Imperial’s Information Security and Privacy Office resides within its Group Risk structure. The Imperial Privacy Office was established to address global ICT legislative and regulatory compliance in all of the locations in which Imperial operates, and relationships are maintained with ICT regulatory experts to account for all relevant legislation and regulations in our planning and control implementation.

Management direction is provided through information security and privacy policies, signed off by the Chief Financial Officer, representing the Board. These policies inform a centre-led Minimum Information Security Standard which is adopted within each of Imperial’s operating companies. This standard has been intentionally aligned to the Deming cycle as advocated within ISO 27001.

At the operational level, Imperial manages security matters through the Digital and IT Risk Committee which meets on a monthly basis and is chaired by the Group Risk Executive. Members of the Digital and IT Risk Committee have long-standing information security experience and IT qualifications.

The Audit and Risk Committee, a sub-committee of the Board, meets quarterly and provides oversight on matters including data privacy and cyber security. The committee comprises exclusively non-executive board members, with select management representatives of the company attending as invitees, including the Executive Vice President: Digital & IT as chair of the Digital and IT Risk Committee.

In line with our Imperial Minimum Information Security Standard, Imperial annually assesses its capabilities against the explicit requirements of ICT legislation, as well as ISO27002 and the BS10012 Data Governance Standard to assess maturity against best practice.

To ensure effective implementation of the standard, Information Security Representatives at operating company level are regularly trained, and ongoing awareness campaigns are provided to the general employee base.