Policies for information security

The organization must operate, maintain, and continuously develop a security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

The organization has an information security policy developed and approved by top management. The policy shall include at least the following:

• the basis for setting the organization’s security objectives
• commitment to meeting information security requirements
• commitment to continuous improvement of the information security management system

In addition, the task owner shall ensure that:

• the is appropriate for the organization's business idea
• the policy is communicated to the entire organization
• the policy is available to stakeholders as appropriate

Theme-specific policy documents can help the communication and viewing of tasks, instructions and other documentation related to different areas, as well as connecting possible upper-level principles to these contents of the management system, which describe a more detailed implementation.

The organization must define which theme-specific policy documents are maintained and, if necessary, reviewed as a whole at desired intervals. Examples of topics for which you may want to maintain your own policy document include:

• access control
• physical security
• management of assets to be protected
• backup
• encryption practices
• data classification
• technical vulnerability management
• secure development

The employees of our organization accept the general information security policy formed by the management with their signatures. The policy may refer to a number of more specific security guidelines.