Information Security Management System Policy
1. Introduction
This policy defines how the information security management systems will be set up, managed, measured, reported on and developed within Hugo.
Hugo, currently located at 9th Floor, Tower B, Parkside Towers, Mombasa Road, Nairobi, is committed to ensuring its information is secure by pursuing full certification to ISO/IEC 27001, so that the effective adoption of information security best practice may be validated by an external third party.
The purpose of this document is to define an overall policy regarding the information security management system that is appropriate to the purpose of Hugo and includes:
- A framework for setting objectives.
- A commitment to satisfying applicable requirements.
- A commitment to continual improvement of the management systems.
This Policy is available in electronic form and will be communicated within the organisation and to all relevant stakeholders and interested third parties.
1.1 ISMS POLICY STATEMENT
Hugo’s current strategy and Information Security Management System provides the context for identifying, assessing, evaluating and controlling information/process/service-related risks through establishment and maintenance of the ISMS. The risk assessment and risk treatment plan capture how identified risks are controlled in alignment with Hugo’s risk management strategy.
In particular, business continuity and contingency plans, data backup procedures, access control to systems and information security incident reporting are fundamental to this policy. All employees of Hugo shall have the responsibility of reporting incidents in real time or as they are discovered.
All employees of Hugo and external parties identified in the ISMS are expected to comply with this policy. All staff and certain external parties will receive or be required to provide appropriate evidence of training.
The Head of Technology is the owner of this document and is responsible for ensuring that this policy document is reviewed and reapproved by the executive management at least annually and in the event of relevant changes and/or incidents.
Breach of the policy or security mechanism may warrant disciplinary measures, up to and including termination of employment/contract as well as legal action in line with the Cybercrime Prohibition Act 2015.
Hugo defines the core objectives and purpose of the ISMS as listed below:
- Understand the needs of Hugo and the necessity for establishing Business Continuity, Information Security and Information Technology Service Management policy and objectives.
- Implement and operate controls and measures for managing the overall capability of Hugo to manage disruptive incidents, Information security and its IT assets.
- Monitor and review the performance and effectiveness of the ISMS.
- Continually improve Hugo’s Information Security Management System based on objective measurement.
1.2 Scope of the ISMS
For the purposes of certification within Hugo, the boundaries of the Management Systems are defined in the Context Requirements and Scope (Document Reference: Hugo ISMS0401).
1.4 Requirements
A clear definition of the requirements for the ISMS will be agreed and maintained with the business so that all activities are focused on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of Hugo’s ISMS that the controls implemented are driven by business needs, and this will be regularly communicated to all staff through pre-scheduled meetings and posted to the intranet.
1.5 Executive Leadership Commitment
Commitment to the Management System extends to all senior levels of the organization and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the management systems and associated controls.
The Executive Leadership will also ensure that a systematic review of the performance of the programme is conducted on a regular basis – quarterly – to ensure that objectives are being met and issues are identified through the audit programme and management processes. Management Review can take several forms including divisional or other senior leadership meetings.
1.7 Framework for Setting Objectives and Policy
The high-level objectives for the ISMS within Hugo are defined within the document “Context Requirements and Scope (Document Reference: Hugo ISMS0401)”. These are fundamental to the nature of the business and should not be subject to frequent change.
These overall objectives will be used as guidance in the setting of lower-level, more short-term objectives within an annual cycle timed to coincide with the organisational budget planning and goal-setting cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the overall business requirements, informed by the quarterly management review with stakeholders.
ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a quarterly basis to ensure that they remain valid. If amendments are required, these will be managed through the change management process.
In accordance with ISO/IEC 27001:2013, the control objectives and policy statements detailed in Annex A of the standard will be adopted where appropriate by Hugo. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with the ISMS Risk Assessment and Treatment Process. For references to the controls that implement each of the policy statements given, please see the Statement of Applicability.
1.8 Roles and Responsibilities
Within the fields of Information Security, there are a number of key roles that need to be undertaken to ensure successful protection of the business from risk.
Full details of the responsibilities associated with each of the roles and how they are allocated within Hugo are given in a separate document: Roles, Responsibilities and Authorities.
The ISMS Manager shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:
- The identification, documentation and fulfilment of applicable requirements.
- Implementation, management and improvement of risk management processes.
- Integration of processes.
- Compliance with statutory, regulatory and contractual requirements in the management of assets used to deliver products and services.
- Reporting to Executive Leadership on performance and improvement.
1.9 Continual Improvement Policy
Hugo’s policy with regard to Continual Improvement is to:
- Continually improve the effectiveness of the ISMS across all areas within scope.
- Enhance current processes to bring them in line with good practice as defined within ISO/IEC 27001.
- Achieve certification to the management systems and maintain it on an on-going basis.
- Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to the ongoing management of the ISMS.
- Make processes and controls more measurable in order to provide a sound basis for informed decisions.
- Achieve an enhanced understanding of and relationship with the business units to which the ISMS applies.
- Review relevant metrics on a periodic basis – annually or less – to assess whether it is appropriate to change them, based on collected historical data.
- Obtain ideas for improvement via regular meetings with stakeholders and document them in a Continual Improvement Log.
- Review the Continual Improvement Log at regular management meetings in order to prioritise and assess timescales and benefits.
Ideas for improvements may be obtained from any source including employees, customers, suppliers, risk assessments and service reports. Once identified they will be added to the Continual Improvement Log and evaluated by the ISMS Manager.
As part of the evaluation of proposed improvements, the following criteria will be used:
- Cost.
- Business Benefit.
- Risk.
- Implementation timescale.
- Resource requirement.
If accepted, the improvement proposal will be prioritised in order to allow more effective planning.
1.10 Approach to Managing Risk
A risk management strategy and process will be used which is in line with the requirements and recommendations of the Management System. This requires that relevant assets and processes are identified, and the following aspects considered:
- Threats.
- Vulnerabilities.
- Impact and likelihood before risk treatment.
- Risk Treatment (e.g. reduction, removal, transfer).
- Impact and Likelihood after risk treatment.
- Function responsible/Owner.
- Timescale and Review Frequency.
Risk management will take place at several levels within the ISMS, including:
- Management planning – risks to the achievement of objectives.
- Information security, business continuity and IT service management risk assessments.
- Assessment of the risk of changes via the change management process.
- At the project level, as part of the management of significant business change.
High-level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision. For more detail on the approach to risk assessment, please review the document “ISMS Risk Assessment and Treatment Process”.
1.11 People
Hugo will ensure that all staff involved in developing the ISMS are competent based on appropriate education, training, skills and experience.
The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within Hugo. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place.
Training, education and other relevant records will be kept by the People Team to document individual skill levels attained.
1.12 Auditing and Review
Once in place, it is vital that regular reviews take place of how well the ISMS processes and procedures are being adhered to. This will happen at three levels:
- Structured regular management review of conformity to policies and procedures.
- Internal audit reviews against the management system standards by the Hugo Audit Team.
- External audit against the standards in order to gain and maintain certification.
1.13 Documentation Structure and Policy
All policies, processes, procedures and plans that form part of the ISMS must be documented. This section sets out the main documents that must be maintained in each area.
Details of documentation conventions and standards are given in the Documentation and Filing policy.
A number of core documents have been created and will be maintained as part of the ISMS. They are uniquely numbered, and the current versions are tracked in the Documentation Log.
1.14 Control of Records
The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively.
The controls in place to manage records are defined in the Documentation and Filing policy.
1.15 Addendum
A current version of this document is available to all members of staff on the Intranet. This policy is issued on a version-controlled basis and pre-signed by the CEO.