Information Security Policy

Aims

• Maintain confidentiality, integrity, and availability of all information that Arup processes. 
• Ensure our people understand, adopt and maintain positive information security behaviours in response to information security threats. 
• Keep pace with the increasing and evolving risk of cyber threats. 
• Prevent attacks where practicable and aim to detect and respond rapidly to minimise impact wherever not. 

We will

• Establish appropriate accountability and responsibility for information security and risk within the firm.
• Incorporate information security into relevant Arup processes and establish new processes where required to identify risks and then mitigate those risks to an acceptable level through the implementation of suitable control measures
• Implement appropriate administrative, technical, and detective security controls, as dictated by the outcome of threat and risk assessments. 
• Ensure our information security practices align with the principles of ISO 27001:2022 and other relevant industry standards and control frameworks. 
• Provide appropriate training and support to see that all personnel are aware of the obligations set out in this policy and follow the firm’s information security requirements when identifying and dealing with potential threats. 
• Maintain access to information within the firm, where required, according to commercial, personal, financial, or other sensitivity needs. 
• Implement business and technology controls so that the firm continues to operate effectively in the case of a cyber incident or incident security breech. 
• Conduct due diligence on 3rd parties processing sensitive Arup data. 

Governance

This policy is set by the Group Board and implemented across all Arup operations through rules, procedures, training and guidance. It is reviewed and approved annually, or more frequently if appropriate.