1. Purpose, scope and users
The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management.
This Policy is applied to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.
Users of this document are all employees of the company, as well as relevant external parties.
2. Reference documents
- ISO/IEC 27001 standard, clauses 5.2 and 5.3
- ISMS Scope Document
- ISMS Context Spreadsheet
- Risk Assessment and Risk Treatment Methodology
- Statement of Applicability
3. Basic information security terminology
Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.
Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.
Information security – preservation of confidentiality, integrity and availability of information.
Information Security Management System – part of overall management processes that takes care of planning, implementing, maintaining, reviewing, and improving the information security.
4. Managing the information security
4.1. Objectives and measurement
The general objectives of the information security management system are to create a better market image and to reduce the damage caused by potential incidents. We have defined a set of measurable service and security objectives aligned to our strategy and risks; these are documented within our Scope Document.
We will measure the fulfillment of all the objectives. The measurement will be performed at least once a year; we will analyze and evaluate the measurement results and report them as input materials for the Management review.
4.2. Information security requirements
This Policy and the entire ISMS must be compliant with the legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.
A detailed list of all our interested parties and our compliance obligations to them has been documented within our Scope Document.
4.3. Information security controls
The process of selecting the controls is defined in the Risk Assessment Process.
The selected controls and their implementation status are listed in the Statement of Applicability.
4.4. Business continuity
Business continuity management is prescribed in the Business Continuity Management Policy.
4.5. Responsibilities
Responsibilities for the ISMS are the following:
- The Information Security Manager is responsible for ensuring that the ISMS is implemented and maintained according to this Policy, and for ensuring that all necessary resources are available.
- The Information Security Officer is responsible for the operational coordination of the ISMS, as well as for reporting on the performance of the ISMS.
- Senior Management reviews the ISMS at least once a year, or each time a significant change occurs, and prepares minutes from that meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the ISMS.
- The Information Security Officer, with assistance from Human Resources, will implement information security training and awareness programs for employees.
- The protection of the integrity, availability and confidentiality of assets is the responsibility of the owner of each asset, as detailed within our Asset Register.
- All security incidents or weaknesses must be reported to the Information Security Manager; they can be raised either internally or through the Service Desk.
- The Information Security Manager will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when.
- The Information Security Officer is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management.
4.6. Policy communication
The Information Security Officer must ensure that all employees of the company, as well as appropriate external parties, are familiar with this Policy. Communication with external parties is done through the NDA process.
5. Support for ISMS implementation
Senior Management ensures that ISMS implementation and continual improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as to satisfy all identified requirements.
6. Validity and document management
This document is valid as of July 2020.