A.5.1 Policies for information security

Purpose

The purpose of this procedure is to ensure that the organization defines, implements, and maintains an information security policy that supports security risk management and preserves the confidentiality, integrity, and availability of organizational information.

Scope

This procedure applies to the entire organization, including all organizational units and information systems.

Definitions

  • Information Security Policy: A document outlining the core principles and guidelines for managing information security within the organization.
  • Information Security: The preservation of confidentiality, integrity, and availability of information, in line with business, legal, and regulatory requirements.

Responsibility

  • Organization Management: Responsible for approving, publishing, and distributing the information security policy.
  • Information Security Officer: Responsible for developing, updating, and maintaining the information security policy, as well as ensuring its implementation across all organizational units.
  • All Organization Employees: Required to comply with the information security policy and participate in required training and education.

Process

1. Developing the Information Security Policy

  • The Information Security Officer will develop a policy based on risk assessment, including the following topics:
    • Core principles of information security.
    • Security objectives and general guidelines for risk management.
    • Responsibilities and rights of employees regarding information security.
    • Guidelines for managing information security incidents.

2. Approving the Information Security Policy

  • The organization's management will approve the policy and ensure it meets the business needs and regulatory requirements of the organization.

3. Publishing and Distributing the Information Security Policy

  • The policy will be distributed to all employees and made available for review through the organization’s portal or other designated methods.
  • Training and education on the new or updated policy will be provided to all employees.

4. Maintaining and Updating the Information Security Policy

  • The Information Security Officer will periodically review the policy and update it according to changes in risks, business needs, regulations, and technologies.
  • Any policy changes will be submitted for management approval and then communicated to all employees.

5. Monitoring and Control

  • The organization will conduct periodic audits of the implementation of the information security policy to ensure it is properly enforced and that employees are aware of and comply with it.

Notes

  • The organization will conduct regular risk assessments to ensure that the information security policy addresses all relevant risks.
  • All employees are required to report any breach of the information security policy to the Information Security Officer.