This policy defines how Information Security will be set up, managed, measured, reported on and developed within Digital Jewels Limited (DJL).
DJL has decided to pursue full renewal of its certification to ISO/IEC 27001 in order that the effective adoption of information security best practice may be validated by an external third party.
2 ISMS Policy
2.1 Scope of the ISMS
For the purposes of certification within DJL, the boundaries of the Information Security Management System are defined in the ISMS Scope. See DJL ISMS_QMS Organisational Context Document.
2.2 Digital Jewels Policy Statement
Digital Jewels Limited is committed to ensuring that information is protected against unauthorized access by maintaining confidentiality, integrity and availability; meeting regulatory and legislative obligations; maintaining business continuity plans; providing information security training; and reporting and investigating all breaches of information security, actual or suspected.
2.3 Information Security Requirements
This Policy and the entire ISMS must be in line with legal and regulatory requirements relevant to the organization in the field of information security, data secrecy, business continuity as well as with contractual obligations. The Statutory, Regulatory and Contractual Obligations of DJL are as follows:
- National Information Technology Development Agency (NITDA)
- Computer Professionals Association of Nigeria (CPN)
- Payment Card Industry Data Security Standard Council (PCI DSS)
- Nigeria Data Protection Regulation (NDPR)
2.4 Top Management Leadership and Commitment
Commitment to information security extends to senior levels of the organization and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.
Top management will also ensure that a systematic review of performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through the audit programme and management processes. Management Review can take several forms including departmental and other management meetings.
The Information Security Manager shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:
- The identification, documentation and fulfilment of information security requirements
- Implementation, management and improvement of risk management processes
- Integration of processes
- Compliance with statutory, regulatory and contractual requirements
- Reporting to top management on performance and improvement
2.5 Framework for Setting Objectives and Policy
An annual cycle will be used for the setting of objectives for information security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the annual management review with stakeholders.
ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on an annual basis to ensure that they remain valid. If there is a change in the organisation and amendments are required, these will be managed through the change management process.
In accordance with ISO/IEC 27001:2013 the control objectives and policy statements detailed in Annex A of the standard will be adopted where appropriate by Digital Jewels Limited. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with DJL/ISMS/PRO/ISMP/10.0/21 Information Security Risk Assessment and Treatment Plan. For references to the controls that implement each of the policy statements given please see DJL ISMS0603 Statement of Applicability.
2.6 ISMS Objectives
The following major objectives are set for Digital Jewels Information Security Management System:
- Objective 1 – Protect 85% of critical information assets and critical business processes relative to Digital Jewels core business
- Objective 2 – Protect 100% of client confidential information
- Objective 3 – Provide 80% assurance of business continuity and information systems resilience
- Objective 4 – Improve security-awareness culture by 90%.
2.7 Roles and Responsibilities
Within the field of information security, there are a number of management roles that correspond to the areas defined within the scope set out above. In a larger organization, these roles will often be filled by an individual in each area. In a smaller organization these roles and responsibilities must be allocated between the members of the team.
Full details of the responsibilities associated with each of the roles and how they are allocated within Digital Jewels Limited are given in a separate document DJL/ISMS/POL/ISP/10.0/21 Information Security Roles and Responsibilities.
It is the responsibility of the Human Resources department to ensure that staff understand the roles they are fulfilling and that they have appropriate skills and competence to do so.
2.8 Continual Improvement Policy
Digital Jewels Limited's policy with regard to Continual Improvement is to:
- Continually improve the effectiveness of the ISMS
- Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001
- Achieve ISO/IEC 27001 certification and maintain it on an ongoing basis
- Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
- Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
- Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
- Obtain ideas for improvement via regular meetings with stakeholders and document them in the Continual Improvement Log
- Review the Continual Improvement Log at regular management meetings in order to prioritise and assess timescales and benefits
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be added to the Continual Improvement Log and evaluated by Management.
As part of the evaluation of proposed improvements, the following criteria will be used:
- Business Benefit
- Implementation timescale
- Resource requirement
If accepted, the improvement proposal will be prioritised in order to allow more effective planning.
2.9 Approach to Managing Risk
Risk management will take place at several levels within the ISMS, including:
- Management planning – risks to the achievement of objectives
- Information security and IT service continuity risk assessments
- Assessment of the risk of changes via the change management process
- As part of the design and transition of new or changed services
High-level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision.
2.9.1 Risk Assessment Process
A risk assessment process will be used which is in line with the requirements and recommendations of ISO/IEC 27001, the International Standard for Information Security. This is documented in DJL ISMS0601 Risk Assessment and Treatment Procedure.
From this assessment, a risk assessment report will be generated, followed by a risk treatment plan. This will then give rise to the selection of appropriate controls.
2.9.2 Risk Evaluation Criteria
Risk will be evaluated according to two main criteria:
The first criterion is likelihood: how likely is the combination of the threat and any identified vulnerabilities to result in an impact to the asset under consideration? This will be judged on a scale of 1 (low) to 3 (high) and will take into account the following considerations:
- Has the risk happened before? If so, how long ago and what (if anything) has changed since then to make it more or less likely?
- Are there any available statistics or other information that can give an objective view of how likely the risk is to occur, e.g. crime figures by local government area?
- Has the risk previously come to pass to any other organizations in the geographical area, similar industry or with the same assets etc.?
Such information will help to inform the discussion about likelihood and arrive at a realistic estimate. Risks which are very unlikely to happen will almost certainly not warrant the use of business resources to address them (unless perhaps their impact is catastrophic).
The other criterion that must be considered is the impact to the asset should the risk occur. The following are the impacts assessed:
- Confidentiality – what will the impact be to the confidentiality requirements of the asset if the risk were to occur?
- Integrity – what will the impact be to the integrity requirements of the asset if the risk were to occur?
- Availability – what will the impact be to the availability requirements of the asset if the risk were to occur?
Again, this will be assessed on a scale from 1 (low) to 3 (high). An average of the three values gives the impact.
The overall risk factor will then be calculated by multiplying the two numbers, likelihood and impact, to give a score. This score will then give a risk classification of Low, Medium or High.
2.9.3 Risk Acceptance Criteria
In general, the following criteria will be adopted for the acceptance of risks according to their classification:
- Low – these risks will generally be accepted with no further action required
- Medium – these will be carefully reviewed and monitored and actions decided on an individual basis
- High – these risks must be addressed as a matter of urgency to prevent significant impact to the organization
These criteria will be reviewed on an annual basis to ensure they remain appropriate to the organization’s needs.
2.10 Human Resources
Digital Jewels Limited will ensure that all staff involved in information security are competent on the basis of appropriate education, training, skills and experience.
The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within DJL. Training needs will be identified and a plan maintained to ensure that the necessary competencies are in place.
Training, education and other relevant records will be kept by the Human Resources Department to document individual skill levels attained.
2.11 Auditing and Review
Once the ISMS is in place, it is vital that regular reviews take place of how well the information security processes and procedures are being adhered to. This will happen at three levels:
- Structured regular management review of conformity to policies and procedures
- Internal audit reviews against the ISO/IEC 27001 standard by the Digital Jewels Limited Quality Team
- External audit against the standard in order to gain and maintain certification
Details of how internal audits will be carried out can be found in the DJL Procedure for ISMS Audits.
2.12 Documentation Structure and Policy
All information security policies and plans must be documented. This section sets out the main documents that must be maintained in each area.
Details of documentation conventions and standards are given in the DJL Procedure for the Control of Documents and Records.
A number of core documents have been created and will be maintained as part of the ISMS. They are uniquely numbered, and the current versions are tracked in the DJL Documentation Log.
2.13 Control of Records
The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively.
The controls in place to manage records are defined in the document DJL Procedure for the Control of Documents and Records.