Information Security Policy


An information security policy is the cornerstone of an information security program. As such, this information security policy reflects’s objectives for information security and the agreed upon management strategy for securing information and continual improvement.’s information security policy is its foundation for protecting’s information, systems, and people, as well as its intellectual property, customer and partner relationships, company brand, and investor value.


The purpose of the Information Security Policy is to set forth the underlying tenets, framework, and reasoning for’s Information Security Management System (ISMS) in accordance with the requirements of ISO standard ISO/IEC 27001:2013.


It is the policy of to protect the confidentiality, integrity, and availability (CIA) of the information held, in any form. This Information Security Policy is supported and complemented by other policies, procedures, standards, and ISMS documentation.’s ISMS supports the following objectives:

The risk management approach for the ISMS shall be aligned with the organization’s strategic risk management context.’s risk assessment criteria are derived from the ISO 27005 risk assessment methodology. assesses risks to information assets qualitatively by estimating the impact and likelihood of information security events within the organization.

The ISMS Manager is responsible for maintaining this Information Security Policy, supporting its objectives and advising on its implementation.

Continual improvement needs will be determined by various methods. The ISMS Manager is responsible for ensuring the improvement activity is operationalized, based on factors such as alignment with business and security objectives, needed resources, budget and technological feasibility, the improvement aligns with’s security roadmap and is approved by either the ISMS Management Steering Committee or the Executive Committee, as applicable.

Conformance at every level to the Information Security Policy and all remaining ISMS policies, standards, and procedures, is mandatory.

The Information Security Policy must be reviewed at least annually.


This Information Security policy is owned by the ISMS Manager. This Information Security policy shall be reviewed on an annual basis. Changes to this document shall be in accordance with the ISMS Document and Records Control Standard.