| Title | Information Security Policy |
| --- | --- |
| Document ID | [POL-INFOSEC-001] |
| Version | 0.1 Draft |
| Status | Draft |
| Owner | CEO (Paul Hague) |
| Approver | CEO (Paul Hague) |
| Classification | Internal |
| Effective date | [DD Month YYYY] |
| Review date | [DD Month YYYY] |

# Information Security Policy

## Purpose

This policy sets out BlackDice's overall direction for managing information security. It establishes the management intent and core principles that the information security management system (ISMS) and its supporting control framework must follow.

## Scope

This policy applies to all personnel, contractors, systems, information assets, and third parties within the approved ISMS scope. It applies to activities involved in developing, operating, supporting, and assuring BlackDice services and supporting business functions.

## Objectives

BlackDice's information security objectives should support:

- confidentiality, integrity, and availability of information and services
- effective identification and treatment of security risk
- secure cloud-native service delivery and software development
- proportionate control over suppliers, systems, and operational processes
- compliance with applicable legal, regulatory, contractual, and assurance requirements
- continual improvement of security performance

## Principles / Policy Statements

BlackDice must maintain an ISMS that is appropriate to its business activities, risk profile, and operating model.

Information security risks must be identified, assessed, treated, and reviewed using an approved and repeatable methodology.

Security controls must be selected and operated in a manner that is proportionate to risk and suitable for cloud-native SaaS operations, including containerised workloads, CI/CD processes, and operational monitoring functions.

Access to information and systems must be controlled according to business need, least privilege, and approved authorisation.

Information assets must be identified, classified, handled, retained, and disposed of according to business, legal, contractual, and security requirements.

Security requirements must be considered throughout system design, software development, change management, deployment, and operational support activities.

Security events and weaknesses must be reported, assessed, and managed through defined incident and escalation processes.

Suppliers and third parties that support in-scope services or handle relevant information must be assessed and managed according to risk.

Exceptions to required controls must be documented, risk-assessed, approved, time-bound where appropriate, and reviewed.

BlackDice should monitor the effectiveness of the ISMS and use audit, review, and corrective action to improve it.

## Roles and Responsibilities

- [Role] is accountable for overall ownership of this policy and the ISMS.
- Managers must ensure that relevant personnel understand and follow applicable security requirements.
- Document and control owners must maintain policies, standards, procedures, and records relevant to their areas.
- All personnel and contractors must follow applicable information security requirements and report security concerns promptly.
- Management must review ISMS performance and support continual improvement.

## Compliance / Exceptions

Failure to comply with this policy may result in investigation and corrective action in line with BlackDice processes and contractual arrangements.

Any exception to this policy must be raised through the approved exception management process and approved by [Approval Authority] based on documented risk.
## Monitoring and Review

This policy should be reviewed at least annually and when material changes occur to business operations, technology, legal obligations, or the threat landscape.

Compliance and effectiveness should be monitored through management review, internal audit, risk review, incident analysis, exception tracking, and progress against security objectives.

## Related Documents

- ISMS Scope Statement
- ISMS Manual
- Risk Assessment and Treatment Methodology
- Document and Records Control Standard
- Statement of Applicability Template
- Information Security Objectives Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |