Information Security Policy

Last updated: 26 April 2026

Allied ESM takes the security of information seriously. This policy summarises our approach to protecting the confidentiality, integrity, and availability of information assets — including client data, company data, and third-party data — entrusted to us in the course of our business.

This is a public-facing summary. Allied ESM also maintains detailed internal information security procedures and standards that govern day-to-day operations.

1. Our Commitment

Allied ESM is committed to maintaining appropriate information security controls across all aspects of our business. We recognise that as an ITSM consultancy handling client data, service configurations, and sensitive business information, robust information security is not optional — it is fundamental to the trust our clients place in us.

Our approach to information security is informed by internationally recognised standards and best-practice frameworks, including ISO/IEC 27001 and the UK Government-backed Cyber Essentials scheme.

2. Scope

This policy applies to:

  • All Allied ESM directors, employees, and contractors
  • All information assets owned by, processed by, or entrusted to Allied ESM — including client data, project data, financial records, and intellectual property
  • All systems and platforms used in the delivery of Allied ESM services, whether operated by Allied ESM directly or by third-party providers on our behalf

3. Data We Hold

In the course of delivering our services, Allied ESM may hold or process the following categories of information:

  • Client contact and account data — names, email addresses, phone numbers, and company details of client contacts
  • Project and service data — service desk configurations, workflow designs, CMDB data, and related implementation artefacts for client Halo ITSM environments
  • Commercially sensitive information — pricing, contract terms, and business information shared in confidence by clients or partners
  • Website enquiry data — contact form submissions and email enquiries from prospective clients (see our Privacy Policy for details)

We do not collect, process, or store payment card data. We do not handle special category personal data (as defined under UK GDPR) in the ordinary course of our business.

4. Access Controls

Allied ESM applies the principle of least privilege across all systems and data:

  • Access to client data and systems is restricted to individuals who require it to perform their role
  • All team members and contractors are issued individual accounts — shared credentials are not permitted
  • Multi-factor authentication (MFA) is required for access to all business-critical systems, including email, cloud platforms, and client environments
  • Access rights are reviewed when team members change role or leave the business, and are revoked promptly upon departure
  • Contractor access to client systems is scoped to the minimum required for the engagement and removed at project completion

5. Data Handling and Storage

Allied ESM takes care in how information is stored, transmitted, and disposed of:

  • Data in transit is protected using encryption (TLS 1.2 or higher) wherever technically feasible
  • Business data is stored in reputable cloud platforms with appropriate security certifications (such as ISO 27001 or SOC 2)
  • Storing sensitive client data on unmanaged personal devices or removable media is discouraged and avoided wherever possible
  • When data is no longer required, it is securely deleted or disposed of in accordance with our data retention standards and our Privacy Policy

6. Incident Management

Allied ESM maintains a process for identifying, reporting, and responding to information security incidents:

  • All team members are trained to recognise and report potential security incidents promptly
  • Security incidents are assessed for severity and escalated to a director immediately
  • Where an incident involves personal data and meets the threshold for notification under the UK GDPR, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and affected individuals without undue delay
  • Affected clients will be notified promptly where an incident involves their data

To report a suspected security issue involving Allied ESM systems or data, please contact us immediately at info@alliedesm.com.

7. Third-Party Providers

Allied ESM uses a small number of trusted third-party platforms in the delivery of our services and operation of our business. We assess the security posture of these providers before use and prefer providers that hold recognised security certifications.

We require third-party providers who process data on our behalf to do so only under our instruction and in accordance with applicable data protection law. Where required, we put appropriate contractual arrangements in place (such as Data Processing Agreements) to formalise these obligations.

8. Business Continuity

Allied ESM takes reasonable steps to ensure the continuity of our services in the event of a disruptive incident. Our use of cloud-based platforms with built-in redundancy, combined with documented recovery procedures, supports our ability to respond to and recover from disruptions with minimal impact on clients.

9. Compliance and Review

This policy is reviewed at least annually by Allied ESM's directors, or sooner following a significant security incident, a material change to the business, or changes in applicable law or regulation.

Allied ESM complies with applicable information security and data protection legislation, including the UK GDPR, the Data Protection Act 2018, and the Network and Information Systems (NIS) Regulations where applicable.

10. Contact Us

If you have questions about our information security practices, wish to report a security concern, or need to discuss our security posture as part of a due diligence process, please contact us:

  • Email: info@alliedesm.com
  • Post: Allied ESM Ltd, 3rd Floor, 86–90 Paul Street, London, EC2A 4NE, United Kingdom