Information Security Policy
Last updated: 15 December 2025. Aligned with UK Cyber Essentials requirements.
Scope
This policy applies to all PAYCORE Group employees, contractors, consultants, and third parties who access Paycore systems, networks, or data. It covers all information assets including electronic data, physical records, IT systems, and communication networks.
1. Purpose and Objectives
This policy establishes the framework for protecting the confidentiality, integrity, and availability of all information assets. Our objectives include protecting personal data and sensitive business information, ensuring compliance with UK GDPR and the Data Protection Act 2018, maintaining the trust of clients and the EOR network, aligning with Cyber Essentials, and supporting security certifications.
2. Governance
Senior management has overall accountability; the Data Protection Officer advises on data protection; the IT Manager / Security Lead implements technical controls; all staff comply with the policy and complete mandatory training. The policy is reviewed at least annually.
3. Firewalls and Internet Gateways
- All internet-connected devices protected by a properly configured firewall.
- Default-deny inbound; only required services allowed.
- Administrative access restricted and strongly authenticated.
- Cloudflare for DDoS, WAF, and traffic filtering.
4. Secure Configuration
Default passwords changed before deployment; unnecessary accounts and software removed; auto-run disabled; screen lock after max 15 minutes inactivity; administrative accounts used only for admin tasks; hardened build standards.
5. Access Control
Least privilege; unique accounts per user; role-based access; quarterly access reviews; accounts unused for 90 days disabled; formal joiner/mover/leaver process.
6. Passwords and Authentication
Strong passwords (min 12 characters or 14+ character passphrase); MFA required on systems with personal data, financial systems, email, remote access, cloud and payroll platforms; no password reuse; account lockout after max 10 failed attempts; mandatory password manager for work credentials.
7. Patch Management
Critical/high patches within 14 days; other patches within 30 days; end-of-life software removed or isolated; automatic updates where practicable; licensed software only; quarterly software inventory.
8. Malware Protection
Anti-malware on all capable devices; auto-update and on-access scan; regular full scans; application whitelisting where feasible; email and web filtering.
9. Encryption
TLS 1.2+ in transit; AES-256 at rest; full disk encryption on laptops and portables; removable media encrypted if authorised; email encryption available for sensitive information.
10. Backup and Disaster Recovery
Daily automated backups; backups in a separate location; encrypted and access-restricted; restoration tested at least quarterly; business continuity and disaster recovery plan maintained and tested annually; RTO and RPO defined.
11. Physical Security
Restricted access to areas where personal data is processed; visitor control and escort; clean desk policy; confidential waste securely disposed; equipment wiped or destroyed before disposal.
12. Security Awareness Training
Mandatory training on join and at least annually; phishing, password security, data handling, incident reporting; simulated phishing exercises; completion recorded and non-completion escalated.
13. Incident Response
All staff report incidents immediately to IT Manager / Security Lead and DPO. Response process: Contain, Assess, Notify (ICO 72h where applicable, affected individuals, controllers), Remediate, Document, Review.
14–16. Third Parties, Remote Working, Acceptable Use
Third parties: security requirements in supplier contracts; due diligence on third parties; minimal access; monitoring and prompt revocation.
Remote working: remote access via approved VPN; company or compliant devices; BYOD only if meeting standards and registered; no local storage on personal devices.
Acceptable use: authorised purposes only; no credential sharing; lock screen when away; no unauthorised software or devices; report concerns. Violations may result in discipline up to termination.
17. Compliance and Audit
Internal audits at least annually; external audits as required; findings documented and remediated; compliance monitored by IT Manager / Security Lead and reported to senior management.
18. Certification and Standards
Paycore is committed to working exclusively with technology and service providers that hold recognised security certifications. Our HMRC recognised payroll platform provider holds the following certifications:
- Cyber Essentials certified
- GDPR compliant
- HMRC recognised for real time information submissions
- Cloud infrastructure hosted on AWS with enterprise grade security controls
- Cloudflare protected for web application security and DDoS mitigation
Paycore's own commitments:
- Full compliance with UK GDPR and the Data Protection Act 2018
- Registered with the Information Commissioner's Office (ICO registration number: [INSERT ICO NUMBER])
- Monthly AML and KYC compliance reviews conducted on every EOR provider in the network
- All staff trained in data protection and information security
- Policies aligned with the Cyber Essentials framework (this policy document reflects those controls)
- Commitment to pursuing formal Cyber Essentials certification as the organisation grows
Document Approval
Approved by: Compliance Department. Date: 15 December 2025. Next review: 15 December 2026. For enquiries: compliance@paycoregroup.co.uk.