Document Version: 1.0
Date: February 11, 2026
Related: Information Security Policy
This document tracks improvements to information security that are not yet fully implemented. The Information Security Policy is written to reflect current intent and working practices; items here are deferred or in progress so we can close the gap over time.
| Status | Item |
|---|---|
| Pending | Achieve Cyber Essentials certification (or formally adopt as target). Policy currently states we use the scheme as a guideline and are working towards alignment. |
| Pending | Confirm and document alignment with all five technical controls: firewalls, secure configuration, user access control, malware protection, security update management. |
| Status | Item |
|---|---|
| Pending | Establish and document a regular review schedule for this policy (e.g. at least annually). |
| Pending | Establish risk identification and risk review cadence (Section 4). |
| Pending | Formalise malware update, backup/recovery test, and vulnerability management cadences (Section 10). |
| Pending | Establish supplier compliance review cadence (Section 14). |
| Status | Item |
|---|---|
| Removed | Formal security awareness training is not currently required; the team are technical founders with relevant background. Revisit if the team grows to include non-technical roles or if a client/audit requires documented training. |
| Status | Item |
|---|---|
| — | Add further items as gaps are identified (e.g. after incident reviews, audits, or client questionnaires). |
- Status: Use Pending, In progress, Done, or Removed (for things we explicitly decided not to do).
- When something is completed: Update the main Information Security Policy to reflect it, then mark the row here as Done (and optionally add a short note or date).
- When adding items: Prefer one row per concrete action or outcome so progress is easy to track.