Information Security & Acceptable Use Policy
1. Document Goal
The Tempo Information Security Management System (ISMS) — including this policy and its supporting procedures and controls — is developed and maintained in alignment with ISO/IEC 27001:2022 and relevant industry best practices.
This document serves as the central ISMS Policy for Tempo. It outlines the objectives, scope, roles, and guiding principles for protecting Tempo’s information assets, ensuring confidentiality, integrity, and availability, and supporting the delivery of secure and compliant audit and advisory services.
It includes specific policies such as Acceptable Use, Access Control, Risk Management, Incident Handling, and Secure Remote Working. These policies govern how employees, contractors, and third parties handle information and IT assets under Tempo’s control.
The ISMS applies to all information systems, personnel, and business processes used to deliver Tempo’s services — whether on company-managed platforms or approved personal (BYOD) devices — and across all remote or client environments.
Effective information security is a shared responsibility. Every Tempo employee, contractor, and affiliate must understand and follow the requirements in this policy and its supporting documents.
Tempo has designated a senior-level official — the Data Protection Officer (DPO), Monique Duarte — to oversee the ISMS and ensure its alignment with legal, contractual, and operational needs. The DPO’s role includes promoting a security-conscious culture based on openness, integrity, and continual improvement.
Tempo’s senior management is fully committed to supporting the implementation and ongoing enhancement of the ISMS. This includes allocating appropriate financial, technical, and human resources, aligning ISMS objectives with business strategy, and engaging actively in performance reviews and risk management efforts.
1.1 Scope of the document
This document applies to all Employees, consultants, contractors and other third-parties who use Tempo information and IT assets (hereafter referred to as IT Users).
1.2 Audience and roles
The CEO is responsible for approving the Policy, ensuring appropriate resources are allocated to implement, maintain and improve the ISMS, and providing oversight to confirm that information security objectives are aligned with Tempo’s strategic priorities.
The DPO is responsible for creating, reviewing, and updating the Policy at least annually or as needed in response to changes in the threat landscape, business structure, or applicable regulations.
The DPO reports directly to Tempo’s senior management to ensure executive visibility and support for all ISMS-related responsibilities.
Implementation responsibilities are defined in each segment respectively.
All employees are responsible for reading, acknowledging and practising the requirements in this Policy segment.
1.3 System Owners
System owners are responsible for a specific system used to support Tempo’s business goals. They ensure that the system functions properly and is used for its intended business purpose, and that access to the system is strictly regulated, reviewed, and granted based on least-privilege and need-to-know principles.
The system owner role is assigned by the DPO to the individual most familiar with the system in question and who has the relevant experience and training to manage it.
Privileged access is limited to designated roles.
1.4 Definitions, terms and abbreviations
“Business Sensitive Information” means Tempo information classified as “Internal” or “Confidential”. It includes anything that poses a risk to the company if discovered by a competitor or the general public. Such information includes trade secrets, acquisition plans, financial data, and supplier and customer information, among other possibilities. For the purpose of this document, Sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI) are also included.
“IT User” refers to any person authorised to access the IT tools and resources of Tempo (and those of its entities) and to make use of them: Employees (staff), contractors, temporary personnel, service provider personnel, etc.
“IT Asset” refers to any information, system or hardware that is used in the course of business activities. It can be a device such as a notebook, smartphone, network equipment or conferencing equipment, or an information system such as an information or communication technology used by Tempo or an authorised third party to provide a service (e.g. the AWS cloud hosting platform, third-party applications, internally developed systems). This refers to company-owned assets, acquired third-party assets, and personal assets that are subject to the BYOD policy in this document.
1.5 Scope of the Information Security Management System (ISMS)
Tempo’s Information Security Management System (ISMS) is established in alignment with ISO/IEC 27001 and considers internal and external factors that influence the achievement of its information security objectives.
Internal Issues include:
Organizational structure, roles, and responsibilities.
Operational processes and services offered (e.g., audits, compliance reviews).
Technology infrastructure and reliance on cloud platforms (e.g., Google Workspace, Zoom).
Staff competencies and security culture.
External Issues include:
Regulatory obligations (e.g., UK Data Protection Act, GDPR).
United Kingdom Accreditation Service (UKAS)
Client expectations and contractual obligations.
Risks from third-party service providers and subcontractors.
Evolving threat landscape and industry trends.
Interested Parties and their relevant expectations:
Employees and contractors – secure systems and data protection for effective work.
Shareholders – protection of business continuity, company reputation, and strategic assets.
Clients – confidentiality, integrity, and availability of engagement data.
Regulators – compliance with data protection and security laws.
Suppliers and third parties – clear requirements for secure collaboration.
Scope of the ISMS:
This ISMS applies to all information systems, processes, people, and technologies used by Tempo to deliver its audit and compliance services. It includes both company-owned assets and approved personal (BYOD) devices used for business purposes. The ISMS applies across all locations and remote work environments.
The scope is reviewed annually or upon significant organizational change to ensure continued relevance and adequacy.
2. General Information Security Policy
Protect Tempo’s informational and IT assets (including but not limited to all computers, mobile devices, networking equipment, software and sensitive data) against all internal, external, deliberate or accidental threats and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems;
Ensure information will be protected against any unauthorised access. Users shall only have access to resources that they have been specifically authorised to access. The allocation of privileges shall be strictly controlled and reviewed regularly.
Protect CONFIDENTIALITY of information. When we talk about confidentiality of information, we are talking about protecting the information from disclosure to unauthorised parties;
Ensure INTEGRITY of information. Integrity of information refers to protecting information from being modified by unauthorised parties;
Maintain AVAILABILITY of information for business processes. Availability of information refers to ensuring that authorised parties can access the information when needed.
Comply with and, wherever possible, exceed, national legislative and regulatory requirements, standards and best practices;
Develop, maintain and test business continuity plans to ensure we stay on course despite all obstacles that we may come across. It is about “keeping calm and carrying on!”;
Raise awareness of information security by making information security training available for all Employees. Security awareness and targeted training shall be conducted consistently, security responsibilities shall be reflected in job descriptions, and compliance with security requirements shall be expected and accepted as a part of our culture;
Ensure that no action will be taken against any employee who discloses an information security concern through reporting or in direct contact with the DPO, unless such disclosure indicates, beyond any reasonable doubt, an illegal act, gross negligence, or a repeated deliberate or wilful disregard for regulations or procedures;
Report all actual or suspected information security breaches to dpo@tempoaudits.com.
2.1 Enforcement, Exceptions and Complaints
The DPO is responsible for reviewing the effectiveness of information security policy implementation across the organisation. This includes monitoring compliance, reviewing incidents and user behaviour, and evaluating how well the policy is being followed in practice. Results of these reviews inform compliance actions, training needs, and policy updates, and support the continual improvement of the ISMS. Findings are discussed with senior management during formal Management Review meetings to ensure accountability and alignment with information security objectives.
Non-conformance to policy and standard statements in this Policy could result in disciplinary action including, but not limited to, informal or formal warnings, up to termination of contract. Any exceptions to what is governed will require written authorisation by email from the Information Security Management Leader. Exceptions granted will be issued a policy waiver for a defined period of time.
All target users of this Policy can submit complaints about its contents to the Information Security Management Leader at any point. All complaints will be filed and processed accordingly, and the Information Security Management Leader will respond within 14 days of initial submission. Requests for exceptions to this policy, as well as complaint submissions, will be addressed to Tempo’s Data Protection Officer, Monique Duarte, at dpo@tempoaudits.com.
2.2 Information Security Objectives
Tempo has established the following SMART (Specific, Measurable, Achievable, Relevant, Time-bound) objectives in accordance with ISO/IEC 27001:2022 clause 6.2. These objectives support effective implementation and continual improvement of the ISMS. For each objective, a plan is in place to define what will be done, who is responsible, the resources required, timeframe, and how results will be evaluated.
Objective 1: Achieve ISO/IEC 27001:2022 certification by Q4 2026
What will be done: Conduct a gap analysis, define scope, implement required controls, complete internal audit and management review, and undergo third-party audit.
Responsible: Data Protection Officer (DPO);
Resources required: Executive oversight, staff time, external ISO consultant (if engaged), internal tools for documentation and training;
Timeframe: Target certification by Q4 2026;
Evaluation: Progress will be tracked by milestones such as gap analysis completion, policy development, internal audit, and management review;
Objective 2: Ensure 100% of employees and subcontractors complete information security training within 30 days of onboarding, and annually thereafter
What will be done: Provide mandatory training and ensure timely completion through monitoring
Responsible: DPO (in coordination with Operations)
Resources required: Learning platform, training content, staff and subcontractor time;
Timeframe: Onboarding within 30 days; annual refreshers; reviewed quarterly
Evaluation: Compliance monitored via training records, with quarterly reporting by the DPO
Objective 3: Conduct quarterly access reviews for all systems handling Business Sensitive Information, including accounts used by subcontractors
What will be done: Review user access to systems quarterly and report exceptions;
Responsible: System Owners (appointed by the DPO), overseen by the DPO
Resources required: System access logs, user account data, tracking template;
Timeframe: End of each calendar quarter
Evaluation: System owners report completion to the DPO, who documents outcomes;
Objective 4: Ensure all company-managed laptops and devices receive operating system and security updates within 14 days of release
What will be done: Configure automatic updates and manually check compliance;
Responsible: DPO
Resources required: Device inventory, update tracking, employee awareness;
Timeframe: Ongoing; reviewed monthly
Evaluation: Monitored through device management tools and manual checks if needed; reviewed monthly
Objective 5: Establish and implement a complete set of documented policies and procedures governing secure remote working by all subcontractors by Q3 2025
What will be done: Develop, approve, communicate, and verify subcontractor compliance with remote work policies
Responsible: DPO, with support from Managing Director
Resources required: Policy development effort, subcontractor communication channels, compliance records
Timeframe: Completed by 31 Oct 2025;
Evaluation: Completion tracked by policy sign-off logs, communication records, and DPO verification;
2.3 Information Security Risk Management
2.3.1 Overview and Scope
Tempo maintains an Information Security Risk Management programme aligned with ISO/IEC 27001:2022. The programme includes a structured lifecycle approach: risks are assessed, treated, accepted (if necessary), and monitored to ensure continuous protection of information assets and compliance with legal, contractual, and operational obligations. This process applies across all business operations, information assets, and third-party relationships.
2.3.2 Roles and Responsibilities
The DPO is responsible for implementing and maintaining the risk management framework. This includes ensuring that risks are documented, evaluated, and treated based on defined criteria, including the likelihood of occurrence and potential impact on Tempo’s operations, data, and obligations. Mitigation actions are tracked, and their effectiveness is reviewed periodically to support continual improvement of the ISMS.
2.3.3 Risk Assessment Process
Risk assessments are performed using a consistent and repeatable methodology that applies these criteria across all relevant information assets and processes. Risk assessment outcomes are reviewed in the context of Tempo’s objectives, compliance requirements, and operational context, and updated as needed to reflect changes in the threat landscape or business structure.
As part of the risk assessment process, each identified risk is assigned an owner responsible for ensuring it is properly evaluated and monitored. Risks are analysed based on defined criteria, including the potential impact of loss (financial, operational, reputational), likelihood of occurrence, and frequency of recurrence. Results are compared to risk acceptance thresholds, and risks are prioritised for treatment based on severity and business impact. This structured process supports consistent, evidence-based decisions across Tempo’s information security program.
2.3.4 Risk Treatment and Control Selection
Risk treatment decisions are made in accordance with the outcome of the risk assessment process. Controls are selected based on ISO/IEC 27001:2022 Annex A reference controls. Tempo maintains a Statement of Applicability (SoA) that documents all applicable controls, their implementation status, and the rationale for inclusion or exclusion.
2.3.5 Residual Risk Evaluation and Acceptance
Residual risks that remain after initial treatment are evaluated by the DPO to determine whether additional treatment is required. Where risks are deemed acceptable within the context of business operations and risk appetite, they are escalated to senior management for formal approval and documented as accepted. All residual risks, whether treated further or accepted, are periodically re-evaluated as part of the ISMS review cycle.
2.3.6 Third-Party Risk Management
Third-party risks — including those introduced by subcontractors, external service providers, and cloud-based platforms — are fully incorporated into the risk management programme.
All third parties must be formally assessed and approved by the DPO to ensure the required level of trust before being granted access to Tempo systems, platforms, or client-scoped data. They are required to comply with Tempo’s technical, procedural, and contractual information security controls. This includes contractual data protection safeguards aligned with applicable privacy laws and client obligations, as well as ongoing oversight of privacy and security risks introduced through external access or data processing.
Key areas of risk focus include:
Remote working arrangements for subcontractors
Use of cloud services and collaboration platforms
Handling of client-scoped and Business Sensitive Information
Compliance with applicable legal, regulatory, and contractual obligations
2.3.7 Risk Monitoring and Review
The risk management process is reviewed annually and as needed to reflect changes in the business, technology, or threat landscape. It is monitored by the DPO and senior management through periodic Management Reviews, which evaluate the effectiveness of risk controls and inform continuous improvement decisions.
2.4 Information Security Audits
Tempo’s Information Security Management System (ISMS) is subject to both internal and external audits to verify the effectiveness of implemented controls, identify nonconformities, and support continual improvement.
Tempo maintains an Internal Audit Programme to plan and conduct audits at least annually. The programme defines audit frequency, scope, methods, responsibilities, and criteria, and ensures that internal audits are performed by a qualified and independent auditor. These audits assess conformity with Tempo’s policies, controls, and the requirements of ISO/IEC 27001:2022.
External audits are conducted annually to verify continued alignment with applicable information security standards and certification requirements.
All audits are conducted in a manner that protects the confidentiality, integrity, and availability of Tempo’s information assets. Access to personal or sensitive information during audits is strictly controlled and limited to what is necessary for the audit objectives.
Findings from both internal and external audits are documented, addressed through corrective actions where required, and reviewed by senior management. These findings inform risk reassessments, ISMS updates, and continual improvement activities.
2.5 Nonconformity and Corrective Action
Tempo is committed to maintaining the effectiveness of its Information Security Management System (ISMS) by promptly identifying and addressing nonconformities. A nonconformity is defined as any failure to meet ISMS requirements, including breakdowns in controls, policies, or processes.
When a nonconformity is identified, the DPO investigates the root cause and evaluates whether similar issues may exist elsewhere. Appropriate corrective actions are implemented to eliminate the cause and mitigate potential consequences. These actions may include updates to procedures, retraining of personnel, or the introduction of new controls.
Corrective actions are documented, monitored, and reviewed for effectiveness. Where necessary, risks are re-evaluated, and changes are made to the ISMS. All nonconformities and resulting actions are reviewed with senior management during Management Review meetings to support continual improvement.
All identified nonconformities and associated corrective actions are recorded in Tempo’s Improvement Register, which is maintained by the DPO as part of ISMS documentation.
2.6 Secure IT Operations and System Changes
Tempo’s information systems are composed primarily of cloud-based software tools and services used to deliver audit, compliance, and consulting services. As a service-based organization, Tempo does not develop or maintain proprietary applications or infrastructure. IT operations focus on the secure selection, use, and management of approved third-party platforms, guided by the ISMS.
2.6.1 Responsibility and Oversight
The DPO is responsible for overseeing the security and compliance of all tools, systems, and services used in Tempo’s operations. This includes the review and approval of new tools prior to adoption, maintaining the approved software list (Appendix A), and ensuring all technology use aligns with internal privacy, security, and compliance requirements.
2.6.2 System Selection and Configuration
New systems, platforms, or services must be formally reviewed and approved by the DPO through the Change Management Process prior to implementation. Tempo does not maintain in-house configuration baselines for hardware or network components, as these are not part of the operating model. Instead, information security assurance is provided through careful selection of trusted SaaS providers, validation of their security credentials, and internal controls over access and data handling.
2.6.3 Change Management
Tempo applies a formal Change Management Process for introducing or modifying systems. This includes:
Documenting the scope and purpose of the change
Assessing information security and data protection risks
Reviewing vendor compliance and contractual obligations
Maintaining a record of changes and approvals
All changes must comply with security, privacy, and business continuity requirements. Changes are approved only after verifying alignment with Tempo’s compliance obligations and operational risk posture.
2.6.4 Security Requirements for System Changes
All system changes must meet defined security requirements based on:
The sensitivity of the data involved
Tempo’s internal security and compliance policies
Applicable regulations and client obligations
Where relevant, decisions are informed by previous incident trends, threat intelligence, and known vulnerabilities.
2.6.5 Business Continuity Considerations
System changes are reviewed for their potential impact on operational continuity. This includes availability of core services, remote work requirements, and client access to information. Any proposed changes that could affect service delivery or contractual SLAs are escalated to senior leadership.
2.6.6 System Maintenance
While Tempo does not manage infrastructure directly, all company-managed devices are subject to maintenance requirements, including:
Timely software updates
Endpoint security controls
Decommissioning procedures for tools no longer in use
These activities are monitored by the DPO as part of Tempo’s ISMS and device management practices.
2.7 Human Resources Security
Tempo ensures that human resources security is embedded into hiring, onboarding, performance, and offboarding practices. These controls apply to employees, contractors, and other personnel with access to Tempo systems, client data, or confidential information.
2.7.1 Pre-Employment and Onboarding
Tempo conducts right-to-work checks and contractual screening for all staff before the start of employment or contract. Employment agreements and contractor agreements must be signed before work commences. These agreements outline responsibilities related to confidentiality, data protection, information security, acceptable use, and ethics.
In addition, Tempo verifies CPD (Continuing Professional Development) logs submitted by personnel as part of the onboarding and ongoing suitability process. These records are reviewed to confirm qualifications, experience, and ongoing competence for assigned roles.
All staff must review and acknowledge core policies including:
Information Security & Acceptable Use Policy (POL9)
Privacy Policy
Impartiality and Conflict of Interest Policies
Code of Conduct (“Tempo Principles”)
2.7.2 Acceptable Use, Confidentiality, and Ethics
All personnel are contractually bound to follow Tempo’s information security policies. Employment and contractor agreements include:
Acknowledgement of the Acceptable Use Policy
Confidentiality and non-disclosure obligations, including post-employment restrictions
Ethical conduct expectations via Tempo’s Principles (Appendix C of the employment agreement)
Personnel are also required to declare any conflicts of interest and avoid dual engagements without explicit approval.
2.7.3 Offboarding and Termination
Upon termination of employment or contract, individuals are issued a formal termination letter reminding them of their ongoing obligations under confidentiality and data handling clauses.
Departing staff must:
Confirm deletion of client and Tempo data from all personal devices and storage
Complete a data deletion confirmation form
Return any company-owned assets or documents
These steps are part of Tempo’s documented offboarding process, with responsibilities managed by the DPO and senior leadership.
2.7.4 Training and Continuing Education
Security awareness training is provided to all new hires during onboarding and is required on an annual basis for all staff. This includes awareness of threats, acceptable use, secure data handling, and client-specific compliance platform training where applicable.
In addition, all information security personnel and auditors are required to:
Maintain up-to-date CPD logs
Participate in regular continuing education related to security, auditing standards, or applicable regulations
Provide supporting documentation upon request
These requirements are enforced through the employment contract and monitored by the DPO.
2.7.5 Performance and Compliance Oversight
All staff are subject to performance review during the probation period and periodically thereafter. This includes assessment of professional conduct, compliance with policies, and role-based competence.
Tempo’s leadership team, supported by the DPO, oversees employee development, monitors non-compliance, and ensures that all personnel meet their contractual and policy obligations.
Non-compliance with information security policies may result in disciplinary action, including suspension or termination, in accordance with the company’s Disciplinary and Grievance Procedure (HR2), as referenced in the employment agreement and Quality Manual.
2.8 Breach and Incident Management
Tempo has established procedures for identifying, reporting, and responding to suspected or confirmed information security incidents, including data loss, unauthorised access, or policy violations.
All personnel are required to immediately report any known or suspected security incidents to the DPO via dpo@tempoaudits.com. This includes data breaches, unauthorised disclosures, device loss, or the use of unapproved tools or platforms to handle Business Sensitive Information.
The DPO is responsible for investigating reported incidents, coordinating corrective actions, and escalating to senior management when necessary. Incidents involving client data are assessed for contractual or regulatory notification requirements. Where appropriate, outcomes may trigger policy updates, staff retraining, or additional controls to support continual improvement.
All reported incidents are documented in Tempo’s Incident Log, maintained by the DPO. The log includes a description of the incident, affected systems or data, investigative actions, decisions made, and any corrective measures taken. This record supports transparency, trend analysis, and continual improvement of the ISMS.
These practices align with obligations under ISO/IEC 27001 and reinforce the responsibilities outlined in Tempo’s Acceptable Use Policy and Employment Agreements.
3. Acceptable Use of Tempo IT Assets
3.1 Roles in scope
Our Data Protection Officer is responsible for the implementation of this Policy segment in Tempo.
All IT Users are obliged to read, acknowledge and comply with the rules defined in this segment.
3.2 Basic rules
Tempo’s Business Sensitive Information (see Definitions, terms and abbreviations) and IT assets remain the sole property of Tempo. Every IT User shares a responsibility to protect them from unauthorised disclosure, loss, modification, tampering and/or destruction. This also applies to personal devices approved for business use.
IT Users are accountable for the actions performed using the access credentials provided by the company to access Tempo Business Sensitive Information and IT assets. All access requests shall be approved by the IT User’s supervisor and managed by the DPO.
Only software reviewed and approved by the DPO, based on internal privacy and security requirements and applicable regulations, shall be used for business purposes. The full list of approved software is appended in Appendix A - List of approved software. Any requirement for new software shall be directed to the DPO for formal review and approval through Tempo’s Change Management Process.
Tempo Business Sensitive Information and IT assets must be used primarily for business purposes and in accordance with the principles of need-to-know, need-to-have and least privilege.
Limited personal use of IT assets (such as email, Internet, etc.) is permitted if such use is occasional, of reasonable duration, does not adversely affect the business or performance, does not violate Tempo’s security policies or local and international laws, and is not otherwise prohibited by applicable legislation and regulations.
All persons who have been given temporary or permanent Tempo access control tokens/cards/keys should keep them on their person at all times while on Tempo premises. Giving the access control token/card/key to another person is strictly prohibited. If an access control token/card/key is lost or stolen, the IT User is obliged to immediately report the incident to the DPO at dpo@tempoaudits.com. If an access control token/card/key is forgotten, a temporary access control token/card/key will be provided at the reception desk or by the DPO. The temporary access control token/card/key is valid for one day and shall be returned at the end of working hours.
For security and maintenance purposes only, authorised personnel within Tempo and/or its authorised third-parties may audit and monitor equipment, systems and network traffic.
IT Users shall not tamper with any operational controls or attempt to prove any weakness in the systems without adequate authorisation. Malicious hackers, snoopers, password stealers, virus installers, data erasers, and anyone involved in such activity will be subject to disciplinary actions.
IT Users are responsible for promptly reporting any suspicious or malicious events, theft, loss, or unauthorised access to or disclosure of Business Sensitive Information and IT assets to dpo@tempoaudits.com.
Content that includes, but is not limited to, pornographic, insulting, racist or other discriminatory material shall not be downloaded, distributed, visited, used or browsed using Tempo’s IT assets. Unauthorised use and copying of copyright-protected materials, including but not limited to the digitisation and distribution of photos from magazines, books or other copyrighted sources, copyrighted music, films and other multimedia content, and the installation of software for which Tempo does not hold a valid licence, is strictly prohibited.
Unauthorised use or attempted use of Tempo IT assets is not allowed. This includes unauthorised access, processing and/or distribution of Business Sensitive Information.
Disclosing one’s own access parameters (e.g. username, password, PIN code) to other personnel is not permitted without written approval from the DPO. Unauthorised use or attempted use of other IT Users’ access parameters is strictly prohibited. Access parameters are created in accordance with the company’s Acceptable and Unacceptable Use of User Accounts and Passwords segment in this document. Exceptions to these two rules can only be granted in written form by the DPO.
Every violation of and/or deviation from the rules provided herein, failure to observe them and/or abuse of rights and authority hereunder granted to IT users shall constitute a violation of work duty and, therefore, may lead to disciplinary action up to termination of contract.
3.3 Compliance with Legal Obligations
IT Users are subject to specific obligations, based on applicable external and internal requirements, to protect Tempo IT assets and Tempo’s reputation. IT Users are required to comply with applicable legal and regulatory provisions in this area, including those that penalise contraventions of accepted moral standards, the diffusion of defamatory or racist statements, piracy or computer fraud, non-compliance with copyright, or other similar examples of inappropriate behaviour.
Violations will be investigated by Tempo’s DPO. Employees who report violations or suspected violations will be protected from retaliation.
Users authorised by Tempo must comply with local and national laws and regulations that govern the use, exportation and importation of Personally Identifiable Information (PII) and Protected Health Information (PHI).
Employees agree to cooperate with federal or state investigations or disciplinary proceedings.
NOTICE: All users are aware and agree that certain actions performed on company assets and networks are monitored and logged strictly for security purposes, and that only actions directly identified as a violation of policy or as a direct threat in the form of malicious code or an attempted cyber attack are observed. Access to these logs is restricted to the roles in charge of security at Tempo. For more information contact the DPO at dpo@tempoaudits.com.
3.4 Records Retention and Destruction
Tempo retains records in accordance with legal, regulatory, and contractual obligations, as well as business needs. Records may include audit documentation, contracts, communications, personnel files, and system logs.
Records are classified and retained according to P-14 Document and Record Control. The DPO is responsible for ensuring that retention periods are reviewed and aligned with applicable requirements.
Paper and electronic records must be securely deleted or destroyed once their retention period expires, unless legal or operational exceptions apply. Paper records must be shredded, and digital records must be deleted using secure methods. Where appropriate, deletions may be verified through manual review or audit.
Data stored in cloud platforms or managed by approved service providers is subject to the same retention and destruction requirements. Backup and archived media must be deleted or decommissioned securely at the end of their retention period, unless legal or contractual exceptions apply. The DPO is responsible for ensuring that fourth parties meet these obligations through contractual and platform-level controls.
In addition to periodic or retention-based deletion, all client data and related audit materials must be securely deleted by staff within five (5) working days of completing an audit engagement. This includes local downloads, notes, backups, and personal cloud storage. Deletion must be confirmed using the Data Deletion Confirmation Form and submitted to the DPO.
3.5 Acceptable and Unacceptable use of Email Services and instant messaging
3.5.1 Acceptable Use:
Use of Tempo email addresses in public websites, forums and/or blogs is allowed for business purposes only.
Always ensure emails are sent to intended recipients only. Remove unwanted attachments or information from the email trails when forwarding or responding to email messages.
Validate received emails against the following before taking any action:
Verify that the received emails are from trustworthy sources; i.e. verify that they are sent from a known email address by checking the source email address.
If an unexpected email is received from a trustworthy address and/or contains any unexpected attachments and/or links, then validate the email by checking verbally with the sender before opening the email or clicking on any attachment or link.
Report suspicious or untrustworthy emails to dpo@tempoaudits.com by forwarding the original email, then permanently delete such emails from your inbox.
Use only approved instant messaging services for business use.
3.5.2 Unacceptable Use:
Open/click the attachment and/or hyperlink in suspicious or untrustworthy emails.
Send emails to distribution lists without a business need.
Use of public/private email services (like Gmail, Yahoo, Hotmail, etc.) to exchange Business Sensitive Information.
The following are some examples of activities that are prohibited and may result in disciplinary action:
Automatic forwarding of Tempo emails to non-business related email addresses.
Unauthorised use, or forging, of email header information and email signatures.
Originating, forwarding or distributing chain letters, offensive, junk, or unsolicited email.
Transmit messages or images that may be construed as harassing, offensive or threatening to others.
Usage of profanity, obscenities, or derogatory remarks in any of the email messages discussing business related matters.
Sending documents, software, videos and/or audio files that violate copyright laws.
Making fraudulent offers of products, items, or services using any Tempo account.
3.6 Acceptable and Unacceptable Use of Internet Services
3.6.1 Acceptable Use:
Access to the Internet is neither anonymous nor confidential; any action undertaken is identifiable as having originated within Tempo.
IT Users may consult websites that are directly connected to and necessary for their activities. Occasional and reasonable personal use of websites whose content is not contrary to the law or accepted moral standards, and does not pose a risk to the image and reputation of the company, is permitted provided it does not hinder the accomplishment of the employees’ tasks or the security of Tempo’s IT network.
Connection to the Internet from company-provided devices shall be made via the Tempo network, which is equipped with suitable security controls to prevent and/or detect malicious or inappropriate websites and content. Where this is not possible, IT Users shall take reasonable steps to protect themselves as well as Tempo by accessing protected networks.
Usage of social media and internet services for private purposes is allowed on company devices only in a way that it does not obstruct regular business duties and is performed with the same security awareness and behaviour as with company internet services. Company social media accounts are managed by dedicated team members and should never be used without proper authorisation.
Use of Internet services shall be performed prudently and in context of assigned job responsibilities.
Use of Internet-based peer-to-peer file sharing services like BitTorrent, uTorrent etc. is prohibited.
Use of public storage services like OneDrive, Dropbox or Box for transferring and/or storing Tempo Business Sensitive Information is not permitted. IT Users shall only use approved storage mediums for transferring and/or storing Tempo Business Sensitive Information. Users shall seek advice from the DPO (at dpo@tempoaudits.com) where there is a legitimate business need to use such services. The full list of approved software is appended in Appendix A - List of approved software.
3.6.2 Unacceptable Use:
Disclose Business Sensitive Information on Internet-based or publicly accessible services like newsgroups, social media, blogging sites, forums, etc.
Post text or messages on Internet sites that may be construed as harassing, offensive or threatening to others.
Bypass Tempo security controls to gain access to websites, which are otherwise blocked.
Downloading copyrighted or intellectual property materials, software programmes, audio, video, data files, etc. violating any copyright restrictions.
Visit Internet sites that contain obscene, hateful or other objectionable materials.
Use of devices whose security controls have been circumvented (jailbroken, rooted, etc.) to access corporate WiFi is strictly prohibited. Use of any smartphone not approved by the DPO to access corporate WiFi is strictly prohibited.
Note: Where there is a requirement to disclose Tempo information in public forums or services for business purposes, IT Users shall abide by the requirements defined in the section Acceptable and Unacceptable Use of Business Sensitive Information below.
3.7 Acceptable and Unacceptable Use of Business Sensitive Information
3.7.1 Classification of Information
Tempo classifies information into three levels based on sensitivity, business value, and regulatory obligations:
Confidential – Information that, if disclosed, could cause significant harm to the business or clients. Examples include audit findings, client data, financial information, and sensitive personal data (PII/PHI).
Internal – Information intended for internal use that may cause moderate risk if shared externally (e.g. internal policies, templates, training materials).
Public – Information approved for public release (e.g. marketing materials, published reports).
All staff must classify data appropriately when creating or modifying documents, in accordance with P-14 Document and Record Control. The DPO is responsible for maintaining classification guidance and ensuring information is handled according to its classification — including access, storage, sharing, and disposal.
3.7.2 Acceptable Use:
Classify data whenever it is created, received, or modified into appropriate classification levels in accordance with P-14 Document and Record Control.
Authorisation for access to Tempo Business Sensitive Information is subject to approval from the IT User’s line management and must be formally renewed in the event of a change of position or a transfer.
Tempo’s Business Sensitive Information must be stored only in systems that are provided and/or approved by Tempo. Tempo maintains an internal asset register that includes company-managed devices and all approved cloud platforms used to access, process, or store Business Sensitive Information. The DPO is responsible for keeping this register up to date and ensuring assets are reviewed periodically for security and compliance purposes.
The transfer of Business Sensitive Information via physical media (e.g., USB drives, printed reports, CDs) is strictly prohibited. All data must be transferred digitally using approved cloud platforms listed in Appendix A, unless explicitly authorised by the DPO.
IT Users shall share Business Sensitive Information with other users based on need-to-know principle and request access revocation when the need is no longer there.
Special care shall be taken when transferring PII data: no more than 50 records shall be transmitted internally to a single recipient via the collaboration platform messaging system; no PII data shall be transmitted via email outside of TempoOS; and transfer of PII data outside of TempoOS requires specific approval and must comply with the applicable contractual clauses and regulatory requirements, meeting specific technical security requirements during the transfer. Contact the DPO for support on this matter.
Before destroying or retaining company data, users must consult the DPO at dpo@tempoaudits.com.
IT Users shall protect Business Sensitive Information in the form of hard copies against theft and unauthorised access by ensuring the following:
Business Sensitive Information in the form of hardcopies must be adequately protected and placed in locked and secure cabinets, when not in use.
Personally attend and collect the printouts immediately from the printers.
Never leave copies of printouts containing Business Sensitive Information unattended in meeting rooms, desks, etc.
All unwanted paper copies of sensitive information must be disposed of securely using a paper shredder.
3.7.3 Unacceptable Use:
Exchanging or storing Business Sensitive Information on third-party systems or locations that are not reviewed and approved by the DPO. Full list of approved software is appended in Appendix A - List of approved software.
Leaving Business Sensitive Information unattended or available for unauthorised individuals to access, including on desks, printers, copiers, fax machines, and computer monitors.
Using official business cloud storage and/or other authorised file storage and sharing systems for storing personal files related to photos, music, videos, personal documents, etc.
Using business sensitive information for personal purposes and personal gain.
The following are actions that users must avoid with regard to Business Sensitive Information:
Record information classified as ‘Confidential’ on answering machines/voicemail systems or in ‘out of office’ messages.
Disclose Business Sensitive Information without validating the identity of the recipients.
Leave Business Sensitive Information at the workplace unattended.
3.8 Acceptable and Unacceptable Use of User Accounts and Passwords
3.8.1 Acceptable Use:
Access to all systems handling Business Sensitive Information must be granted based on the principle of least privilege, subject to documented approval by the user’s manager and the DPO.
To maintain segregation of duties, the person approving access must not be the same individual responsible for provisioning or implementing the access.
All access requests and approvals must be documented and retained by the DPO for a minimum of one year. These records must be retrievable and available for audit or compliance verification upon request.
All users must be assigned a unique user ID for access to systems handling Business Sensitive Information. Shared accounts are prohibited, and user credentials must be traceable to an individual. Temporary or test accounts must also be uniquely identified and approved by the DPO.
User access rights are modified immediately upon role changes, transfers, or promotions to ensure the principle of least privilege is maintained. Access rights are updated in collaboration with line management and the DPO, and all changes are documented for audit purposes. The DPO is responsible for reviewing and approving role-based access changes.
All access rights are reviewed quarterly by the DPO in collaboration with System Owners, as described in Section 1.4.
Inactive accounts shall be disabled after 30 days of inactivity and deleted after 90 days unless required for legal or compliance purposes.
Privileged access is restricted to designated roles and is subject to Multi-Factor Authentication (MFA).
All access credentials must be revoked immediately when no longer required, such as in cases of termination, role change, extended inactivity, or suspected compromise. This includes passwords, tokens, and access to cloud platforms or sensitive systems. The DPO is responsible for coordinating and documenting revocation actions. Users must also notify the DPO to request access revocation for any system or resource that is no longer required.
All authentication credentials must be managed in accordance with this section.
Necessary precautions shall be taken to protect the user accounts and passwords provided for accessing Tempo systems and networks from unauthorised access or misuse.
All account credentials (Passwords, PINs, etc.) shall be stored in the company approved password management system.
All account credentials that fulfil sharing requirements (test accounts, temporary passwords) shall be shared only using the company approved password management system.
Use complex passwords to access Tempo IT assets. The following guidelines shall be applied when selecting a strong password:
All user-level passwords shall have at least 10 characters.
All system-level passwords shall have at least 12 characters.
All passwords shall contain characters from at least three of the following four groups:
Uppercase letters of English alphabet
Lowercase letters of English alphabet
Numerical characters
Special characters.
All passwords shall not be formed by repeating simple patterns or by using simple sequences of characters (e.g. repeated characters, or monotonically increasing or decreasing sequences of numbers).
All passwords shall not be composed of well-known or easily accessible personal information.
All passwords used for Tempo’s IT assets shall not be used anywhere else.
PIN codes shall have at least 6 numerical characters.
PIN codes shall not be created using simple patterns or predictable sequences of numbers (e.g. repeated digits, or monotonically increasing or decreasing sequences of numbers).
All passwords and PINs shall be rotated at least annually.
IT Users must immediately change their passwords if:
It is the first time the password is used;
The password has been reset by a system administrator;
They know or suspect that their password has been obtained or used by others.
Any disclosure or compromise of passwords must be reported to the DPO at dpo@tempoaudits.com.
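The password and PIN rules in this section are the kind of policy that is usually enforced automatically at account creation or in a password manager rather than left to the user. As an added illustration (not part of this policy and not a Tempo tool), the following Python checker encodes those rules: minimum length by account type, three of four character groups, rejection of repeated patterns and monotonic sequences, and a check against a caller-supplied list of personal information. The policy does not quantify what counts as a "simple pattern" or "simple sequence", so the thresholds used here (a unit repeated three or more times back-to-back, and four or more characters stepping by one) are assumptions.

```python
import string

# Length requirements taken from the policy's section 3.8.1.
MIN_USER_PASSWORD_LEN = 10
MIN_SYSTEM_PASSWORD_LEN = 12
MIN_PIN_LEN = 6
MIN_CHARACTER_GROUPS = 3

# Assumed thresholds: the policy does not quantify "simple pattern" or "simple sequence".
MAX_REPEATS_ALLOWED = 2      # a unit repeated 3+ times back-to-back is rejected
MAX_MONOTONIC_ALLOWED = 3    # 4+ characters stepping by exactly +1/-1 are rejected


def character_groups(password: str) -> int:
    """Count how many of the four policy character groups appear in the password."""
    alnum = string.ascii_letters + string.digits
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in alnum for c in password),      # anything else counts as special
    ])


def longest_repeat_run(s: str) -> int:
    """Largest number of back-to-back repetitions of any unit, e.g. 'ababab' -> 3, 'aaaa' -> 4."""
    best = 1
    n = len(s)
    for unit_len in range(1, n // 2 + 1):
        for start in range(0, n - 2 * unit_len + 1):
            unit = s[start:start + unit_len]
            count, pos = 1, start + unit_len
            while s[pos:pos + unit_len] == unit:
                count += 1
                pos += unit_len
            best = max(best, count)
    return best


def longest_monotonic_run(s: str) -> int:
    """Longest run where each character steps by exactly +1 or -1 in code point, e.g. '1234', 'dcba'."""
    best = run = 1
    direction = 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and direction in (0, step):
            run += 1
            direction = step
        elif step in (1, -1):           # direction reversed: new run of length 2
            run, direction = 2, step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def check_password(password: str, system_level: bool = False,
                   personal_info: tuple = ()) -> list:
    """Return the list of policy rules the password violates; an empty list means compliant."""
    problems = []
    min_len = MIN_SYSTEM_PASSWORD_LEN if system_level else MIN_USER_PASSWORD_LEN
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if character_groups(password) < MIN_CHARACTER_GROUPS:
        problems.append("uses fewer than three of the four character groups")
    if longest_repeat_run(password) > MAX_REPEATS_ALLOWED:
        problems.append("built from a repeated simple pattern")
    if longest_monotonic_run(password) > MAX_MONOTONIC_ALLOWED:
        problems.append("contains a monotonically increasing or decreasing sequence")
    lowered = password.lower()
    for item in personal_info:             # e.g. name, username, birth year (caller-supplied)
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


def check_pin(pin: str) -> list:
    """Return the list of PIN rules violated; an empty list means compliant."""
    problems = []
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN:
        problems.append(f"must be at least {MIN_PIN_LEN} numerical characters")
    if pin.isdigit():
        if longest_repeat_run(pin) > MAX_REPEATS_ALLOWED:
            problems.append("uses a repeated pattern")
        if longest_monotonic_run(pin) > MAX_MONOTONIC_ALLOWED:
            problems.append("uses a monotonic sequence of digits")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    for pw in ("Gk7#pLw2qR!z", "password123", "Abcdefg12!!!"):
        print(pw, "->", check_password(pw) or "compliant")
    for pin in ("737291", "123456", "111222", "1357"):
        print(pin, "->", check_pin(pin) or "compliant")
```

The checker reports every rule a credential breaks rather than stopping at the first, which is what a user needs in order to fix a rejected password in one attempt. The rule that Tempo passwords must not be reused elsewhere cannot be checked locally and is left to the password manager and user awareness.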
3.8.2 Unacceptable Use:
Share Tempo provided user account and password with others inside or outside Tempo without prior approval from the DPO.
Reuse the same password across multiple systems. Use passwords that are used for personal purposes in systems like personal emails, social networks, etc. on Tempo systems.
Store passwords in any computer file, email or mobile phone, or on paper, unless electronically encrypted or physically secured.
3.9 Acceptable and Unacceptable Use of Company Workstations – Desktops and Laptops
All company-managed laptops and desktops are recorded in Tempo’s internal asset register, which is maintained by the DPO. This register includes device ownership, configuration status, and compliance with security and maintenance requirements. It is reviewed periodically to ensure that all workstations meet Tempo’s baseline controls.
3.9.1 Acceptable Use:
Use workstations primarily for business purposes.
Every workstation shall have up-to-date antivirus software (or be a device with built-in antivirus) provided and managed by Tempo and configured according to the baseline security requirements defined and maintained by the DPO.
Every workstation operating system and installed software shall be kept up-to-date and regularly patched.
Immediately log off or disconnect from workstations in conference or meeting rooms after meetings.
Never leave desktops/laptops unattended for an extended period unless they have been properly safeguarded with controls such as screen lock.
Only approved software (Appendix A - List of approved software) or DPO-approved software is allowed to be installed on company workstations. All software shall be from approved sources.
Where desktop/laptop equipment is required to be sent to an IT workshop for repair, the IT User of the device shall contact the DPO for guidance on securing the data on the device prior to sending it.
Physically secure your laptops when not in use.
Company laptops must always be carried in person and not be checked in as baggage while travelling.
3.9.2 Unacceptable Use:
Use of mobile phones for storing business sensitive information. Mobile phones do not guarantee data protection by company security controls.
Connect removable storage media, external hard drives or USB devices to company provided desktop and/or laptops.
Disabling or tampering with implemented security features such as Corporate Antivirus, Email security, Local firewall, Wireless access points etc.
Using Tempo provided computing assets to engage in activities that are in violation of corporate policies and applicable local or internal laws and regulations.
Dispose of laptop and/or desktop equipment outside of the established process for equipment disposal. Users can contact the DPO at dpo@tempoaudits.com for the required guidance.
Connect laptops to untrusted networks, such as free and public Wi-Fi hotspots, without using the company-provided VPN. Home WiFi networks are considered safe if protected with a strong passphrase and at least the WPA2 security protocol. It is highly recommended that the VPN be used in all cases except when connected directly to the corporate WiFi network in the office.
Downloading and/or installing unapproved software applications onto Tempo workstations is prohibited. If you require a software application or tool that is not listed in the Approved Software List appended in Appendix B, please contact the DPO at dpo@tempoaudits.com for evaluation of the requested software.
3.10 Acceptable and Unacceptable Use of Teleworking
Teleworking means that information and communication equipment is used to enable employees to perform their work outside Tempo’s premises. Teleworking does not include the use of mobile phones outside Tempo’s premises.
Teleworking must be authorised by the employee’s manager with written or verbal approval.
3.10.1 Acceptable Use:
Use only approved devices for work (company laptop, approved personal device for work, …)
Connect to the home WiFi network or a private mobile hotspot protected with a secure password (see Acceptable and Unacceptable Use of User Accounts and Passwords)
Lock device when not in use.
Use device in a separate room with appropriate space to do your work and have remote video calls.
Conduct audit work and client data handling in private environments where screens and conversations cannot be overlooked or overheard.
Ensure devices used for Tempo work are stored securely when not in use (e.g. in a locked room or cabinet).
If a personally owned device used for Tempo work requires repair or external maintenance, all Tempo and client data must be securely deleted prior to servicing. Maintenance must only be performed by the device owner or an authorised, trusted provider. Any concerns about data security must be reported to the DPO in advance.
3.10.2 Unacceptable Use:
Share company devices (and/or approved personal devices for work) with members of the household/visitors.
Leave devices unattended in public spaces (coffee shops, airports, etc.).
Use unsecured/open and public internet access points.
Perform audit or client-facing work in public or shared spaces where confidentiality cannot be guaranteed.
3.11 Acceptable and Unacceptable Use of Personal Devices (Bring Your Own Device) For Employees
3.11.1 Acceptable Use:
Register your BYOD device for approval with the DPO by providing device information and intended business use;
Right to audit: By accepting this BYOD policy you accept that the DPO can audit your device for the compliance requirements listed in this section at any point during your engagement at Tempo for security purposes. You agree to provide the DPO with any required system/application logs from your device in the event of a security incident requiring investigation.
Connect personal devices (not used for business purposes) to Tempo provided Guest Wi-Fi network;
Connect to corporate applications using Tempo approved technologies only, such as VPN and with an approved BYOD device;
Store all Tempo Business Sensitive Information on Tempo provided cloud storage platform;
Protection of IT User’s personal devices will not be Tempo’s responsibility. However, Tempo requires that all personal devices (Laptops, Tablets, Smartphones) that are used to connect to corporate applications have the following security mechanisms enabled:
Latest operating system, software and security patches with automatic updates turned on;
Up to date anti-virus software;
Installation of the specific Tempo-provided anti-virus software is mandatory on an approved BYOD device where the IT User regularly accesses PHI data as part of their role at Tempo;
Lockscreen access control using a password, PIN or biometric as applicable;
Remote locate and wipe capability implemented/turned on;
Auto-lock device option set to no more than 15 minutes of inactivity;
Personal firewall (Laptops only);
Local storage encryption turned on;
For guidance and support in implementing these controls contact the DPO at dpo@tempoaudits.com.
3.11.2 Unacceptable Use:
Connect personal laptops to Tempo’s corporate wired or wireless networks;
Access corporate applications with a non-approved BYOD device;
Store Tempo Business Sensitive Information on personal devices’ local storage.
3.12 Exceptions
Any exceptions to this standard will require written authorisation by email from the DPO. Exceptions granted will be issued a policy waiver for a defined period of time. Requests for exceptions to this policy should be addressed to the DPO at dpo@tempoaudits.com.
3.13 Governance and Enforcement
Non-conformance to this standard could result in disciplinary action including, but not limited to, informal or formal warnings, up to termination of contract.
APPENDIX A - LIST OF APPROVED SERVICES
Calendly
Provided Services: Meeting scheduling and management platform
Vendor Website: https://calendly.com/
Owner: Rob Hall
Canva
Provided Services: Cloud hosted UI/UX Design tools
Vendor Website: https://www.canva.com/
Owner: Rob Hall
ChatGPT
Provided Services: AI LLM
Vendor Website: https://chatgpt.com/
Owner: Rob Hall
Dropbox Sign
Provided Services: Digital signature platform for documents
Vendor Website: https://sign.dropbox.com/en-GB/
Owner: Rob Hall
GoDaddy
Provided Services: Domain registry
Vendor Website: http://godaddy.com/
Owner: Rob Hall
Google Workspace
Provided Services: Collaboration platform, email hosting, document management
Vendor Website: https://workspace.google.com/
Owner: Rob Hall
Global-Regulation (Regnet)
Provided Services: Legal regulation software
Vendor Website: https://www.global-regulation.com/
Owner: Rob Hall
Linkedin
Provided Services: Talent sourcing, Company news publishing platform
Vendor Website: https://www.linkedin.com/
Owner: Rob Hall
Loom
Provided Services: Screen recording software
Vendor Website: https://www.loom.com/home
Owner: Rob Hall
Notion
Provided Services: Document management, collaboration platform
Vendor Website: https://www.notion.so/
Owner: Rob Hall
Slack
Provided Services: Instant messaging and collaboration platform. Customers have their own Slack tenants and are responsible for their access management.
Vendor Website: https://slack.com/
Owner: Rob Hall
Tally
Provided Services: Cloud-based form and survey solution
Vendor Website: https://tally.so/
Owner: Rob Hall
Udemy
Provided Services: eTraining platform
Vendor Website: https://www.udemy.com
Owner: Rob Hall
Squarespace
Provided Services: Website builder platform
Vendor Website: https://squarespace.com/
Owner: Rob Hall
Zoom
Provided Services: Video Conferencing platform
Vendor Website: https://zoom.us/
Owner: Rob Hall
1Password
Provided Services: Cloud-based password storage
Vendor Website: https://1password.com/
Owner: Rob Hall
Management System Document Reference: POL9
Version: 2
Issue Date: 15/7/2025