recovery depends on the provider's version history and deleted-item retention; those settings are confirmed as part of the annual review.
- The IMS portals are versioned in GitHub and deployed via Cloudflare Pages — Git history is the source of truth.
- Local copies of controlled documents are working copies only; the portal is master.
- Restore-from-backup procedure documented in APP_17 — DR & Business Continuity Plan.
5. Devices — company and personal¶
- Company laptops / desktops — kept patched (auto-updates on); endpoint antivirus active; locked when unattended; full-disk encryption (BitLocker / FileVault) on.
- Mobile phones — protected by a screen lock (PIN, biometric or pattern). Email and cloud apps require the device password.
- BYOD — employees and subcontractors using their own phones for the WhatsApp Works group or for accessing email must keep the device locked and not store customer data outside the official apps.
- Devices are never left in unattended vehicles overnight.
6. Disposal and reuse¶
- End-of-life laptops and phones are factory-reset (or the disk wiped) before disposal or reuse.
- WEEE flow goes through the route in SOP 9.6 Environment in the Office and the Recycling Initiatives note.
- Storage media containing customer or personal data are wiped or physically destroyed; a brief record is kept on the IT folder.
7. Third-party IT and connections¶
- AMWS does not directly host customer data on its own infrastructure.
- Customer-system access (Anglian / Severn Trent portals) is via individual named credentials — not shared.
- Suppliers with IT access (e.g. Grenke for leasing, Lyreco for the stationery account) are reviewed at the APP_19 Supplier Annual Review in the same way as physical-goods suppliers.
8. Incident response¶
- A suspected IT-security incident (suspicious account activity, a lost or stolen device, a confirmed phishing click) is reported to the Directors as soon as possible and in any case within 24 hours.
- Pathway:
- Isolate — disconnect the affected device from the network, sign it out of cloud accounts and change any passwords it held
- Notify — Directors first, then the cloud provider's support line
- Assess — what data was potentially exposed?
- Decide — do we have a notifiable personal-data breach under UK GDPR? The ICO must be notified within 72 hours of AMWS becoming aware, so this decision is not deferred to the next compliance call
- Document — incident logged in APP_21 NC & Improvement Register; lessons fed into the next BCP review
- This pathway integrates with SOP 8.1 Accident, Incident & Near Miss Reporting and APP_17 BCP.
9. Training and awareness¶
- IT-security awareness is a standing toolbox-talk topic — added to the TBT programme on annual rotation.
- New starters receive a 10-minute IT-security briefing during onboarding (covered by the Acknowledgement Sheet).
- The Directors review their own IT-security knowledge annually as part of the Management Review.
Roles and responsibilities¶
| Role | Responsibility |
|---|---|
| Aaron Mason (Managing Director) | Owns IT-security strategy; final decision on incidents; manages master credentials |
| Leanne Mason (Director, HR/Admin) | Maintains access list; manages new-starter / leaver access; runs annual access review |
| Sean Ashton (HSQE Consultant, Onyx) | Ensures policy + incident pathway is current; reviews annually as part of IMS review |
| All workers | Follow this policy; report incidents within 24 hours; keep devices locked and patched |
What's deliberately NOT in this policy¶
This is a small-business policy, scaled to AMWS's actual risk:
- No ISMS, no Statement of Applicability — we are not seeking ISO 27001 certification. We operate basic controls and review them.
- No formal data-classification scheme — in practice AMWS handles two classes: customer / personal data (treated carefully) and operational data (treated like any business document). Adding classification labels would be procedural overhead with no risk reduction.
- No SIEM, no security operations centre — we rely on the cloud provider's built-in monitoring and on staff reporting.
If AMWS's risk profile changes (new customer with explicit ISO 27001 requirement, growth past ~50 staff, taking custody of third-party data), this policy is reviewed and the controls scaled up to match.
Review¶
This policy is reviewed annually or sooner if:
- A material IT-security incident occurs at AMWS or in the supply chain
- A customer requires a higher-tier control (e.g. PR24 supply-chain cyber expectations escalate)
- Government / ICO guidance changes materially
- AMWS adopts a substantially new system (e.g. a new finance package or telematics platform)
This document forms part of A M Water Services Limited's Integrated Management System. Paper copies are uncontrolled when printed.
Audit trail¶
| Date | Action | By | Details |
|---|---|---|---|
| 04/05/2026 | Issue 1 drafted | Sean Ashton, HSQE Consultant | New standalone IT Security policy, scaled to AMWS's actual size and risk. Deliberately not an ISO 27001 ISMS — covers access, passwords, cloud/backup, email, devices/BYOD, disposal, third-party IT, incident response, training. Pairs with SOP 8.1 (incident reporting), APP_17 (BCP) and APP_21 (NCR/improvement register). |
How this document is approved¶
This document is maintained under AMWS's continuous-compliance model. Substantive revisions are reviewed and signed off by the Directors at the standing weekly Director / HSQE compliance call (Sean Ashton, Onyx + Leanne Mason). Currency, cross-references and minor edits are checked at the monthly Onyx site visit. The annual Management Review (September) provides the strategic-level confirmation. Compliance is therefore continuous, not gated on a single annual meeting.