boundlesstelecom
Boundless 2.0
All legal & governance documentsLegal · governance

Information Security Policy

The top-level information security policy required by ISO 27001 - owned by the board, mandatory for everyone, and the parent of every subordinate security control.

Version
v1.0
Effective
22 April 2026
Last reviewed
22 April 2026
Jurisdiction
United Kingdom
Owner
CISO
Review cycle
Annual, plus on material change
ISO/IEC 27001:2022 A.5.1

1. Principles#

  • Security is a property of how we build and operate, not a department.
  • Encryption is a first principle, not a feature.
  • Every regulator-relevant event is signed and replayable.
  • Least privilege everywhere, by default, with audit on access.
  • Customer data is processed only for the purpose collected.

2. Scope#

All Boundless information assets, all staff and contractors, all systems and suppliers handling Boundless data.

Named owners, written charters, scheduled reviews, board oversight.

3. Control framework#

ISO/IEC 27001:2022 + Annex A controls + NCSC CAF v3.2, implemented as the 26-layer Abel control surface - see /security.

4. Ownership & review#

CISO is the executive owner. Reviewed annually by the Security & Resilience Committee, approved by the board.

5. Subordinate documents#

  • Acceptable Use Policy
  • Incident Response Plan
  • Business Continuity & DR Policy
  • Vulnerability Disclosure Policy
  • Cryptographic Standards (internal)
  • Access Control Standard (internal)

Version history

VersionDateChange
v1.022 April 2026Initial publication.

This document is published by Boundless Telecom Ltd and forms part of our public legal posture. It is a living document - we update it as the regulatory environment, our supply chain or our products change. If anything here is unclear or you'd like a counter-signed copy, contact legal@boundless.tel and we'll respond within one working day.