Information Security Policy v1.0
Uploaded by Ashok Sood

DOCUMENT CONTROL BLOCK

Internal Use Only Issued On: 16-Sep-24 V2.0

Information Security Policy Page 1 of 12

Information Security Policy

V2.0

This document is the property of CJDARCL, Location. Distribution may only be performed by
CJDARCL ’s ICT Department to recipients that have a valid need-to-know. The content of this
document is proprietary information and may not be distributed, disclosed, published or copied
without prior approval of the document owner.

Classified as Internal Use Only

DOCUMENT CONTROL

DOCUMENT INFORMATION
Document Title: Information Security Policy
Document #: V1.0
Classification: Internal Use Only
Author: Divesh Sood

VERSION CONTROL
#   Version   Draft or Final   Date        Description of change   By
1   1.0       Final            16-Sep-24   Initial Document        Divesh Sood

DOCUMENT APPROVAL
#   Authority   Name / Designation                             Approval / Rejection   Date        Comment
1   Author      Divesh Sood, Security GRC Senior Specialist    Approved               16-Sep-24
2   Reviewer                                                                          19-Sep-24
3   Approver                                                                          19-Sep-24

Contents

DOCUMENT CONTROL
1. INTRODUCTION
2. OBJECTIVES
3. SCOPE
3.1. TARGET AUDIENCE
3.2. REFERENCE MATERIAL
4. RESPONSIBILITY AND AUTHORITY
5. POLICY STATEMENTS
5.1. GENERAL STATEMENTS
5.2. ESTABLISH ISMS
5.3. IMPLEMENT AND OPERATE ISMS
5.4. MONITOR AND REVIEW OF ISMS
5.5. MAINTAIN AND IMPROVE ISMS
5.6. DOCUMENTATION
5.7. MANAGEMENT RESPONSIBILITY
5.8. ISMS INTERNAL AUDITS
5.9. MANAGEMENT REVIEW OF THE ISMS
5.10. ISMS IMPROVEMENT
6. ENFORCEMENT
7. ASSOCIATED DOCUMENTS

1. INTRODUCTION
The purpose of this policy is to ensure Management commitment towards information security,
the quality of products and services, and the Information Security Management System (ISMS).
Management is responsible for ensuring periodic reviews of the ISMS and for improvements based
on the results of those reviews.

2. OBJECTIVES
The objectives of the CJDARCL (CJDARCL) Information Security Management System (ISMS) are to:
2.1. Ensure the security of IS internal information assets and processing facilities.
2.2. Improve the security level of Client Information held within CJDARCL (CJDARCL).
2.3. Improve employee information security awareness.
2.4. Ensure the continuity of IS essential services.
2.5. Complete the documentation of departmental processes.

3. SCOPE
This policy is directed towards the management of CJDARCL (CJDARCL) to address the following
clauses of ISO 27001:
3.1. Information Security Management System (ISO 27001)
3.2. Leadership (ISO 27001)
3.3. Planning (ISO 27001)
3.4. Support (ISO 27001)
3.5. Operation (ISO 27001)
3.6. Performance Evaluation (ISO 27001)
3.7. Improvement (ISO 27001)
3.8. Policies for information security
3.9. Review of the Policies for information security
3.10. Management Responsibilities (ISO 27001)

3.11. Target Audience

The target audience for this document includes but is not limited to:
3.11.1. CJDARCL (CJDARCL) Executive management
3.11.2. CJDARCL (CJDARCL) Users
3.11.3. Information Security department
3.12. Reference Material
3.12.1 This document has been created from a standard Information Security Management
procedure based on ISO 27001:2022.
3.12.2 CJDARCL (CJDARCL) specific detail is to be incorporated during the review process.

4. RESPONSIBILITY AND AUTHORITY


4.1 The Management of CJDARCL (CJDARCL) is responsible for:
4.1.1 Ensuring that this policy is communicated to all employees, contract/temporary
employees, and third party personnel, and implemented.
4.1.2 Supporting information security initiatives by ensuring adequate resources and
periodically reviewing the effectiveness of the security measures.
4.2 All staff, including consultants, third party employees and visitors, are responsible for
adhering to these policies.
Responsibilities (Maintain Register / Prepare or Update / Review / Endorse / Approve / Publish):
ISMF: Yes, Yes
Information Security Officer (ISO): Yes, Yes, Yes
Chief Information Security Officer (CISO): Yes, Yes, Yes, Yes, Yes

5. POLICY STATEMENTS
5.1. CJDARCL (CJDARCL) shall ensure that Information Security is implemented in every
aspect of the organization, and that information security policies and procedures are
adhered to.
5.2. CJDARCL (CJDARCL) shall apply all reasonable, appropriate, practical and effective
security measures to adequately protect its critical information and information
processing facilities.
5.3. CJDARCL (CJDARCL) shall apply the necessary security controls required to meet its
contractual, legislative, regulatory, privacy and ethical responsibilities.
5.4. CJDARCL (CJDARCL) shall acknowledge the importance of ensuring information security
and commit towards supporting the information security goals and its principles.

5.5. CJDARCL (CJDARCL) shall establish information security objectives aligned to its
business objectives, information security requirements and pertaining risks.
5.6. CJDARCL (CJDARCL) shall develop detailed plans to measure, communicate, update and
achieve information security objectives.
5.7. All CJDARCL (CJDARCL) information and associated processing facilities (hardware,
software, files, data, networks, etc.) shall only be used for official purposes.
5.8. CJDARCL (CJDARCL) shall develop a detailed set of enforceable policies proportional
to the criticality and sensitivity of information and processing facilities.
5.9. CJDARCL (CJDARCL) shall provide its employees, contractors, and business
partners (whenever applicable) with the required information security awareness
knowledge, materials, and tools needed to fulfil their information security
commitments.
5.10. CJDARCL (CJDARCL) management must ensure that information security
requirements are assessed and identified during the initiation of every information
system or service project.
5.11. Any information system or service hosted or managed by CJDARCL (CJDARCL)
shall follow and comply with CJDARCL (CJDARCL)'s information security policies.
5.12. A standard Information Security Confidentiality Clause (including a Non-
Disclosure Agreement) shall be included in all agreements, contracts, and
purchase orders between CJDARCL (CJDARCL) and any third party being granted access
to confidential or sensitive data, information, and systems.
5.13. CJDARCL (CJDARCL) shall ensure that it respects the intellectual property rights
of any third party whose products are used for its business purposes.
5.14. The Information Security Policy shall be reviewed by the Management at least
once a year or when there is any change affecting the policy.
5.15. The responsibility for the execution of this policy rests with the management of
the company. Each individual policy shall mention the ownership and implementation
responsibilities. Exceptions, if any, to the policies shall be explicitly approved by the
management.
5.16. The ISO shall facilitate the overall policy review process.
5.17. Approved changes in policy shall be communicated to the affected
personnel by the CISO.
5.18. All breaches of information security shall be reported to the ISO and
investigated by the appropriate staff, depending upon the type of breach. Any
violation of or non-adherence to this policy shall be viewed seriously and shall be liable for
disciplinary action that may include termination.
5.19. The Management shall meet once every 12 months (annually) to review the
Information Security Policies, and minutes of these meetings shall be maintained as
records.
5.20. General Statements


5.20.1 Information security management system (ISMS) at CJDARCL (CJDARCL ) shall be
established, implemented, operated, monitored and reviewed by defining its scope
and boundaries, ISMS policy, risk assessment approach and risk acceptance criteria.
5.20.2 Risks to critical Innovative Solution’s information assets and underlying systems shall
be identified, analysed, and evaluated along with risk treatment options.
5.20.3 Appropriate controls shall be selected and management approval for residual risks
and authorization for implementation and operations of ISMS shall be obtained.
5.20.4 A Statement of Applicability shall be prepared / reviewed.
5.20.5 Information Security and Quality Policy shall be reviewed to ensure fulfilment of
business objectives and statutory requirements, its adequacy and effectiveness and
communication to all employees and external parties as relevant.
5.20.6 Risk treatment plan shall be prepared, and controls shall be implemented.
5.20.7 Procedures shall be established / reviewed to enable proper implementation and
maintenance of controls.
5.20.8 Documented Information Security Management System (ISMS) shall be maintained,
reviewed within the context of the organization’s overall business activities and
risks.
5.20.9 Internal ISMS audits shall be conducted at least once in a year, to determine the
effectiveness and adequacy of control objectives, controls, processes and
procedures of ISMS.
5.20.10 Effectiveness of ISMS shall be continually improved through the use of the
information security policy, security objectives, and audit results, analysis of
monitored events, controls’ effectiveness measurements, corrective and preventive
actions and management reviews.
5.21. Establish ISMS
5.21.1. Scope and boundaries of the ISMS shall be defined and annually reviewed
considering the business, contractual requirements and legal obligations.
Any exclusion from the scope shall be justified and documented.
5.21.2. Pre-defined and systematic approach to identifying business critical processes
and corresponding information assets, risk assessment, evaluation of risk
treatment options, criteria for accepting risks and identifying the acceptable risk
levels shall be followed.
5.21.3. A statement of applicability (SOA) shall be prepared and updated after
considering currently implemented controls, control objectives and controls
selected for the treatment of risks based on the risk assessment methodology and
business and legal requirements with justification for exclusion of any control
objectives or controls.

5.21.4. Security policies and procedures shall be developed / updated / modified to
address selected controls and for their implementation.
5.22. Implement and Operate ISMS
5.22.1. The selected controls based on the SOA shall be implemented after developing
risk treatment plan identifying management actions, resources, responsibilities
and the time-frame for implementation.
5.22.2. Suitable measures for effectiveness of controls or group of controls shall be
established for their evaluations.
5.22.3. Security awareness training programs shall be conducted periodically, including for
new employees during induction.
5.22.4. Information Security Officer shall manage the operations and resources of the
ISMS.
5.23. Monitor and Review of ISMS
5.23.1. Procedures for prompt incident detection, reporting, response and escalation
shall be implemented.
5.23.2. Monitoring and review of procedures and other controls shall be performed
minimum once in a year to detect errors, security breaches, incidents, to
determine if controls are performing as expected and effectiveness of actions
taken to resolve security breaches.
5.23.3. Information security policy shall be reviewed at least once in a year.
5.23.4. Internal ISMS audit shall be carried out twice a year.
5.23.5. Effectiveness of the ISMS shall be measured every year from the inputs of
internal audits, security audits, incidents, control effectiveness measurements,
suggestions and feedback from all interested parties.
5.23.6. Risk assessment shall be conducted on an annual basis, and the level of residual risk and
acceptable risk shall be reviewed considering changes to organization, technology,
business, external environment (legal, contractual, social), identified threats
and effectiveness of implemented controls.
5.23.7. Record of actions and events affecting ISMS shall be maintained.

5.24. Maintain and Improve ISMS
5.24.1. Identified improvements in the ISMS shall be implemented.
5.24.2. Corrective and preventive actions shall be taken to rectify weakness in control
environment and any future non-conformity.
5.24.3. Security experiences of other organizations shall be considered to improve the
ISMS.
5.24.4. MF shall ensure that the improvements achieve their intended objectives.
5.25. Documentation
5.25.1. All ISMS documents viz. ISMS Policy and Objectives, Scope, procedures, risk
assessment methodology, risk assessment report, risk treatment plan, evidence of
conformity to ISMS requirements and operations, statement of applicability shall
be secured and controlled.
5.25.2. Each department / division shall maintain records to provide evidence of
conformity to the ISMS and for all occurrences of significant ISMS related security
incidents.
5.25.3. Documented controls for the identification, storage, protection, retrieval,
retention and disposal of records shall be adhered to.
5.26. Management Responsibility
5.26.1. Established Management Forum (MF) of CJDARCL (CJDARCL ) chaired by ISO,
shall implement, operate, monitor, review, maintain and improve the ISMS and
provide evidence of its commitment.
5.27. ISMS Policy, objectives and plans shall be reviewed at least once in a year to
incorporate changes to business, contractual and legal requirements.
5.28. MF formed shall ensure sufficient resources to establish, implement, operate
and maintain the ISMS.
5.29. All personnel who are assigned information security and QMS responsibilities
shall be competent to perform the necessary tasks. Adequate training shall be provided
if necessary or trained personnel shall be employed to satisfy these needs.
5.30. All relevant personnel shall be made aware of the importance of their role in
information security activities and their contribution to the achievement of the ISMS
objectives.
5.31. ISMS Internal Audits
5.31.1. Internal audit of Innovative Solution’s ISMS shall be carried out by Internal Audit
Team at least once every year to check adherence to all policies, procedures, ISMS
and its documentation to identify non-conformities in implementation and
operation.

5.32. Internal audit requires consideration of requirements of the international
standard and regulation, status and importance of the processes to be audited, and
also the results of previous audits.
5.33. The ISO shall define the objectives, criteria, scope, frequency and methods of
the internal audit.
5.34. Impartiality and independence of the audit process shall be ensured. Internal
auditors shall not audit their own work.
5.35. Head of the department / function (HOD) shall be responsible for the area being
audited and shall ensure that prompt actions are taken to remove detected non-
conformities and their causes.
5.36. MF shall take actions to eliminate the cause of non-conformities and determine
actions to guard against future non-conformities associated with the implementation
and operation of the ISMS.
5.37. Management Review of the ISMS
5.37.1. IMF shall review ISMS at least once in a year to ensure its continued suitability,
adequacy and effectiveness; to improve and change ISMS where possible including
security objectives / policies / procedures.
5.37.2. Such reviews shall be documented and their records shall be maintained for
verification.
5.37.3. Input for Management Review - ISMS internal audit results, reviews, feedbacks
of the interested parties, status of preventive and corrective actions,
vulnerabilities and threats not adequately addressed, results of the effectiveness
measurements, follow-up actions from previous management reviews, any
changes to business environment that could affect ISMS and recommendations for
improvements shall be a basis for management review.
5.37.4. Output of Management Review - Improvement to ISMS effectiveness, updated
risk assessment / treatment plan to cover changes in set-up / environment,
required changes to policies / procedures in line with changes to business
requirements and processes, contractual and legal requirements, levels of
risk or risk acceptance criteria, resource needs and improvement to effectiveness
of control measurement.
5.38. ISMS Improvement
5.38.1. Based on internal audit reports, controls effectiveness reports and incident
management reports, MF shall take actions to eliminate the cause of non-
conformities and determine actions to guard against potential non-conformities
associated with the implementation and operations of the ISMS.
5.39. Preventive actions taken shall be appropriate to the impact of the potential
problems or based on the results of the risk assessment or on identification of
significantly changed risk.

5.40. Preventive / corrective actions and identified improvements in the ISMS shall be
implemented by the responsible personnel, who shall record the actions taken.
5.41. The preventive actions taken shall be verified by the ISO and the results
reported to MF.
5.42. MF shall review the corrective and preventive actions taken for the current and
future non-conformities and ensure that improvements achieve their intended
objectives.
5.43. The respective asset owners shall undertake the responsibility of identifying the
root cause of the non-conformity, closing them and implementing suitable controls to
prevent the re-occurrence of the non-conformity.
5.44. Security organization members shall seek experiences of other organizations to
learn the lessons and improve Innovative Solution’s ISMS.
5.45. Information Security Policies or Procedures shall be revised to remove the
weaknesses in the control systems and improve Organization’s security posture.

6. ENFORCEMENT
Any employee found to have violated this policy and other applicable Saudi Laws & regulations,
may be subject to disciplinary action, up to and including termination of employment.

7. ASSOCIATED DOCUMENTS
Information Security Management System Policies and Procedures.
7.1. Organization of Information Security
7.2. Acceptable Use Policy
7.3. Internet & Email Use Policy
7.4. Human Resource Security Policy
7.5. Asset Management Policy
7.6. Access Control Policy
7.7. Password Policy
7.8. Data Encryption Policy
7.9. Physical Security Policy
7.10. Operations Security Policy
7.11. Network Security Policy
7.12. Mobile Computing Security Policy
7.13. Application Security Policy
7.14. Business Continuity Policy

7.15. Incident Management Policy
7.16. Compliance Policy
7.17. Information Security Requirements of Project Management
