Information Security Policy

Aims

• Maintain the confidentiality, integrity, and availability of all information that Arup processes.

• Ensure our people understand, adopt, and maintain positive information security behaviours in response to security threats.

• Keep pace with the increasing and evolving risk of cyber threats.

• Prevent attacks where practicable, and detect and respond rapidly to minimise impact where prevention is not possible.

We will

• Establish clear accountability and responsibility for information security and risk within the firm.

• Incorporate information security into relevant Arup processes, and establish new processes where needed to identify and mitigate risks through suitable control measures.

• Implement appropriate administrative, technical, and detective security controls based on threat and risk assessments.

• Align our practices with ISO 27001:2022 and other relevant industry standards and control frameworks.

• Provide training and support to ensure all personnel are aware of their obligations under this policy and can respond effectively to potential threats.

• Manage access to information in accordance with commercial, personal, financial, or other sensitivity requirements.

• Implement business and technology controls to maintain operational continuity in the event of a cyber incident or security breach.

• Conduct due diligence on third parties that process sensitive Arup data.

Governance

This policy is set by the Arup Group Limited Board and implemented across all Arup operations through policy, procedures, management systems, and learning.

It is reviewed and approved annually, or more frequently if appropriate.