BusinessExpert (UK) Limited (“BusinessExpert”, “we”, “us”) is committed to protecting the confidentiality, integrity, and availability of all information assets under our control. This policy sets out the principles and controls we apply to manage information security risks across our business.
1. Scope
This policy applies to all information assets owned or managed by BusinessExpert, including our website infrastructure, content management systems, editorial data, user data, and any third-party services we use to operate businessexpert.co.uk. It applies to all employees, contractors, and service providers who access our systems.
2. Data Classification and Handling
We classify information by sensitivity and apply proportionate controls:
- Public — content published on businessexpert.co.uk; no access restrictions.
- Internal — operational and editorial data used to run the site; accessible only to authorised staff.
- Confidential — personal data, credentials, and financial records; restricted to named individuals on a need-to-know basis and handled in accordance with our GDPR & Privacy Policy.
3. Access Control
Access to systems and data is granted on the principle of least privilege. We enforce the following controls:
- Unique accounts for each individual; no shared credentials.
- Strong, unique passwords required for all system access; password managers are encouraged.
- Multi-factor authentication (MFA) required for all administrative accounts and cloud services.
- Access is reviewed and revoked promptly when an individual leaves the organisation or changes role.
4. Network and System Security
Our website and supporting infrastructure are protected by the following measures:
- All data in transit is encrypted using TLS 1.2 or above (HTTPS).
- Hosting is managed through enterprise-grade infrastructure with ISO 27001-aligned controls.
- Software dependencies and content management systems are kept up to date; security patches are applied promptly.
- Unused services and plugins are disabled or removed.
- Automated vulnerability scanning and uptime monitoring are in place.
5. Third-Party and Supplier Security
We assess the security posture of suppliers and service providers who handle data on our behalf before engagement. Contracts with data processors include appropriate data protection terms in line with UK GDPR requirements.
6. Incident Response
We maintain an incident response procedure to identify, contain, and remediate security incidents. In the event of a personal data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours where required by law, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
7. Business Continuity
Critical systems and data are backed up regularly. Recovery procedures are documented and tested periodically to minimise disruption in the event of a system failure or security incident.
8. Staff Awareness and Training
All staff with access to our systems receive induction guidance on information security responsibilities. Security awareness is maintained through regular internal communications on emerging threats and best practices.
9. Compliance
This policy is designed to support compliance with:
- UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
- The Computer Misuse Act 1990
- ISO/IEC 27001 principles (where applicable)
10. Policy Review
This policy is reviewed annually or following a significant change to our systems, operations, or applicable law. The most recent version is published on this page.
If you have questions about our information security practices, please contact us.
Last reviewed: May 2026. BusinessExpert (UK) Limited, Company No. 09048387.