Information Security Management System (ISMS) Privacy Policy

1. Introduction

This document sets out the Information Security Management System (ISMS) framework for InsightSERA, a UK-based provider of secure Open-Source Intelligence (OSINT) platforms and services. It defines the company’s policies, responsibilities, and processes for managing information security across all internal operations and client-facing systems.

The ISMS ensures that sensitive data—especially client and employee information—is protected through consistent, risk-managed, and compliant practices. This policy reflects InsightSERA’s commitment to continuous improvement, legal conformity, and operational integrity.

1.1 Statement of Commitment

InsightSERA is committed to implementing, maintaining, and continuously improving a robust Information Security Management System (ISMS) across all its business operations, with a particular focus on the development, deployment, and operation of its OSINT (Open-Source Intelligence) solutions.

We recognize that information is a critical asset to our business, clients, and partners. Ensuring its protection is essential to maintain operational integrity, legal compliance, stakeholder trust, and the effectiveness of our intelligence offerings.

Our commitment includes:

  • Ensuring that all information, whether belonging to the organization or its clients, is appropriately protected against unauthorized access, loss, disclosure, alteration, and destruction.

  • Applying rigorous access control, secure system design, and encrypted storage to protect data across our infrastructure—entirely operated on-premises or on fully encrypted personal InsightSERA servers.

  • Conducting regular internal audits and reviews to assess the adequacy and effectiveness of our security controls, and to identify areas for improvement.

  • Promoting security awareness across all employees and stakeholders through training, communication, and enforcement of internal policies.

  • Aligning security practices with internationally recognized standards, particularly ISO/IEC 27001, with a view to formal certification in the near future.

This policy is supported by senior management and enforced through operational processes, assigned responsibilities, and oversight mechanisms led by the company’s information security lead.

1.2 Purpose and Objectives

The purpose of this Information Security Policy is to define InsightSERA’s framework for managing and securing information assets across its internal systems and InsightSERA-branded OSINT platforms. It ensures that all information is handled in a secure, reliable, and consistent manner, and that risks to the confidentiality, integrity, and availability of information are systematically managed.

This policy exists to:

  • Establish a formal foundation for information security controls, responsibilities, and procedures within InsightSERA.

  • Ensure that security measures support business goals and client service obligations, particularly within sensitive investigation and analysis environments.

  • Define roles and accountability structures necessary for effective governance and oversight of security measures.

  • Provide a baseline for legal, regulatory, and contractual compliance related to data protection and operational security.

  • Guide the implementation of technical and procedural safeguards to protect against threats—internal and external, deliberate or accidental.

The key objectives of this policy are:

  • To protect InsightSERA’s and clients’ sensitive data from compromise or misuse.

  • To reduce the impact and likelihood of security incidents through preventive controls and rapid incident response.

  • To support continuous improvement in security posture through quarterly audits, feedback loops, and regular documentation reviews.

  • To facilitate secure collaboration across departments and with clients, partners, and third parties.

  • To prepare the organization for future ISO 27001 alignment and certification.

This policy applies to all InsightSERA employees, contractors, vendors, and any other personnel who interact with or manage company data, infrastructure, or OSINT platforms.

1.3 Scope and Applicability

This Information Security Policy applies to all business functions, information systems, personnel, and physical or digital assets managed by InsightSERA. It governs how information is accessed, stored, processed, transmitted, and disposed of, across both internal operations and client-facing services.

Specifically, this policy encompasses:

  • Internal Systems: All corporate data, employee records, communication systems, administrative tools, and operational procedures.

  • InsightSERA OSINT Systems: All tools, platforms, and technologies branded and operated by InsightSERA for the purpose of Open-Source Intelligence gathering, analysis, and reporting. This includes data collection from the surface web, deep web, dark web, and publicly available social platforms.

  • Users and Roles: All employees, contractors, consultants, temporary staff, and authorized third-party service providers with access to InsightSERA systems or data.

  • Infrastructure: All computing environments—whether physical or virtual—deployed on-premises or hosted on InsightSERA’s encrypted internal servers. No data is processed or stored on cloud-based platforms.

  • Data Types: This includes client-provided intelligence data, operational analytics, investigation results, system logs, and employee personal data.

All personnel and entities within the defined scope are required to comply with the policies, controls, and procedures outlined in this document. Any deviation or exception must be formally approved by InsightSERA’s designated information security authority.

1.4 Information Security Principles

InsightSERA’s approach to information security is based on a set of foundational principles designed to protect assets and support operational resilience. These principles guide all security-related decisions, implementations, and controls:

  • Confidentiality: Data is accessible only to authorized personnel based on defined roles and strict access controls. Sensitive data is encrypted both at rest and in transit.

  • Integrity: All systems and processes are designed to prevent unauthorized modification of data. Changes to configurations or datasets are logged, monitored, and auditable.

  • Availability: Systems are designed and maintained to ensure reliable access for authorized users. Downtime is minimized through infrastructure redundancy, regular maintenance, and predefined continuity plans.

  • Accountability: All access and activity within the OSINT systems and internal infrastructure are traceable through immutable audit logs. Roles and responsibilities are clearly defined.

  • Least Privilege: Users are granted only the access necessary to perform their tasks, minimizing potential exposure or misuse of information.

  • Legal and Regulatory Compliance: All security practices conform to the UK Data Protection Act 2018, GDPR, and other applicable legal standards. ISO 27001 compliance serves as the long-term alignment target.

  • Security by Design: All new services, updates, or system changes undergo risk and security assessment before deployment.

These principles are embedded in InsightSERA’s security architecture, user training programs, and operational controls, ensuring a consistent and enforceable framework across the organization.

1.5 Legal and Regulatory Compliance

InsightSERA operates under a legal and regulatory framework governed primarily by UK and international standards related to information security and privacy. This policy ensures that all data handling practices, system designs, and operational procedures are aligned with these requirements.

Key compliance areas include:

  • UK Data Protection Act 2018: All personal data, including that of clients and employees, is processed in accordance with national data protection obligations. Measures are taken to safeguard against unauthorized access, misuse, or disclosure.

  • General Data Protection Regulation (GDPR): InsightSERA adheres to the GDPR where applicable, ensuring that data subjects' rights—such as consent, access, rectification, and erasure—are respected within the context of OSINT and intelligence operations.

  • Confidentiality and Data Sovereignty: All data is stored and processed within controlled environments. InsightSERA does not use third-party cloud services for client or employee information. All servers are either on-premises or operated by InsightSERA personnel using end-to-end encryption.

  • Contractual Requirements: Where InsightSERA operates under client contracts or public sector frameworks, information security clauses and compliance with agency-specific guidelines are strictly observed.

  • ISO/IEC 27001 Readiness: Although not yet certified, InsightSERA aligns its security operations and documentation with ISO 27001 standards to prepare for formal certification. This includes asset inventory, risk assessments, access controls, and audit mechanisms.

InsightSERA reviews legal and compliance requirements on an ongoing basis, ensuring its security policies evolve in line with legislative updates, technological changes, and sector-specific needs.

1.6 Risk Management Approach

InsightSERA takes a structured and proactive approach to identifying, assessing, mitigating, and monitoring risks related to information security. The risk management process is integrated into operational planning, system maintenance, and strategic decision-making.

Key elements of the risk management approach include:

  • Risk Identification: All key assets—including data, systems, personnel roles, and third-party dependencies—are reviewed to identify potential vulnerabilities and threat vectors. This includes both technical and human factors.

  • Risk Assessment: Risks are assessed based on likelihood and impact using a standard risk matrix. Priority is given to risks that could compromise confidentiality, integrity, or availability of sensitive data.

  • Controls and Mitigation: For each identified risk, appropriate technical and organizational controls are implemented. These may include access restrictions, encryption, network segmentation, operational procedures, or user training.

  • Quarterly Risk Reviews: As part of InsightSERA’s internal audit program, all identified risks and associated controls are reviewed every quarter. Changes in technology, the regulatory environment, or internal operations trigger additional assessments.

  • Incident Preparedness: Response plans are in place for potential security incidents, including containment, impact analysis, and remediation. All incidents are documented and reviewed to update the risk profile accordingly.

  • Management Oversight: The Head of Information Security (currently David Pinto) is responsible for the risk management process. Findings and actions are presented to senior management for validation and resource allocation.

This approach ensures that InsightSERA continuously evaluates its exposure and maintains a high standard of security readiness across its operations.

1.7 Alignment with Business Strategy

Information security is a core enabler of InsightSERA’s business objectives. As an intelligence technology provider focused on secure OSINT solutions, the protection of sensitive data, operational integrity, and system reliability directly supports client trust and competitive positioning.

The ISMS is aligned with the company’s strategic goals in the following ways:

  • Client Trust and Service Integrity: Security controls are essential for protecting the data entrusted to InsightSERA by government agencies, security forces, and other sensitive clients. Maintaining a secure OSINT platform is foundational to long-term customer relationships.

  • Operational Stability: Risk-managed infrastructure and controlled access ensure system uptime and reduce the probability of incidents that can disrupt investigative processes.

  • Compliance-Ready Posture: Aligning with ISO/IEC 27001 standards supports the organization’s future certification goals and strengthens its positioning in formal procurement and public-sector tenders.

  • Internal Efficiency and Responsibility: Defined security procedures and responsibilities reduce ambiguity in daily operations and improve coordination between technical, administrative, and leadership teams.

  • Sustainable Growth: As InsightSERA scales its operations or expands into new regions, this policy ensures that information security principles remain embedded in decision-making and resource planning.

Security is not treated as a standalone requirement but as a cross-functional element of the company’s design, delivery, and governance processes.

2. Management Responsibilities and Tasks

InsightSERA assigns clear responsibility and accountability for information security at the management level. Oversight is led by David Pinto, who acts as the designated Information Security Lead and reports directly to senior leadership.

2.1 Role of the Information Security Lead

The Information Security Lead is responsible for:

  • Developing and enforcing security policies and standards.

  • Coordinating internal audits and risk reviews.

  • Approving system changes that may impact data protection.

  • Investigating incidents and overseeing remediation.

  • Ensuring alignment with compliance obligations and industry standards.

2.2 Management Oversight

Management is responsible for providing the resources, direction, and authority necessary to maintain the ISMS. This includes:

  • Ensuring that all staff are aware of their responsibilities related to data security.

  • Authorizing periodic security reviews and third-party assessments when required.

  • Supporting awareness training and operational readiness for incident response.

2.3 Delegated Responsibilities

Managers of key departments (e.g., development, infrastructure, and client delivery) are expected to:

  • Implement the security policies within their teams.

  • Identify operational risks and report them to the Information Security Lead.

  • Maintain documentation relevant to their processes (e.g., access controls, data retention).

  • Cooperate in internal audits and provide requested evidence or clarification.

2.4 Authority and Decision-Making

The Information Security Lead has authority to:

  • Enforce user access restrictions or revoke system credentials.

  • Halt deployments or changes that present unmitigated security risks.

  • Escalate unresolved issues to the executive level for prioritization or action.

2.5 Documentation and Communication

All management decisions relating to information security—especially those involving risk acceptance or corrective actions—are documented and retained. Updates to policies or procedures are communicated to relevant stakeholders in writing.

3. System Maintenance and Continuous Improvement Methods

InsightSERA maintains a structured, proactive approach to ensuring the ongoing effectiveness, reliability, and security of its OSINT systems and internal information processes. This includes both preventive maintenance of infrastructure and systematic improvements based on audits, feedback, and operational changes.

3.1 ISMS Maintenance Plan

The Information Security Management System is maintained through documented procedures and periodic review cycles. Core maintenance activities include:

  • Regular updates of policies and procedures.

  • Review of system logs and audit trails.

  • Verification of backup and disaster recovery mechanisms.

  • Technical checks on hardware and software used for OSINT operations.

All maintenance activities are coordinated by the Information Security Lead, with input from technical and operational staff.

3.2 Review and Update Cycles

InsightSERA’s ISMS components—policies, procedures, risk assessments—are reviewed at minimum every 12 months or immediately following:

  • Major changes in IT infrastructure or OSINT system architecture.

  • Regulatory updates.

  • Security incidents or near-misses.

  • Client feedback or contractual revisions.

Revisions are documented and version-controlled. Approved changes are communicated to relevant stakeholders via internal notifications or training.

3.3 Change Management Procedures

System changes are evaluated for potential security impact prior to deployment. The change control process includes:

  • Risk assessment of proposed modifications.

  • Documentation of technical and procedural changes.

  • Approval by the Information Security Lead for changes affecting data security or system integrity.

  • Post-deployment validation and monitoring.

No system-level changes are made without formal tracking and rollback capability.

3.4 Incident Management

InsightSERA has defined procedures for identifying, reporting, and resolving security incidents. Each incident is:

  • Logged in a central register.

  • Investigated to determine root cause and impact.

  • Followed by corrective action and documentation.

  • Reviewed by the Information Security Lead and reported to management if necessary.

Lessons learned from incidents are used to update controls and processes.

3.5 Internal Audit Process

InsightSERA conducts internal information security audits quarterly. Audits evaluate:

  • Compliance with internal policies.

  • Control effectiveness.

  • Asset protection and access management.

  • Documentation completeness.

Findings are reviewed by management, and corrective actions are tracked through closure.

3.6 Management Review Meetings

At least once per year, InsightSERA’s senior management convenes a formal review of the ISMS. Topics include:

  • Risk landscape and emerging threats.

  • Results of internal audits.

  • Status of corrective and preventive actions.

  • Proposed policy or infrastructure changes.

The outcome of these reviews informs strategic decisions and resource allocation.

3.7 Corrective and Preventive Actions

Whenever non-conformities or vulnerabilities are identified, InsightSERA documents and executes appropriate actions. This includes:

  • Immediate containment of the issue.

  • Root cause analysis.

  • Long-term preventive measures.

  • Confirmation of issue closure through testing or audit.

3.8 Stakeholder Feedback Integration

Feedback from employees, clients, and auditors is actively solicited and recorded. Validated feedback is used to:

  • Improve workflows or controls.

  • Adjust user training content.

  • Refine risk assessments.

This feedback loop ensures the ISMS evolves with real operational needs.

4. Systematic Information Security Assurance

InsightSERA is committed to a consistent, structured approach to information security that extends across all levels of the organization—from infrastructure to processes to personnel. Assurance of security is not treated as a one-time task but as an ongoing operational discipline embedded in the company’s culture and procedures.

4.1 Assurance Principles

InsightSERA’s approach to information security assurance is guided by the following principles:

  • Standardization: All processes relating to data handling, access control, incident response, and audits follow documented procedures to ensure predictability and reliability.

  • Traceability: Actions within systems are logged and attributable to individuals. Each record, change, or system event is traceable through time-stamped audit logs.

  • Verification: Security controls are tested regularly through internal audits, peer reviews, and technical validation during maintenance cycles.

  • Segregation of Duties: Operational and administrative roles are separated wherever possible to reduce the risk of fraud or accidental error.

  • Documentation: All core security processes—access control, risk assessment, backup, encryption protocols—are documented and available for review.

4.2 Structured Approach to Security

Security assurance is achieved through an integrated model that includes:

  • Defined Roles and Responsibilities: Security ownership is clearly assigned. The Information Security Lead has authority to oversee implementation and verify compliance across departments.

  • Layered Security Controls: Physical, technical, and procedural safeguards protect sensitive systems and information. This includes role-based access, encrypted storage, and local-only data processing.

  • Operational Consistency: All users, systems, and departments are held to the same baseline standards, ensuring no gaps in protection due to inconsistent practice.

  • Security Reviews: All updates, deployments, or process changes are reviewed for security implications and signed off before execution.

  • Quarterly Evaluation: Internal audits every three months ensure that controls remain effective, gaps are closed, and assurance is demonstrable.

4.3 Compliance Monitoring

Ongoing compliance with this policy is supported by:

  • Scheduled reviews of adherence to internal standards.

  • Spot checks on access controls, data retention, and user activity.

  • Follow-up on audit findings to ensure timely remediation.

  • Escalation of unresolved or recurring issues to executive management.

InsightSERA treats information security as a shared organizational responsibility. Assurance is not only about compliance but about operational confidence in the systems and processes used to manage information.

5. Evidence of Documentation and Regular Assessment

InsightSERA maintains comprehensive, up-to-date documentation of its Information Security Management System (ISMS) and ensures that all controls, procedures, and roles are subject to regular assessment. This practice supports transparency, accountability, and continuous improvement across the organization.

5.1 Documentation Structure and Accessibility

All policies, procedures, and audit records relevant to information security are organized within a controlled documentation system. This includes:

  • Security policy and governance documentation.

  • Risk assessments and treatment plans.

  • Audit logs and reports.

  • Change management records.

  • Incident response records.

  • User access registers and privilege logs.

Documents are maintained electronically, with access restricted to authorized personnel. All updates are version-controlled and timestamped.

5.2 Document Control Mechanisms

To ensure consistency and prevent unauthorized modification, the following controls are applied:

  • Designated document owners for each key policy and process.

  • Read-only distribution of finalized documents to operational teams.

  • Periodic reviews and updates (at least annually, or as needed).

  • Archive of historical versions for traceability and compliance validation.

Only authorized individuals (typically the Information Security Lead or delegated staff) are permitted to revise official documentation.

5.3 Internal Audits

InsightSERA conducts internal security audits every quarter. Each audit includes:

  • Review of system access and control logs.

  • Verification of compliance with key policies and procedures.

  • Checks on incident handling, backups, and data lifecycle controls.

  • Evaluation of previous audit findings and actions taken.

Audit results are formally recorded and shared with management. Any gaps identified are assigned a timeline and responsible owner for resolution.

5.4 External Assessments and Certifications

Although formal ISO/IEC 27001 certification has not yet been achieved, InsightSERA prepares for eventual certification by aligning its ISMS with the standard's structure and controls.

The company remains open to client-requested assessments and can provide:

  • Security policy documentation.

  • Infrastructure and deployment overviews.

  • Summary risk assessments.

  • Evidence of internal controls and audit findings (under NDA, if required).

5.5 Audit Schedule and Criteria

Internal audits follow a fixed quarterly schedule and cover:

  • Physical security of on-premises infrastructure.

  • System configuration and update integrity.

  • Access permissions and user account management.

  • Incident tracking and response documentation.

  • Data retention and disposal practices.

Audit scope may expand based on client requirements, new system features, or previous non-conformities.

5.6 Record Keeping and Evidence Retention

InsightSERA retains security-related documentation for a minimum of three years, or longer if contractually or legally required. All logs, audit findings, and incident reports are stored securely, encrypted, and backed up.

Access to historical records is restricted and monitored.

5.7 Continual Improvement through Findings

Audit results, incident reviews, and user feedback are formally reviewed and incorporated into system improvements. Actions taken based on findings include:

  • Policy updates.

  • Training refreshers for staff.

  • Technical reconfiguration of systems or tools.

  • Revised risk controls.

This process ensures that the ISMS evolves over time and stays relevant to InsightSERA’s operational and client environments.