Document Name: A.5 Information Security policies
Version: 1.0
Document Version Control:
Version | Author (Owner) | Date | Review | Affected Sections | Approver
Document Change Control:
Issue Date | Version | Description | Requested by | Changed by
A.5 Information Security policies
1|Page
The Information Security Policies are established to ensure that information security controls
remain current as business needs evolve and technology changes. This policy is published and
communicated to all employees and relevant external parties.
A.5.1 Management Direction for Information Security
The Chief Information Officer is responsible for establishing, issuing and monitoring information
security policies.
Control Objective: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.
A.5.1.1 Information Security Policy
A Corporate Information System Security Policy document, approved by management, exists.
The information security policy has been published and communicated to all employees of
COMPANY NAME through the intranet, e-mail, training and induction programs. The Information
Security Policy contains operational policies, standards, guidelines and metrics intended to
establish minimum requirements for the secure delivery of our products/services. Secure
service delivery requires the assurance of confidentiality, integrity, availability and privacy of
information assets through:
• Management and business processes that include and enable security processes;
• Ongoing employee awareness of security issues;
• Physical security requirements for information systems;
• Governance processes for information technology;
• Defining security responsibilities;
• Identifying, classifying and labelling assets;
• Ensuring operational security, protection of networks and the transfer of information;
• Safeguarding assets utilized by third parties;
• Reporting information security incidents and weaknesses;
• Creating and maintaining business continuity plans; and,
• Monitoring for compliance.
The Chief Information Officer recognizes that information security is a process which, to be
effective, requires executive and management commitment, the active participation of all
employees and ongoing awareness programs.
A.5.1.2 Review of the policies for information security
The Information Security Policy must be reviewed on an annual basis and updated when
required. The purpose is to ensure that information security policies remain current with evolving
business needs, emerging risks and technological changes.
COMPANY NAME is responsible for the creation, maintenance and updating of the policy. The
Information System Security Committee approves the policy prior to release. The review and
evaluation of the ISMS policy is conducted at least once a year. The review guidelines state that
the policy is to be reviewed against its effectiveness, compliance with business processes, and
compliance with technology changes. The Chief Information Officer is responsible for reviewing
information security policies, standards and guidelines on an annual basis.
Policies and standards reviews must be initiated:
• In conjunction with legislative, regulatory or policy changes which have information
security implications;
• During planning and implementation of new or significantly changed technology;
• Following a Security Threat and Risk Assessment of major initiatives (e.g., new
information systems or contracting arrangements);
• When audit reports or security risk and controls reviews identify high risk exposures
involving information systems;
• If threat or vulnerability trends produced from automated monitoring processes
indicate the probability of significantly increased risk;
• After receiving the final report of investigation into information security incidents;
• Prior to renewing third party access agreements which involve major programs or
services;
• When industry, national or international standards for information security are
introduced or significantly revised to address emerging business and technology issues;
and,
• When associated external agencies (e.g., Information and Privacy Commissioner,
Ministry on Information Technology) issue reports or identify emerging trends related to
information security.