Skip to main content
BehaviourWellbeingInsightsCommunity
Our StoryBlogFAQContact
ten points
Pricing
Book a callLog in
BehaviourWellbeingInsightsCommunity
Our StoryPricingBlogFAQ
Book a callLog in

Trust Centre

Information Security Policy

Last updated: May 21, 2025

← Trust Centre

Version: 1.0Effective Date: 01 Oct 2025Approved By: Board of DirectorsNext Review Date: 01 Oct 2026

1. Purpose

This Information Security Policy defines Ten Points Education Limited’s (“Ten Points”) approach to information security management. The purpose is to protect the confidentiality, integrity, and availability of information assets under our control, ensure compliance with legal and regulatory obligations (including UK GDPR and the Data Protection Act 2018), and provide direction for implementing, maintaining, and improving our Information Security Management System (ISMS).

2. Scope

This policy applies to:

  1. all information assets processed by Ten Points in the delivery of its services;
  2. all information systems, applications, and cloud-hosted services used to support Ten Points operations; and
  3. all employees, contractors, and third parties with access to Ten Points information or systems.

3. Leadership Commitment

  1. The Board of Directors has ultimate accountability for information security and is committed to providing the resources necessary to establish, operate, maintain, and continually improve the ISMS.
  2. Information security objectives are defined, measured, and reviewed as part of management reviews.
  3. Information security is integrated into all business processes, strategic planning, and risk management activities.

4. Information Security Objectives

Ten Points commits to:

  1. protect information against unauthorised access, disclosure, modification, or destruction;
  2. ensure the integrity and availability of data processed for schools and educational institutions;
  3. comply with all contractual, legal, and regulatory obligations;
  4. continually assess, manage, and mitigate security risks; and
  5. foster a culture of security awareness and accountability across the organisation.

5. Risk Management

  1. Ten Points operates a formal information security risk management process aligned with ISO/IEC 27005.
  2. Risks are identified, analysed, and evaluated at least annually or when significant changes occur.
  3. A risk treatment plan is maintained, assigning controls in line with ISO/IEC 27001 Annex A and customer requirements.
  4. Risks are monitored and reviewed by the Information Security Officer and escalated to the Board as required.

6. Roles and Responsibilities

  1. Board of Directors – accountable for approving this policy, setting risk appetite, and overseeing compliance.
  2. Information Security Officer (ISO) – responsible for managing the ISMS, monitoring compliance, and reporting to the Board.
  3. Data Protection Officer (DPO) – responsible for data protection compliance, working in coordination with the ISO.
  4. All Staff and Contractors – required to comply with this policy, complete training, and report incidents promptly.
  5. Third Parties and Sub-Processors – required to comply with contractual information security obligations equivalent to Ten Points’ standards.

7. Access Control

  1. Access to information and systems is based on the principle of least privilege and approved by management.
  2. Multi-factor authentication (MFA) is mandatory for access to production and administrative systems.
  3. Access rights are reviewed regularly and revoked immediately upon staff termination or role change.
  4. Privileged access is strictly controlled, logged, and subject to enhanced monitoring.

8. Data Security and Cryptographic Controls

  1. Data in transit is encrypted using TLS 1.2+; data at rest is encrypted using AES-256 or equivalent.
  2. Approved cryptographic algorithms and key lengths are documented and reviewed annually.
  3. Key management procedures ensure secure generation, storage, and rotation of encryption keys.
  4. Backups are performed regularly, encrypted, tested for restorability, and securely deleted at end of retention.

9. Device and Endpoint Security

  1. Ten Points operates a BYOD (Bring Your Own Device) model. Staff devices used to access company systems must: use strong authentication (password or biometric), auto-lock after inactivity, be kept updated with vendor security patches, and support full-disk encryption (e.g., FileVault, BitLocker, or mobile equivalents).
  2. Sensitive operations (e.g., production system access) are only conducted via secure, logged, and authorised sessions.
  3. Corporate email and administrative systems are accessed only through managed identity controls with MFA.

10. Supplier and Sub-Processor Security

  1. All suppliers and sub-processors with access to Ten Points data are required to meet equivalent information security standards.
  2. Due diligence, including security assessments and contractual agreements, is conducted before engagement.
  3. Supplier performance and compliance are reviewed regularly.
  4. A register of authorised sub-processors is maintained and made available to customers.

11. Application and Development Security

  1. Secure coding practices are followed, including peer code reviews and vulnerability scanning.
  2. Development, testing, and production environments are logically separated.
  3. Dependencies are monitored and patched to mitigate vulnerabilities.
  4. Periodic penetration testing and vulnerability assessments are performed by qualified third parties.
  5. Privacy by Design and Default principles are embedded in development lifecycles.

12. Human Resources Security

  1. All employees and contractors sign confidentiality and acceptable use agreements.
  2. Background checks, including DBS Basic Checks, are performed prior to granting system access.
  3. Staff complete annual information security and privacy training.
  4. Offboarding procedures ensure immediate revocation of access and recovery of company assets.

13. Incident Management

  1. All suspected or actual security incidents must be reported immediately to the ISO and DPO.
  2. Incidents are logged, investigated, and resolved following formal procedures.
  3. Incident response includes containment, eradication, recovery, and lessons learned.
  4. Customers and regulators are notified of notifiable incidents in line with legal and contractual requirements (e.g. ICO notification within 72 hours under UK GDPR).

14. Business Continuity and Disaster Recovery

  1. Business continuity and disaster recovery plans are established, maintained, and tested at least annually.
  2. Recovery time objectives (RTOs) and recovery point objectives (RPOs) are defined and reviewed.
  3. Critical services and data can be restored in a timely manner following disruption.

15. Logging, Monitoring, and Audit

  1. Security logs are retained, protected, and regularly reviewed for suspicious activity.
  2. Monitoring is continuous, with alerts for anomalous or unauthorised activity.
  3. Internal audits are conducted to evaluate ISMS effectiveness.
  4. Corrective and preventive actions are taken promptly in response to audit findings.

16. Continuous Improvement

  1. This policy, and the ISMS as a whole, is subject to management review at least annually.
  2. Findings from risk assessments, incidents, audits, and customer feedback are used to drive continual improvement.
  3. The ISO maintains a cycle of Plan–Do–Check–Act (PDCA) for ongoing ISMS enhancement.

Contact

Information Security Officer / Data Protection Officer
Ten Points Education Limited
Email: [email protected]

  • Home
  • Behaviour
  • Wellbeing
  • Insights
  • Community
  • Our Story
  • Blog
  • FAQ
  • Pricing
  • Contact
Get started
ten points
Trust CentreAgreement

© 2026 Ten Points Education Ltd