Date post: 11-Jun-2020
Page 1: Unit4 Information Security Management Policy (info.unit4.com/.../UKI...Information-Security-Management-Policy-Man…)

Unit4’s Commitment and Policy

Unit4 is a company which is committed to preserving the security of its information assets. We have identified the information assets of the company, our customers and business partners which we need to proactively take action to protect. We promote information security best practices and encourage vigilance over possible threats from any source. To help us achieve our aim, we have created an information security management system which satisfies the requirements of BS EN ISO 27001 and have sought assessment and formal registration to the Standard.

We have agreed our Information Security Objectives.

We have a clear Information Security Policy.

We insist that we are security-focused throughout the organisation.

We have identified and evaluated our Information Security risks.

We comply with relevant Legal and Regulatory requirements.

We have defined everyone’s Roles, Responsibilities & Authorities.

We have appointed a Standards Compliance Director and a Head of Compliance and Security.

We recognise that effective Internal & External Communications are paramount.

Because...... “Information Security is the Foundation of our Business”

Scope of the Information Security Management System

The Scope of our Information Security Management System is defined as -

“The Design, Development, Provision and Support of Unit4 Software Products and Associated Consultancy, Technical and Managed IT Services. Statement of Applicability v5.”

Our Information Security Policy

It is our Policy to ensure that:

Information will be protected against unauthorised access and disclosure.

Confidentiality of information will be maintained.

Integrity of information is protected from unauthorised modification.

Regulatory and legislative requirements will be met.

Business continuity plans will be maintained and tested (as far as practicable).

All suspected breaches of information security will be reported and investigated.

Adequate prevention and detection of viruses and other malicious software will be ensured.

Appropriate training will be provided for all employees.

We are also committed to:

Assuring customers of full confidentiality.

Identifying, through appropriate risk assessment, the value of information assets and understanding the vulnerabilities and threats that may expose them to risk.

Managing such risks appropriately.

Complying with contractual requirements, procedures & practices and ISO27001.

Complying with applicable Legislation, as referenced in our Legal Register.

We will set, monitor, achieve and review measurable objectives for the maintenance and improvement of our Information Security Management System. The ultimate forum for this will be the Management Review.

Approved by Managing Director UK&I. Date: 27/09/2017

Unit4 Information Security Management Policy: “To promote information security best practices and encourage vigilance over possible threats from any source under the guidelines of ISO 27001 as Information Security is the Foundation of our Business”

Version 4.08 09/17

Page 2

Information Security Responsibilities

Unit4 communicates this policy and the obligations/responsibilities required by the Information Security Management System to all our employees on their induction into the organisation. We have displayed this Policy on internal noticeboards and have developed an area on our intranet dedicated to our Information Security Management System.

The responsibility for the upkeep of the Information Security Management System lies with:

Finance Director – Paul Cross: ultimate responsibility for strategic direction, objectives and goals.

Head of Compliance and Security – Joanne Higginson: responsibility for ensuring the requirements of the standard are implemented and maintained, and for reporting on its performance. Supported by the Standards Compliance Team, made up of Kirsty Dalby.

To reinforce our commitment we have nominated Information Champions across our organisation. These individuals continually assess the activities within their teams to identify improvements and, wherever possible, to reduce any possible threat to the security of data.

Information Security Champions

Customer Support: Suzanne Pharoah
Inside Sales: Neil Georgeson
Sales: Sohail Bokhari
Technical Support: Stewart Phillips
Consultancy: Suzanne Holder
Marketing: Elise Toulman
Customisation UBW: Helen Mcloughlin
Project Management: Suzanne Holder
Development: David Evans
Facilities: Team Leader / Coordinator
Finance: Angela Parson
Legal: Anne Asher
HR: Kirsty Graham
Pre Sales: Nick Dawson
Sales Admin: Valerie Collins

Staff Responsibility All staff are responsible for considering how their actions can affect information security and they are encouraged to take an active role in the information security management system. In practice this means all staff:

Ensuring that any sensitive information that they are required to handle is treated appropriately.

In line with internal Policies, all confidential or sensitive information should be locked away in the appropriate project folder when it is not in use, particularly outside office hours.

Ensuring that, where practical, sensitive electronic documents are password protected.

When it is necessary to send confidential or sensitive information to a customer, supplier or other third party, that this is completed in a secure manner.

If emailing electronic files, ensure those files are password protected with the password being passed on to the recipient separately.

If files are to be copied to a mobile device, ensure they are password protected with the password being passed on to the recipient separately.

If sensitive information is being delivered by post, the package should be marked “Private and Confidential” and a signature should be required upon receipt.

Ensure once information is no longer required it is disposed of in a secure manner.

If it is necessary to archive sensitive information ensure it is clearly labelled as confidential and appropriately archived.

Unit4 Information Security Management Objectives & Targets

In order for us as a company and our staff to identify and monitor whether we are successfully meeting our Information Security Management Policy, we have set Information Security Objectives and Targets across our organisation. This allows our performance to be regularly monitored and measured for success. Our Information Security Objectives and Targets are shown below:

To analyse and report on the performance of the control measurements

Review Third Party Quarterly to Ensure Effectiveness in 2017

To maintain certification to ISO 27001 for Information Security Management at all sites through 2017

Complete bi-annual security reports

To ensure a security incident will not result in a loss of custom

Begin investigation into security incidents within 1 business day during 2017

Complete third party authorisation process for all new third parties

Ensuring awareness of Information Security goals and systems for new starters

Ensuring ongoing Information Security awareness training is available and monitored

To have no significant security breaches during 2017

How do we achieve this?

Page 3

Information Security Operational Control

The steps below were taken to introduce and control the Information Security Management System. Unit4 has considered the security requirements of our stakeholders and has implemented security controls to meet the expectations of the market.

The steps of the control cycle, with the Legal Register and the Procedures & Records feeding into it:

Identify Information Security Assets and Risks; prepare compliance Control Manual

Establish POLICY, OBJECTIVES, and LEGAL & REGULATORY REQUIREMENTS

Complete STATEMENT OF APPLICABILITY, ASSET REGISTER, STAFF HANDBOOK, BUSINESS CONTINUITY PLAN

Monitor and Measure performance

Review Performance, re-evaluate Risks & Set New Improvement targets

ISO 9001 (Quality Management) and ISO 27001 (Information Security Management)

Our Information Security Management System has been designed to fully integrate with our Quality Management System, which is based on the requirements of ISO 9001. As such, all our procedures for Information Security Management are held within our Quality Management System, all of which are stored centrally under: http://44mossagruk/quality/Business%20Procedures/Forms/AllItems.aspx

In addition we have created an area on our intranet site which is dedicated to the Information Security Management System: http://44mossagruk/quality/IS/default.aspx

This area is available to all staff and holds all our Information Security records and information.

Compliance with Legislation

To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements, Unit4 carries out a review of compliance with legislation annually. We have defined all relevant statutory, regulatory and contractual requirements, and our approach to meeting them, within our Register of Information Security Legislation, which can be found here: http://44mossagruk/quality/IS/Shared Documents/6. IS Legal Register/Register of Information Security Legislation.docx

We ensure compliance on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. Records are protected from loss, destruction and falsification, and data protection and privacy is ensured and supported by the Unit4 Data Protection Policy, which can be found via the link below: http://www.unit4.com/about/ethics

Managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards, which in turn helps us to comply with legislative requirements. Changes in legislation requirements will be reflected in the Register of Information Security Legislation.

Page 4

Cross reference between our Information Security Management System and ISO 27001

Information Security Management Requirements (ISO 27001 clauses):

4. Context of the Organisation
    4.1 Understanding the Organisation and its context
    4.2 Understanding the needs and expectations of interested parties
    4.3 Determining the scope of the information security management system
    4.4 Information security management system

5. Leadership
    5.1 Leadership and commitment
    5.2 Policy
    5.3 Organisational roles, responsibilities and authorities

6. Planning
    6.1 Actions to address risk and opportunities
    6.2 Information security objectives and planning to achieve them

7. Support
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
    7.5 Documented Information

8. Operation
    8.1 Operational Planning and control
    8.2 Information security risk assessment
    8.3 Information security risk treatment

9. Performance Evaluation
    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal Audit
    9.3 Management Review

10. Improvement
    10.1 Nonconformity and corrective action
    10.2 Continual Improvement

ISMS documents and records cross-referenced against clauses 4.1 to 10.2 (the matrix cells marking which document satisfies which clause are not recoverable from the extracted text):

ISMS Policy Manual
Statement of Applicability
Asset Register & Risk Assessment
Business Continuity Plan
IS Handbook
Legal Register
Internal Training/Training Records
Recruitment process
Induction Process
Internal Audit Process
Management Review Process/Monthly reporting
Incident Reporting
Improvement Notice Procedure
Quality Work Procedure
Authorised Supplier Procedure
Standards Communication Procedure
IS Operational Control Procedure
External Document Control Procedure
IS/BCM Control of Records Procedure
Statistics procedure
Measurement of control effectiveness

