Policies
Published organisational policies · reviewed annually or on material change · last index update 27 May 2026
This is the canonical list of Glassbreak's organisational policies. Each policy is owned, dated, versioned, and reviewed at least annually. We publish them so that auditors, customers, and prospective workforce members can verify our written commitments without needing to ask.
Security & risk
- Information Security Policy — the top-level policy that governs how Glassbreak protects the confidentiality, integrity, and availability of information assets.
- Incident Response Policy — how Glassbreak detects, classifies, contains, and learns from security incidents and operational outages.
- Business Continuity & Disaster Recovery Plan — recovery objectives, continuity strategy, activation criteria, and tested-recovery cadence.
People
- Onboarding Policy — what happens before, on, and after a new workforce member's first day, with security and compliance check-points.
- Offboarding Policy — access revocation, asset return, knowledge transfer, and obligations that survive termination.
- Sanctions & Disciplinary Policy — how violations of these policies are investigated and what sanctions may be applied.
ISO 27001 documents
The controlled documents that constitute the Information Security Management System against ISO/IEC 27001:2022. They are published in advance of any formal certification work so that buyers and auditors can read the substance rather than wait for a certificate. The live position on the certification question is at /trust/iso-27001.
- ISMS Scope — the Clause 4 scope document: organisational context, interested parties, boundaries of the ISMS, and interfaces with external services.
- Statement of Applicability — every Annex A control across the four themes (organisational, people, physical, technological) with applicability decision and implementation reference.
- Risk Treatment Plan — the Clause 6.1.3 plan: methodology, treatment options, and the current risk register with owners and target dates.
ISMS programme documents
Supporting procedures and assessments that operationalise the ISMS across the development lifecycle, the supply chain, the audit surface, fraud-risk consideration, and the public-sector readiness question.
- Secure Development Lifecycle — phases (plan, design, implement, review, test, release, operate, retire) with the security activities required at each.
- Supply Chain Risk Management Plan — sub-processor lifecycle, software-supply-chain hygiene, CI/CD supply chain, and the criteria for replacing a sub-processor.
- Audit-log Retention & Protection Policy — categories of audit data with retention, storage, integrity protection, disposal, and customer-export detail per category.
- Fraud Risk Assessment — annual assessment across insider misuse, social engineering, sub-processor compromise, financial fraud, and related categories.
- FedRAMP SSP Summary — public-safe summary of what a future FedRAMP System Security Plan would contain. Not the SSP itself; the live position is at /trust/fedramp.
Operational procedures
Procedures that operationalise the policies above. Each is owned by the Security Officer, versioned, and reviewed at least annually on the same cadence as the policies it supports.
- Clear Desk & Clear Screen Procedure — locking on step-away, paper handling, whiteboards, removable media, visitor presence, and the end-of-day routine.
- Remote Working Procedure — network choice, home-office baseline, household-member separation, travel precautions, lost-device reporting, and device hygiene.
- Endpoint Decommissioning Procedure — wipe and destruction procedures for workstations, mobile devices, hardware keys, and removable media, with attestation of wipe and certificate of destruction.
- Off-site Assets Procedure — tracking, loss reporting, return on completion, and retrieval for assets temporarily held outside Glassbreak premises.
- Internal Incident Reporting Procedure — the internal channel for workforce to raise a suspected security or compliance concern, with a defined escalation path and a no-retaliation guarantee.
- Threat Intelligence Procedure — defined sources, cadence of review, criteria for raising an internal incident, and where findings are recorded.
- Supplier Assessment Procedure — intake checklist for new sub-processors, annual re-assessment, decision authority, and records.
Cadences
Each cadence below is a controlled procedure with a defined owner, schedule, artefact template, and record-retention requirement. Together they evidence that the policies above are not just published but operated, and they produce the signed artefacts that an auditor can sample.
- Quarterly Access Review — every grant in the access register reviewed against current role, with documented interim-review triggers.
- Monthly Vulnerability Review — Dependabot, npm audit, sub-processor advisories, and internal-audit residuals reviewed each month with signed minutes.
- Annual Technical Evaluation — control-by-control re-test of the Information Security Policy with year-over-year comparison.
- Quarterly ISMS Management Review — ISO 27001 Clause 9.3 / SOC 2 monitoring review on a standing agenda, signed by the Security Officer and at least one leadership attendee.
- Annual Board-level ISMS Review — board oversight of risk acceptance, policy approval, and resource allocation.
- Internal Audit Programme — rolling schedule under which every policy and control family is internally audited at least once per certification cycle.
- Quarterly Capacity Planning — traffic trend, error-budget burn, and sub-processor quota utilisation reviewed each quarter with committed remediation.
- Daily-snapshot Remediation SLAs — time-bounded SLAs from daily-snapshot failure or audit finding to closure, with escalation path.
Related artefacts
- Data Processing Agreement — the Article 28 instrument between Glassbreak and customer controllers.
- Sub-processors — current list of approved sub-processors.
- Trust page — live attestations refreshed daily from automated probes.
- Coordinated Disclosure Policy — how to report a security issue to us.
- DPIA vendor response — pre-filled response aligned to the ICO and EDPB DPIA templates.
How these policies are maintained
- Owner — the Glassbreak Security Officer is the accountable owner for every policy on this page.
- Approval — each policy is approved by Glassbreak's leadership before publication and after each material revision.
- Review cadence — annual at minimum; sooner if triggered by a material change to the platform, the regulatory environment, a customer commitment, or an incident.
- Version control — policies live in this repository under web/src/app/(landing)/policies/ and follow the same pull-request review process as code. Every change is auditable.
- Acknowledgement — every workforce member is required to read and acknowledge each policy on joining and again on any material revision.
If you need a counter-signed PDF copy of any policy for your procurement or audit files, email compliance@glassbreak.io with the policy title and your organisation name. Returned within 1 business day.