ISO 27001:2023 Section | Document Section |
---|---|
4.3 Determining the scope of the information security management system | 1. |
4.4 Information security management system | (All) |
5.1 Leadership and commitment | 8. |
5.2 Policy | 2. |
5.3 Organizational roles, responsibilities, and authorities | 8. |
Overview
This document outlines the Information Security Policy, defining the scope of the Information Security Management System (ISMS), the associated documented procedures, and their interactions.
1. Scope
This policy establishes the structure for managing information security within \
It applies to all staff, contractors, and third-party service providers of \
2. Policy Statement
\
- Implementing a robust ISMS that complies with the standards set by ISO/IEC 27001:2023.
- Conducting periodic risk assessments to identify and mitigate potential information security threats.
- Integrating information security into all IT and business processes.
- Providing regular training and support to employees to reinforce their roles and responsibilities in safeguarding information.
- Reviewing and updating the ISMS to respond to emerging security threats and changes in the business environment.
3. Core Information Security Principles
- Confidentiality: Ensuring access to information is restricted to authorized individuals only.
- Integrity: Maintaining the accuracy and completeness of information and its processing.
- Availability: Ensuring authorized users can access information and related resources when needed.
4. Risk Management
The organization will perform routine risk assessments to detect, evaluate, and manage risks related to information security.
5. Incident Management
A structured protocol will be followed to manage and respond to security incidents, which includes procedures for reporting, investigating, and implementing mitigation measures to prevent recurrence.
6. Compliance
Adherence to this policy will be monitored and assessed as part of the performance evaluation process. Violations will lead to disciplinary actions, which could range from warnings to termination or legal consequences, depending on the severity of the infraction.
7. Policy Review
The policy will undergo a review at least once a year or following significant changes in the organization’s operations or technology to ensure its continued relevance, accuracy, and effectiveness.
8. Roles, Responsibilities, and Authorities
Describe the roles within your company. This can be visualized through an organogram (e.g., using draw.io) or listed in a table as shown below. Ensure that the required qualifications and tasks tied to involvement in the ISMS are specified. If applicable, include reporting structures, authority, and access privileges.
Role | Individuals |
---|---|
CEO | Steve Jobs |
CTO | Steve Wozniak |
ISO | Oliver Eidel |
C-level positions (CEO, CTO, CMO) form the Management team, responsible for endorsing and supporting the Information Security Policy by allocating resources and authority for its implementation.
The Information Security Officer (ISO) oversees the ISMS, ensuring the policy is enacted, monitored, evaluated, and updated as needed.
All employees must comply with the policy and report any security incidents to the designated authority.
Qualification requirements for these roles include:
- Proficiency in German and English.
- Training in information security management practices.