Information Security Policy

Company: Tyrogen Limited (16884876)
Owner: Security / Technology Lead
Approved by: Governing Body (or delegated authority per Delegation of Authority)
Status: Draft (controlled policy)
Version: 0.2
Last updated: 2026-04-04
Next review: 2026-04-30

1) Purpose

This policy defines the information-security framework Tyrogen applies to protect the confidentiality, integrity, and availability of its information assets, systems, services, learner data, operational records, and confidential assessment materials.

Tyrogen’s arrangements ensure that information security is governed as a controlled compliance function rather than as informal technical practice. This policy therefore states the baseline security model for regulated and pre-regulated operations, while linked procedures, records, and registers evidence how the model operates in practice.

1.1 Policy role and ownership

This file is the canonical owner of Tyrogen’s security-control framework. It owns the policy position for:

• security principles and control objectives
• scope of in-scope systems, users, data, and suppliers
• baseline control requirements
• assessment-material protection expectations
• access-control expectations and recurring review requirements
• security evidence categories and record expectations
• linkage between security, continuity, incident response, supplier assurance, and regulatory scrutiny.

This file does not own the detailed operating workflow for adjacent control areas. Those are owned in their true source files:

• incident triage, containment, eradication, recovery, and closure workflow: Incident Response Playbook
• regulatory notification and Ofqual liaison workflow: Ofqual Regulator Liaison, Notifications & Undertakings
• governance-significant incident escalation and suitability/change triage: Governance Change, Suitability & Incident Management
• continuity and DR framework and testing expectations: Business Continuity and Disaster Recovery Policy
• Ofqual audit-access and evidence-production workflow: Ofqual Audit Access & Evidence Production
• live periodic access-review record: Access Review Register
• live supplier record and status tracking: Third-Party and Supplier Register.

Tyrogen’s security-governance model is therefore structured so that the policy owns the framework, linked procedures own the workflows, and live records own the operating evidence.

1.2 Ofqual and control alignment

This policy supports compliance with requirements and expectations including:

• A5 — adequate resources and arrangements
• A6 / A7 — risk identification, contingency, and incident management
• B3 / B4 — prompt notification, accurate records, and evidence readiness
• C1 — third-party control and supplier assurance where relevant
• G4 — confidentiality of assessment materials
• linked UK GDPR, records-management, and resilience controls.

2) Scope

This policy applies to:

• systems, applications, infrastructure, cloud services, endpoints, and data stores used by Tyrogen
• staff, directors, contractors, privileged users, and relevant third parties with access to Tyrogen systems or information
• information in electronic and physical form
• learner data, assessment records, controlled documents, financial and governance records, and confidential assessment materials
• security-relevant administration, monitoring, incident handling, recovery, and evidence retention activity.

The scope covers both Tyrogen’s current operating model and any future regulated awarding activity that becomes active through formal readiness and go-live approval routes. It also covers remote-first working arrangements and third-party-supported services where Tyrogen remains accountable for the security of regulated information and evidence.

3) Security principles

Tyrogen will manage information security in a way that is:

• Risk-based: controls are proportionate to sensitivity, impact, and credible threat
• Least-privilege: access is limited to what is needed for the role and current operating scope
• Auditable: material security activity is recorded, reviewable, and traceable
• Resilient: security supports continuity, backup, recovery, and learner protection
• Integrated: security controls connect to governance, supplier, incident, privacy, and evidence-production routes
• Regulator-ready: evidence can be produced accurately and securely when required.

These principles are intended to show that Tyrogen’s security baseline is not limited to technical hardening alone: it combines least-privilege access, auditable administration, resilience, and linkage to supplier and incident routes so that confidential assessment materials and learner data remain protected within the wider regulated operating model.

4) Governance and control model

4.1 Governance expectations

Tyrogen has a governed security-control model in which:

• the Security / Technology Lead owns the security framework and day-to-day control design
• the Responsible Officer is engaged where regulatory consequences, Ofqual notifications, or material evidence-production requirements arise
• the Governing Body retains oversight of material security risk, significant incidents, readiness dependencies, and major control changes
• relevant operational, assessment, compliance, finance, and DPO-function roles support control operation where the security issue overlaps their domains.

Material security risks, incidents, dependencies, or recurring weaknesses must be capable of escalation into Tyrogen’s wider governance, risk, and decision-record framework.

4.2 Control domains

Tyrogen’s control framework includes the following domains:

• access control and privileged-access management
• identity, authentication, and account lifecycle control
• secure configuration, patching, and vulnerability response
• logging, monitoring, and security-relevant evidence retention
• secure handling of confidential assessment materials
• supplier and third-party security assurance
• incident response and recovery linkage
• backup, resilience, and continuity dependencies
• secure evidence production for audit, investigation, and regulatory scrutiny.

5) Baseline control requirements

5.1 Minimum baseline controls

Tyrogen has the following minimum baseline control requirements:

• Access control: MFA for privileged access; named user access where possible; least privilege; prompt removal of unnecessary access.
• Joiners / movers / leavers: documented access provisioning, change, and removal arrangements appropriate to the role and system.
• Access reviews: recurring review of in-scope access on at least a quarterly basis, recorded in Access Review Register or an equivalent controlled record.
• Logging and auditability: security-relevant events, administrative actions, and material changes are logged or otherwise evidenced in a reviewable form.
• Vulnerability and change response: security updates, critical fixes, and material configuration weaknesses are tracked and addressed on a risk basis.
• Secure transmission and storage: proportionate controls are applied to protect sensitive information in transit and at rest.
• Supplier due diligence: relevant suppliers are assessed using proportionate security controls before enablement and through ongoing oversight where reliance continues.
• Incident readiness: suspected breaches, material weaknesses, or loss of confidentiality are escalated into the formal incident-response route without delay.

This baseline control set is intended to be the routine operating minimum for regulated activity: privileged access is protected through MFA and least privilege, access is provisioned and removed through a controlled lifecycle, reviews are carried out on a recurring basis, and logging, patching, and supplier assurance are retained as auditable evidence rather than informal practice.

5.2 Access control and recurring review

Tyrogen’s access-control model requires that access is:

• granted only where there is a defined business, compliance, or operational need
• limited to the lowest level consistent with the task to be performed
• attributable to a named accountable user wherever possible
• reviewed on a recurring basis and on trigger events such as joiner/mover/leaver changes, privilege changes, incidents, or material supplier changes
• removed, reduced, or corrected promptly where access is no longer justified.

The live access-review register in Access Review Register is the canonical operating record for recurring access certification. This policy owns the requirement to perform and retain those reviews; it does not own the live review entries themselves.

5.3 Secure administration and evidence retention

Tyrogen’s arrangements ensure that privileged administration, material configuration changes, and security-relevant remediation activity are capable of later review. Where automated logs are not the only evidential route, retained records may include change notes, incident records, access-review outcomes, DR records, supplier-assurance records, or governance records that demonstrate what changed, why, and under whose authority.

6) Assessment material and regulated-information security

Tyrogen applies enhanced protection to confidential assessment materials, item-bank content, assessment-supporting files, and other information that could affect qualification validity, fairness, learner outcomes, or public confidence if lost, disclosed, altered, or misused.

6.1 Minimum requirements

Minimum requirements include:

• confidentiality classification for draft and live assessment materials
• restricted access to assessment content and supporting assets
• separation of duties between authoring, review, approval, publication, and operational release where applicable
• auditable control over access, amendment, movement, and disposal
• secure handling of any exports, downloads, printing, or transmission where those routes are permitted
• immediate escalation into incident response where compromise or suspected compromise arises.

Confidential assessment materials are therefore subject to a tighter control posture than ordinary operational content: access is restricted, duties are separated across authoring and approval stages where applicable, changes are auditable, and any suspected compromise is pushed immediately into the incident-response route.

6.2 Relationship to operational source files

This policy sets the protection standard for confidential materials. It does not replace the more specific operating controls in qualification, assessment, item-bank, malpractice, or incident-management source files. Those linked files remain responsible for process-specific handling, investigation, and operational response.

7) Supplier and third-party security assurance

Where Tyrogen relies on third parties for hosting, payments, communications, identity, proctoring, storage, analytics, monitoring, support, or other material services, security assurance must be proportionate to risk and suitable for the role the supplier performs.

7.1 Minimum expectations

Tyrogen’s supplier-security expectations include, where proportionate:

• due diligence before enablement
• clear understanding of the service provided and the data or process affected
• documented security expectations in contract, onboarding, questionnaire, or equivalent control record
• review of material incidents, control failures, or supplier changes
• maintenance of the live supplier position in the relevant supplier register and supporting assurance records
• reassessment before a supplier is relied upon for materially different or more sensitive use.

Supplier assurance is therefore treated as an operating control rather than a procurement formality: Tyrogen expects proportionate due diligence before enablement, documented security expectations, ongoing awareness of material incidents or changes, and a retained supplier record showing why the service remains acceptable for regulated use.

7.2 Canonical record ownership

This policy owns the requirement for supplier-security assurance. The live supplier position, enabled-service status, and retained supplier records belong in Third-Party and Supplier Register and linked controlled artefacts such as Supplier Security Questionnaire and Data Processing Agreement Template where relevant.

8) Incident, continuity, and regulatory linkage

Security incidents, material weaknesses, or suspected loss of confidentiality must be handled through the linked control route rather than through informal local response.

8.1 Linked controlled documents

The principal linked documents are:

• Incident Response Playbook
• Business Continuity and Disaster Recovery Policy
• Ofqual Regulator Liaison, Notifications & Undertakings
• Governance Change, Suitability & Incident Management
• Ofqual Audit Access & Evidence Production
• Data Retention and Disposal Policy

8.2 Required linkage expectations

Tyrogen’s arrangements ensure that:

• suspected or confirmed security incidents are triaged and recorded promptly
• containment and recovery decisions can be linked to continuity and learner-protection considerations
• possible Adverse Effect and notification thresholds can be escalated to the Responsible Officer without delay
• evidential material is preserved in a form suitable for later investigation, governance review, or regulatory disclosure
• post-incident review can identify corrective and preventive actions.

This means that security events are not handled in isolation: the response route links detection, containment, evidence retention, continuity actions, and longer-term recovery so that Tyrogen can preserve both operational resilience and an auditable incident trail.

9) Records and evidence

Tyrogen retains or requires, as applicable, evidence showing that security controls are operating in practice.

9.1 Minimum evidence categories

Minimum records/evidence include:

• access review records
• incident records and post-incident reviews
• DR test records where relevant to security and resilience
• supplier due-diligence and supplier-assurance records
• evidence of significant access-control, remediation, or containment activity where appropriate
• governance or decision-log entries where a matter is materially escalated
• secure evidence-pack records where disclosure to Ofqual or another lawful recipient is required.

The retained record set is expected to show how security controls actually operate in practice, including recurring access reviews, supplier-assurance outputs, incident handling, DR evidence, and significant remediation actions where these are relevant to regulated delivery.

9.2 Evidence-production relationship

This policy requires security evidence to be retrievable, reviewable, and protectively handled. The secure production of evidence packs, redaction decisions, and transfer methods is owned by Ofqual Audit Access & Evidence Production.

10) Review, exceptions, and control maintenance

This policy is reviewed at least annually and earlier where material change arises, including:

• major system or supplier change
• material incident or recurring control weakness
• regulated go-live readiness change
• significant legal, regulatory, or governance change affecting security expectations.

Any material exception, compensating control, or temporary departure from this policy must be explicitly owned, time-bounded where appropriate, and capable of review through Tyrogen’s governance and risk routes.

11) Related documents

• Access Review Register
• Incident Response Playbook
• Business Continuity and Disaster Recovery Policy
• Data Retention and Disposal Policy
• Ofqual Audit Access & Evidence Production
• Ofqual Regulator Liaison, Notifications & Undertakings
• Governance Change, Suitability & Incident Management
• Supplier Security Questionnaire
• Data Processing Agreement Template
• Third-Party and Supplier Register

12) Change log