Security Policies

Information Security Policy

Last reviewed 17 January 2025.

Introduction

This policy describes the objectives, and commitments to meeting those objectives, that BTL Group Ltd trading as Surpass Assessment and its wholly owned subsidiary, Surpass Assessment Inc (collectively, the Group) has set to maintain the confidentiality, integrity and availability of its data.

An Information Security Policy is a requirement of ISO 27001:2022 Standards. Section 5.2.

Scope

This policy applies to all employees, contractors and third parties that access, process or manage information on behalf of the Group.

This policy applies to the Group and geographical areas where it operates unless specific local exclusions apply, in which case the exclusion(s) shall be clearly stated in this section. In such cases where applicable legislation exists in more than one territory or geographical area, the more restrictive shall apply, and shall be clearly stated in this section.

Exceptions to this policy must be agreed in writing with the Information Security Manager and recorded in the Surpass Risk Register.

Objectives

The objectives of this policy are to outline the Group’s intent to:

Protect the information assets that the Group handles, stores, exchanges, processes and has access to and ensure the ongoing maintenance of their confidentiality, integrity and availability.
Ensure controls are implemented that provide protection for information assets and are proportionate to their value and the threats that they are exposed to.
Ensure the Group complies with all relevant legal, customer and other third-party requirements relating to information security.
Continually improving the Group’s Information Security Management System and its ability to withstand threats that could potentially compromise information security.

Policy statement

The Group has committed to achieving the objectives above by:

Implementing and maintaining an Information Security Management System that meets the requirements of ISO 27001:2022 and all applicable regulatory requirements.
Systematically identifying security threats and the application of a risk assessment procedure that identifies appropriate control measures for implementation.
Regularly reviewing security threats and the testing/auditing of the effectiveness of control measures.
Maintaining a risk treatment plan that is focused on eliminating or reducing security threats.
The maintenance and regular testing of business continuity plans for all critical services.
Having a clear definition of responsibilities for implementing and managing the IMS.
Establishing information security objectives at relevant functions and levels.
Provisioning appropriate information, instruction and training so that all employees are aware of their responsibilities and legal duties and can support the implementation and management of the IMS.
The implementation and maintenance of a suite of supporting documents that provide detail on how the objectives of this policy are achieved, and guidance on how to achieve them.
Ensuring that the adherence to this policy is a condition of employment for all colleagues.
Implementing measures to ensure all organisations working for and on behalf of the Group who access or process any of the Group’s data meet all applicable information security requirements.
Ensuring that this policy is available to interested parties, and significant and relevant changes to the policy are communicated.
Implementing measures to ensure all information security incidents are reported to the Information Management team.
Handling violations of this policy in line with the company’s Disciplinary Policy.

Review

This policy will be reviewed by the board at least annually and when significant changes to the business impact the Information Security Management System.

Surpass Test Centre CCTV Policy

Last updated 10 April 2025.

Introduction

This policy outlines the use of Closed-Circuit Television (CCTV) within the Surpass Test Centre (Salts Mill, Victoria Rd, Saltaire, Shipley, BD18 3LF, UK) to ensure the safety and security of candidates, staff, and property, and to support the integrity of the examination process.

Scope

This policy applies to all CCTV systems operated within the test centre examination room and covers all individuals within the room, including candidates, staff, visitors, and contractors.

Objectives

To ensure a safe and secure environment for all test centre users
To deter and detect criminal activity, malpractice, or breaches of examination regulations
To support the investigation of incidents or complaints
To comply with data protection and privacy legislation

CCTV Operation

CCTV is in operation in the examination room
Cameras will not be installed in private areas such as restrooms or changing rooms.
CCTV systems are operated and monitored by authorised staff only.

Data Protection and Privacy

All footage is recorded in accordance with data protection legislation (e.g., UK GDPR, DPA 2018).
Recorded images may be used for investigation purposes or shared with relevant awarding bodies or authorities if required.
Individuals have the right to request access to their personal data captured by CCTV, subject to standard data subject access request procedures.

Retention and Storage

Recorded footage will be stored securely and retained for a period of 30 days, unless required for an ongoing investigation.
After the retention period, footage will be securely deleted or overwritten.
Requested footage will be securely deleted once any investigations have been closed.

Signage

Clear signage is displayed throughout the premises to inform all individuals that CCTV is in operation.

Access and Disclosure

Access to recorded footage is restricted to authorised personnel only.
Disclosure of footage to third parties (e.g. awarding bodies) will only be made when required or permitted through agreed processes.
A record of all disclosures will be maintained.

Review and Compliance

This policy will be reviewed annually or in response to changes in legislation or operational requirements.
Non-compliance with this policy may result in disciplinary action or legal consequences.