Policy · ISO 27001 certified

Information Security Policy

existanze maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001 to protect the confidentiality, integrity, and availability of information we process on behalf of clients.

Summary

Certified to ISO/IEC 27001. Risk-based controls, annual audits, and a documented incident-response process protect client data end-to-end.

Policy Overview

This policy is based on ISO 27001:2013, the recognised international standard for information security. The standard ensures that the organisation complies with the following security principles:

  1. Confidentiality: all sensitive information will be protected from unauthorized access or disclosure;
  2. Integrity: all information will be protected from accidental, malicious and fraudulent alteration or destruction; and
  3. Availability: information services will be available throughout the times agreed with the users and be protected against accidental or malicious damage or denial of service.

«CONNECTING DOTS I.K.E.» is committed to ensuring that all these aspects of information security are complied with to fulfil its statutory functions.

Compliance with «CONNECTING DOTS I.K.E.» security policies and procedures is mandatory for all personnel.

The Chief Executive Officer (CEO) approves this policy. The Information Security Forum (ISF) has the responsibility for ensuring that the policy is implemented and adhered to.

The security policy confirms the commitment of «CONNECTING DOTS I.K.E.» to continuous improvement and highlights the key areas to effectively secure its information.

Policy Detail

Senior Management Team responsibilities and commitment

The Senior Management Team is committed to satisfying all applicable requirements within this policy and to the continual improvement of the ISMS, and has therefore established this information security policy so that:

  1. it is appropriate to the purpose of the organization;
  2. it includes information security objectives and provides the framework for setting continual information security objectives.

This information security policy shall be available as documented information; be communicated within the organization; and be available to interested parties, as appropriate.

Leadership and commitment

Top management will continue to demonstrate leadership and commitment with respect to the information security management system by:

  1. ensuring the information security policy and information security objectives are established and are compatible with the strategic business direction of the organization;
  2. ensuring the integration of the information security management system requirements into the organization’s processes;
  3. ensuring that the resources needed for the information security management system are available;
  4. communicating the importance of effective information security management and of conforming to the information security management system requirements;
  5. ensuring that the information security management system achieves its intended outcome(s);
  6. directing and supporting persons to contribute to the effectiveness of the information security management system;
  7. promoting continual improvement; and
  8. supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

Information Security Objectives

Information security objectives have been established and are compatible with the strategic direction of the organisation. The key objective is to work in line with the sections of the best practice standard ISO 27001:2013 detailed below. Furthermore, security objectives will be set by management as an ongoing task and at ISMS Management Review Meetings, and an Information Security Objectives Policy will be produced and implemented as part of the ISMS. Management objectives for information security will be continually set and monitored to ensure they are achieved.

«CONNECTING DOTS I.K.E.» will seek to continually improve the information security management system in line with the PLAN-DO-CHECK-ACT improvement process embedded within its ISMS.

Organization of Information Security

The importance attached to information security within «CONNECTING DOTS I.K.E.» is demonstrated by the existence of the Information Security Forum. The functions of the Information Security Forum are:

  • reviewing and progressing strategic security issues;
  • establishing relationships outside of «CONNECTING DOTS I.K.E.» with other security advisers;
  • assessing the impact of new statutory or regulatory requirements;
  • monitoring the effectiveness of the Information Security Management System;
  • recommending and endorsing changes to the ISMS.

Human Resource Security

All employees must sign up to the Staff Handbook, which requires them to work in accordance with all policies and procedures, including information security specific requirements. Furthermore, an ‘Acceptable Use Policy’ ensures that employees are made aware that they are required to follow best practices regarding information security.

Asset Management

«CONNECTING DOTS I.K.E.» information must be classified according to its sensitivity and an information owner assigned. The IT Team will maintain an information asset inventory, which is updated periodically; each asset is assessed according to its risk profile and protected accordingly.

Access Control

Employees must be aware of and must follow a number of controls and procedures, which exist to limit access to confidential information. The IT Team is responsible for both establishing and maintaining robust logical access controls.

Cryptography

Where cryptographic controls are employed by «CONNECTING DOTS I.K.E.», a policy on the use of cryptographic controls for the protection of information must be developed and implemented.

Physical and Environmental Security

Staff must be aware of and must follow the detailed set of measures, controls and procedures that exist to ensure adequate control of physical security.

Operations Security

«CONNECTING DOTS I.K.E.» will ensure correct and secure operations of information processing facilities.

Communications Security

Staff must be aware that the use of technology and communications is established, controlled and managed by the IT Team. «CONNECTING DOTS I.K.E.» will ensure that the network, mobile working and remote working are adequately protected.

Supplier Relationships

Information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets must be agreed with the supplier and documented.

Information Security Incident Management

Security incident management records must be centrally maintained, updated and monitored via the Case Management System. All employees must be aware of what constitutes an actual or potential security incident, how to report the incident and who to report the incident to.

Business Continuity Management

The organization must ensure a consistent and effective approach to the management of major information security incidents, including communication on security events and weaknesses and the implications for business continuity management.

Compliance

«CONNECTING DOTS I.K.E.» must avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. «CONNECTING DOTS I.K.E.» must take technical and organizational measures to protect personal data against accidental or unlawful destruction, or accidental loss or alteration, and unauthorized disclosure or access.

Review

This document must be reviewed at least annually by its ‘Document Owner’.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

ISMS · v2.1