Information Security Policy
Last reviewed 17 January 2025.
Introduction
This policy describes the objectives, and commitments to meeting those objectives, that BTL Group Ltd trading as Surpass Assessment and its wholly owned subsidiary, Surpass Assessment Inc (collectively, the Group) has set to maintain the confidentiality, integrity and availability of its data.
An Information Security Policy is a requirement of the ISO 27001:2022 standard, Section 5.2.
Scope
This policy applies to all employees, contractors and third parties that access, process or manage information on behalf of the Group.
This policy applies to the Group in all geographical areas where it operates unless specific local exclusions apply, in which case the exclusion(s) shall be clearly stated in this section. Where applicable legislation exists in more than one territory or geographical area, the more restrictive legislation shall apply, and this shall be clearly stated in this section.
Exceptions to this policy must be agreed in writing with the Information Security Manager and recorded in the Surpass Risk Register.
Objectives
The objectives of this policy are to outline the Group’s intent to:
- Protect the information assets that the Group handles, stores, exchanges, processes and has access to and ensure the ongoing maintenance of their confidentiality, integrity and availability.
- Ensure controls are implemented that provide protection for information assets and are proportionate to their value and the threats that they are exposed to.
- Ensure the Group complies with all relevant legal, customer and other third-party requirements relating to information security.
- Continually improve the Group’s Information Security Management System and its ability to withstand threats that could potentially compromise information security.
Policy statement
The Group has committed to achieving the objectives above by:
- Implementing and maintaining an Information Security Management System that meets the requirements of ISO 27001:2022 and all applicable regulatory requirements.
- Systematically identifying security threats and applying a risk assessment procedure that identifies appropriate control measures for implementation.
- Regularly reviewing security threats and testing/auditing the effectiveness of control measures.
- Maintaining a risk treatment plan that is focused on eliminating or reducing security threats.
- Maintaining and regularly testing business continuity plans for all critical services.
- Having a clear definition of responsibilities for implementing and managing the IMS.
- Establishing information security objectives at relevant functions and levels.
- Provisioning appropriate information, instruction and training so that all employees are aware of their responsibilities and legal duties and can support the implementation and management of the IMS.
- Implementing and maintaining a suite of supporting documents that provide detail on how the objectives of this policy are achieved, and guidance on how to achieve them.
- Ensuring that adherence to this policy is a condition of employment for all colleagues.
- Implementing measures to ensure all organisations working for and on behalf of the Group who access or process any of the Group’s data meet all applicable information security requirements.
- Ensuring that this policy is available to interested parties, and significant and relevant changes to the policy are communicated.
- Implementing measures to ensure all information security incidents are reported to the Information Management team.
- Handling violations of this policy in line with the company’s Disciplinary Policy.
Review
This policy will be reviewed by the board at least annually and when significant changes to the business impact the Information Security Management System.
For more information please contact informationsecurity@surpass.com.