Information Security Policy
1. Objective

To define roles and responsibilities for the operation of an effective and efficient Information Security Management System (ISMS).

2. The Composition of the ISMS Team Committee

The team comprises the following members and/or an appropriate delegate (list of titles).
Members:

  1. Top Management.
  2. Chief Information Security Officer.
  3. Head of Department.
  4. ISMS End Users.
  5. Internal Auditors.

3. Top Management

Top management demonstrates leadership and commitment with respect to the information security management system by:

  1. Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization.
  2. Ensuring the integration of the information security management system requirements into the organization's processes.
  3. Ensuring that the resources needed for the information security management system are available.
  4. Communicating the importance of effective information security management and of conforming to the information security management system requirements.
  5. Ensuring that the information security management system achieves its intended outcome(s).
  6. Directing and supporting people to contribute to the effectiveness of the information security management system.
  7. Promoting continual improvement and supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
  8. Conducting management reviews.
  9. Ensuring that the ISMS conforms to requirements and assigning reporting responsibilities in addition to those listed.
  10. Giving each team the authority to enforce security in its own area of work.

3.1 Authority

To take financial decisions on issues related to risk.

3.2 Key Skills & Competencies
  1. Understand the business.
  2. Understand the business need for protection.
  3. Understand the business 'impact' of violation.
  4. Access to the ISMS roles & responsibilities document.

4. Chief Information Security Officer (CISO)

4.1 Primary Responsibility

  1. Maintains and updates an ISMS vulnerability dashboard to keep track of organizational weaknesses and presents it to management for decisions. Decisions requiring implementation are tracked with the implementation team until closure. Vulnerabilities for which no action is taken are reported to top management for residual risk approval.
  2. Enterprise project or program office – verifies and performs risk assessment for any new product/project/customer acquisition.
  3. Document Controller for all ISMS-related documentation. Document owner is a separate role; the CISO is not necessarily the document owner for all security policies/procedures, some of which are owned by other departments such as IT, HR, operations, legal, physical security, application development, and top management.
  4. Identification of new threats/vulnerabilities and reporting to relevant stakeholders in relation to enterprise information risk.
  5. Responsible for reporting full or part of the ISMS performance on a monthly basis.
  6. Ensures policy objectives are met and responsible for the supervision of records generated as per the security operation.
  7. Information Security budget preparation and submission to top management for approval.
  8. ISMS Annual program maintenance.
  9. Key point of contact for day-to-day security implementation/issues.
  10. Arranges for regular security audits as per management decision.
  11. Provides inputs to regular internal independent audits.
  12. Appoints Request for Comment (RFC) team for acceptance and adaptation of specific ISMS documentation/records.

4.2 Authority

To create additional policy, procedure, and metrics with respect to ISMS operation.

5. Key Skills & Competencies
  1. Understand information assets.
  2. Understand information security, including the CIA triad (confidentiality, integrity, availability).
  3. Understand ISO 27001 control requirements.
  4. Ability to interpret policy documents (internal and external) and explain to the business how to implement or demonstrate compliance.

6. Head of Department/Team

The head of department is responsible for ensuring the following security processes (not an exhaustive list):

  1. Understand and own security/compliance responsibility as distinct from operational/revenue-generating responsibilities.
  2. Risk Owner: each department head owns the risks allocated to them. In ISO 27001 this allocation is made control by control to the respective owner in a formal document, the Statement of Applicability.
  3. Encourages team members to report security weaknesses or incidents relevant to any part of the organization.
  4. First point of contact within the department for incident/weakness reporting. When a user reports an incident/weakness, the head of department classifies whether the weakness/vulnerability should be escalated.
  5. Managers are responsible for conducting a self-assessment and reporting any deviation or risk to top management/the ISMS manager. This can include policy gaps, technology gaps, and any other resource requirement.
  6. Ensures that any information processing work has segregation of duties well entrenched in the internal roles, so that there is no opportunity for fraud, where applicable to the team or the process.

6.1 Authority

  1. To inform management about any new risk/vulnerability.

7. Key Skills & Competencies
  1. Understand the business need for protection.
  2. Understand the business 'impact' of violation.
  3. Access to the ISMS roles & responsibilities document.

8. ISMS End-Users
  1. Complies with end-user policy/procedure, namely the Acceptable Usage Policy, which describes expected user behaviour with respect to information usage.
  2. Reports security weaknesses/incidents to either the head of department or the CISO.
  3. End users do not exploit known security weaknesses.

8.1 Authority

  1. To report any new weakness/incident to the head of department/CISO.

9. Key Skills & Competencies
  1. Ability to communicate any security weakness/incident to supervisors/reporting manager or the CISO.
  2. Ability to comply with end-user compliance requirements.

10. Internal Auditors
  1. Functions upon the directives of top management/the Security Forum and carries out regular reviews of the ISMS based on the defined scope.
  2. The individuals nominated should be impartial and have no material benefit in the outcome of the internal audit, positive or negative.
  3. Makes judgments on the effectiveness of the selected policies, procedures, and records.
  4. Reports internal audit findings to top management and recommends preventive and corrective action.
  5. Reviews implementation of the audit findings.
  6. A separate internal audit procedure exists to support this role.

10.1 Authority

  1. To raise non-conformity in any aspect of ISMS operation.

11. Key Skills & Competencies
  1. Ability to make judgments about intent, implementation, and effectiveness.
  2. Pass a judgment and provide a justification for the judgment.
  3. Access to the ISMS roles & responsibilities document.

12. Monthly ISMS Performance

Changes to ISMS role nominations.

13. Policy Review

The policy is reviewed annually and/or when significant changes occur.

14. Enforcement of Policy

This policy will be enforced by the IT Manager and/or Security Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

15. Maintenance of Policy
  1. Compliance with this policy and supporting policies shall be audited on a yearly basis; exceptions identified during the audit shall be immediately and appropriately addressed.
  2. This policy shall be reviewed annually, or as needed where there is a major change in the organization or in the environment affecting the organization.
  3. This policy shall be reviewed and revised whenever a major security risk or an incident is identified.
16. References

ISO 27001:2022

  1. Clause 5.1 Leadership and commitment.
  2. A.5.2 Information security roles and responsibilities.
Revision History

Version | Date       | Revision Author   | Summary of Changes | Approved By           | Position
0.1     | 01.08.2024 | Green IT Ventures | Draft              |                       |
1.0     | 01.10.2024 | Green IT Ventures | Initial release    | Jebastin Prabhaharan  | CEO

DECLARATION:

This is to confirm that I have read and understood the above-mentioned policy.