1.  Group Commitment

STAEDEAN is committed to protecting its key business activities in the face of incidents and unwanted events, and to meeting its obligations to interested parties, including Customers, Shareholders, Employees, and Suppliers.

As part of this commitment, the organization has established an Information Security Management System (ISMS) that complies with the requirements of the ISO/IEC 27001 international standard for Information Security and will be seeking certification to this standard in the near future.

2.  Leadership Commitment

To achieve this goal, the company’s leadership recognizes the importance of dedicating resources, setting clear objectives, and fostering a culture of accountability throughout the organization.

Top management fully supports the implementation, maintenance, and continual improvement of our information security practices.

3.  Scope

This policy applies to all systems, people, and processes that constitute the organization's Information Systems, including Top Management, Directors, Employees, Suppliers, and other Third Parties with access to STAEDEAN systems.

4.  Information Security Policy

4.1.  Information Security Requirements 

A clear definition of the Security Requirements within STAEDEAN is agreed upon and maintained with the internal business, so that all activity is focused on fulfilling those requirements.

A fundamental principle of STAEDEAN's Information Security Management System is that business needs drive the controls implemented, and these are regularly communicated to all staff through team meetings and briefing documents.

4.2.  Framework for setting objectives 

A regular cycle is used to set objectives for Information Security to coincide with the budget planning cycle. This ensures that adequate funding is obtained for the improvement activities identified. These objectives are based upon a clear understanding of the business requirements, informed by the Management Review process during which the views of relevant Interested Parties may be obtained.

Security objectives, and details of how they will be achieved, are documented for an agreed time period. They are evaluated and monitored as part of management reviews to ensure that they remain valid, and any amendments are managed through the change management process.

Per ISO/IEC 27001, the reference controls detailed in Annex A of the standard are adopted where appropriate by STAEDEAN. These are reviewed regularly in light of risk assessment outcomes. 

For details of which Annex A controls have been implemented and which have been excluded, please see the Statement of Applicability (SOA) document.

4.2.1.  Information Security Objectives

In order to assess whether the ISMS is working as intended, it is essential that clear objectives are defined and that a system of monitoring and measurement is established to record progress against targets.

As part of the ISMS management review process, objectives for Information Security are regularly set, reviewed, and updated in the following major areas:

1. Compliance – generally how well the organization’s Information Security assets are protected by the ISMS.
2. Capability – the knowledge, skills and experience available, mainly internally but also to some extent externally to the organization.
3. Cost – financial resources required to maintain and improve the ISMS.
4. Resource utilization – how effectively organizational resources are employed.
5. Risk reduction – the degree to which known risks are treated to within acceptable limits.
6. Other (e.g., Software Development, Customer Data Protection, Third-Party Security) – appropriate objectives that do not fall into any of the above areas.

In order to achieve our objectives, it is essential that STAEDEAN has a clear plan that is adequately resourced and has the full support of Top Management.

STAEDEAN’s plan to meet its Information Security objectives is also described, including:

1. What will be done.
2. What resources will be required.
3. Who will be responsible.
4. When it will be completed.
5. How the results will be evaluated.

Objectives will be based on a clear understanding of our Information Security requirements, including those from interested parties, and will consider the results of risk assessments carried out at various levels within the organization.

The main objectives include, but are not limited to:

1. Ensure that all identified ISMS controls are in place.
2. Train Team Members on Information Security topics.
3. Reduce the number of high-priority risks on the risk register.
4. Implement secure coding practices to reduce vulnerabilities in software applications.
5. Safeguard Customer Data and ensure compliance with data protection regulations.
6. Ensure the security of third-party software and services.

In discussion with the Top Management and based upon documented requirements, STAEDEAN has agreed on specific objectives in the area of Information Security. The achievement of these objectives is tracked as part of regular Management Reviews of the ISMS. 

The parameters to be monitored and measured, together with the monitoring methods, the resources required, the person responsible and the evaluation methods, are detailed in the Key Performance Indicators procedure (see SOP 013).

4.3.  Continual Improvement

STAEDEAN's policy regarding continual improvement is to:

  • Continually improve the effectiveness of the ISMS.
  • Enhance current processes to align with good practice as defined within regulatory standards.
  • Achieve ISO/IEC 27001 certification and maintain it on an ongoing basis.
  • Increase the level of proactivity concerning Security.
  • Make Information Security processes and controls more measurable to provide a sound basis for informed decisions.
  • Review relevant metrics annually to assess whether it is appropriate to change them based on collected historical data.
  • Obtain ideas for improvement via regular meetings and other forms of communication with interested parties.
  • Review ideas for improvement at regular management meetings to prioritize and assess timescales and benefits.

Ideas for improvements may be obtained from any source, including Employees, Customers, Suppliers, IT staff, risk assessments, and service reports. Once identified, they are recorded and evaluated as part of Management Reviews.