Information Security

We make extensive use of the latest information technology tools to manage our business effectively. Our global team recognizes the value of maintaining high standards of security to avoid loss or corruption of data is critical.

We are a member of the British Computer Society (BCS) and The Chartered Institute for IT (Information Technology) and uphold the BCS Code of Conduct. This sets out important standards governing a member’s actions in relation to public interest, competence, integrity and professional responsibilities. We continue to improve our alignment with, and measure our performance against, the USA National Institute of Standards and Technology (NIST) Cyber Security Framework.


Our IT Governance Structure

The governance of our information security is overseen by our Board, but policy actions are the responsibility of our IT Steering group. The group reviews our information security strategy and objectives. It also agrees on standards and develops any information security related capital programs. They provide a quarterly written report and an annual presentation to the Board.

Reporting into the IT steering group is our IT leadership team, which is responsible for proposing strategy and implementing information security systems alongside managing training and security standards.

Our Legal Compliance team also provides important input and insight into the IT steering group. They review our global information security policies and procedures to confirm they are aligned with international data protection requirements.

Managing Information Securely in 2022

1,602 employees completed our Cyber Security Awareness Training module.

1,602 employees completed our Cyber Security Awareness Training module.

1,767 employees completed our Christmas Phishing Attack Awareness module

Digital Transformation

Innospec’s digital transformation continued throughout 2022. During the year we successfully migrated our primary data center, systems and applications into Microsoft Azure. We also launched our Optimus program to implement a new global enterprise resource planning (ERP) software package, SAP’s S/4HANA, over the next four years. This program, when completed, will bring all our ERP, customer relationship management (CRM), planning, analytics and governance risk and compliance (GRC) capabilities, into one ecosystem for the first time. It also presents a huge opportunity for simplification and expansion of reporting across all our business operations.
  • Cyber Security
  • Information Security Training
  • Audit and Risk Assessment

Cyber security is a subset of our wider information security practices. It focuses on defending our IT systems and electronic information. New threats and vulnerabilities materialize daily, and maintenance of cyber security continues to be a challenge for all businesses globally. It is vital for organizations to combat these threats by creating a risk-aware culture and by ensuring that we have appropriate protections in place to manage cyber risks regarding identity, applications, data, and devices. We are committed to continually improving cyber security through investment in our people, processes and IT infrastructure.

Our IT management team, in liaison with internal and external stakeholders, monitors best practice and ensures our solutions comply with the relevant legislative and regulatory standards on cyber security. This team is responsible for increasing awareness and developing our security training.

Cyber Security Management Policy

In 2022, we implemented a new Global Cyber Security Management Policy framework that now underpins all our activities. To underpin the framework we have a 24/7 Security Operations Center and Endpoint Detection and Response services. We will continue to enhance our Cyber Security framework and services in response to new threats and changes in the regulatory environment.

Our alignment with the NIST Cyber Security Framework continues to mature. Our latest independent third-party assessment, undertaken in late 2022 by NCC Group, reported that our cyber security maturity level had increased within the ‘Defined’ level ranking from a score of 3 in 2021 to 3.3, a result that sits very well against our industry peers.

Cyber security in the workplace is everyone’s responsibility.

We issue regular communications to raise awareness of how to stay safe online, protect against online fraudsters and prevent organized cyber-attacks on our business. Our employees, including Board members, are given regular, mandatory training on cyber security related topics via our “KnowBe4” global training platform.

The training covers a range of topics including access control, acceptable use and cyber security threats, such as phishing. Compliance is compulsory for all employees and tracked on an individual basis. In 2022, we ran nine training and awareness campaigns and two internal phishing tests, to see how alert we are to attempts to gather sensitive information through fake emails.

Across our global IT team, we continue to embed a culture of information security best practice in all areas of IT service delivery. This approach is backed up by periodic training courses and discussions in IT’s global monthly meetings.

Audit and Risk Assessment

Our risk assessment progress has continued to gather pace aligned to our newly restructured IT risk register and Cyber Security Management Policy. Checks are performed on a periodic basis to validate the security of the applications and services we have in place to keep information secure. The results are presented to the IT Steering group and, when required, to the Board. These include:

  • Staff information security assessments
  • Penetration tests
  • Vulnerability scans
  • Independent external security reviews and audits
  • Customer cyber security reviews