Information Security Policy
(Easy Read)


TMA’s Information Security Policy addresses UK and EU regulatory compliance for health technology, targeting a range of internal roles and external bodies.

It emphasizes information security in all operations, defines its scope including specific exclusions, and sets objectives for protecting information assets, risk management, regulatory adherence, and continual improvement in line with ISO 27001:2018 and NHS standards.


The collection, storage, and processing of data and information are at risk of theft, loss, and corruption, exacerbated by poor training and security breaches. The organization will regularly conduct risk assessments to identify and mitigate these risks through appropriate controls.

Security Policy

The organization’s management-approved information security policy is communicated to all staff and contractual parties, with annual reviews and updates conducted by the SIRO and SMT.

Organisation of Information Security

Management commits to ensuring the confidentiality, integrity, and availability of information, with the SIRO overseeing policy and regulatory alignment, and ISO 27000 standards targeted for implementation.

Human Resources Security

Security policies are communicated to all involved parties, with security responsibilities outlined in job descriptions and employment terms, and verification checks performed on new affiliations.

Asset Management

Organizational assets are to be protected, inventoried, and assigned an owner who is responsible for their maintenance and security.

Access Control

Access to information is strictly controlled based on business needs, with formal procedures for user registration and de-registration to maintain security.


Policies governing the use and lifecycle management of cryptographic keys are developed to protect information.

Physical and Environmental Security

Sensitive information facilities are housed in secure areas, with physical protections against unauthorized access and environmental threats.

Operations Security

Information processing facilities are operated securely, with detailed procedures and segregation of duties to mitigate risks of misuse.

Communications Security

Procedures ensure the secure transfer of information, protecting communication facilities and electronic messaging.

Systems Acquisition, Development, Maintenance

New and existing information systems are developed with defined security requirements and controls to address identified risks.

Supplier Relationships

Security requirements are established with suppliers, with regular monitoring and auditing of their service delivery.

Information Security Incident Management

Incidents and vulnerabilities are reported and corrected promptly, with formal procedures in place for incident reporting and escalation.

Business Continuity Management

Business continuity plans protect critical processes and ensure timely resumption in the event of information system failures or disasters, supported by impact analysis.


The organization commits to legal and regulatory compliance, with information systems designed and operated to meet these requirements and an internal audit of the ISMS conducted quarterly.