...
The operation of the ISMS has many benefits for the business, including:
Protection of revenue streams and company profitability
Ensuring the supply of goods and services to customers
Compliance with legal and regulatory requirements
Vertic Pty Ltd has decided to maintain full certification to ISO/IEC 27001 in order that the effective adoption of information security best practice may be validated by an independent third party, a Registered Certification Body (RCB).
This policy applies to all systems, people and processes that constitute the organization’s organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Vertic Pty Ltd systems.
The following supporting documents are relevant to this information security policy and provide additional information about how it is applied:
Risk Assessment and Treatment Process
Statement of Applicability
Supplier Information Security Evaluation Process
Internet Acceptable Use Policy
Cloud Computing Policy
Mobile Device Policy
Access Control Policy
User Access Management Process
Physical Security Policy
Anti-Malware Policy
Software Policy
Technical Vulnerability Management Policy
Privacy and Personal Data Protection Policy
Details of the latest version number of each of these documents is available from the ISMS Documentation Log.
...
Vertic Pty Ltd policy regarding continual improvement is to:
Continually improve the effectiveness of the ISMS
Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001 and related standards
Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
Obtain ideas for improvement via regular meetings and other forms of communication with interested parties
Review ideas for improvement at regular management meetings in order to prioritise and assess timescales and benefits
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be recorded and evaluated as part of management reviews.
...
The table below shows the individual policies within the documentation set and summarises each policy’s content and the target audience of interested parties.
POLICY TITLE | AREAS ADDRESSED | TARGET AUDIENCE |
Internet Acceptable Use Policy | Business use of the Internet, personal use of the Internet, Internet account management, security and monitoring and prohibited uses of the Internet service. | Users of the Internet service |
Cloud Computing Policy | Due diligence, signup, setup, management and removal of cloud computing services. | Employees involved in the procurement and management of cloud services |
Mobile Device Policy | Care and security of mobile devices such as laptops, tablets and smartphones, whether provided by the organization for business use. | Users of company-provided mobile devices |
Access Control Policy | User registration and deregistration, provision of access rights, external access, access reviews, password policy, user responsibilities and system and application access control. | Employees involved in setting up and managing access control |
Anti-Malware Policy | Firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews and malware incident management. | Employees responsible for protecting the organisation’s infrastructure from malware |
Software Policy | Purchasing software, software registration, installation and removal, in-house software development and use of software in the cloud. | All employees |
Social Media Policy | Guidelines for how social media should be used when representing the organization and when discussing issues relevant to the organization. | All employees |
HR Security Policy | Recruitment, employment contracts, policy compliance, disciplinary process, termination | All employees |
Acceptable Use Policy | Employee commitment to organisational information security policies. | All employees |
...