The organization is committed to preserving the confidentiality, integrity, and availability of its information and information systems. To support this, we have established and maintain a risk-based Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022.

This policy reflects top management’s commitment to:

• Protecting organizational, customer, and stakeholder information;
• Ensuring compliance with legal, regulatory, and contractual obligations;
• Minimizing business disruption from information security threats;
• Promoting continual improvement of our ISMS.

Adapt as applicable

Our primary information security objectives are to:

• Data Protection,
• Improve Resilience,
• Close Audit Findings & Rollouts,
• Perform Risk Mitigation.

These objectives are reviewed annually as part of the ISMS management review.

This policy applies to:

• All employees, contractors, consultants, and third-party users;
• All organizational units, systems, locations, and data assets;
• All forms of information (digital, physical, verbal) and processing environments.

It encompasses all activities that involve the creation, processing, storage, communication, and disposal of information under the organization’s control.

Top management shall:

• Establish and maintain an ISMS in line with ISO/IEC 27001:2022;
• Define and communicate roles, responsibilities, and authority for information security;
• Allocate appropriate resources to achieve ISMS objectives;
• Lead by example in promoting a security-aware culture;
• Integrate information security into strategic and operational planning.

Information security risks shall be:

• Identified, assessed, and treated in accordance with our Risk Assessment and Treatment Procedure;
• Managed continuously to reflect changes in threats, vulnerabilities, and business priorities;
• Aligned with our overall business risk management framework.

The organization is committed to fulfilling:

• Applicable legal, regulatory, and contractual obligations related to information security;
• Internal requirements, including policies, standards, and procedures;
• Monitoring and audit processes to ensure adherence.

All personnel are expected to comply with this policy and associated requirements. Non-compliance may result in disciplinary action.

The ISMS shall be continually improved through:

• Regular internal audits and management reviews;
• Risk and performance monitoring;
• Prompt and effective treatment of incidents, nonconformities, and opportunities for improvement.

This policy shall be:

• Approved by top management;
• Communicated to all personnel and relevant external parties;
• Available to interested parties upon request;
• Reviewed annually or following significant changes to business, risk, or compliance context.

Version 1.0