Terms & Conditions

Last updated: March 25, 2023

Objective, scope and users

The purpose of this high-level Policy is to define the objective, direction, principles and basic rules for information security management.
This Policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.
The users of this document are all ZEROD employees, as well as third parties external to the organization.

Basic information security terminology


Confidentiality: Characteristic of information whereby it is only available to authorized persons or systems.
Integrity: Characteristic of information whereby it is only modified by authorized persons or systems and in a permitted manner.
Availability: Characteristic of information whereby it can be accessed by authorized persons whenever necessary.
Information security: The preservation of confidentiality, integrity and availability of information.
Information security management system: Part of the general management processes that is responsible for planning, implementing, maintaining, reviewing and improving information security.

Information Security Management


Objectives and Measurement


The general objectives for the information security management system are the following: create a better market image and reduce the damage caused by potential incidents; the goals are in line with the business objectives, strategy and business plans of the organization. The Security Manager together with the ISMS Manager is responsible for reviewing these general ISMS objectives and establishing new ones.
The defined objectives as well as the metrics that will be used to measure the progress of achieving the objectives can be seen in the Objectives register.
All objectives must be reviewed at least once a year.
ZEROD will measure compliance with all objectives. The Security Committee is responsible for defining the method for measuring compliance with the objectives; the measurement will be carried out at least once a semester and the results will be analyzed and evaluated at a Committee meeting and reported to [senior management] as material for management review.
This Policy and the entire ISMS shall comply with the organization's relevant legal and regulatory requirements in the area of information security, as well as contractual obligations.
A list of contractual and legal requirements is detailed in the List of legal, regulatory, contractual and other requirements.


Information security controls

The process of choosing controls (protection) is defined in the Risk assessment and treatment methodology.
The selected controls and their implementation status are detailed in the Statement of applicability.


Responsibilities

The responsibilities for the ISMS are as follows:

  • The ISMS Manager is responsible for ensuring that the ISMS is implemented and maintained in accordance with this Policy and for ensuring that all necessary resources are available.
  • The ISMS Manager is responsible for the operational coordination of the ISMS, as well as for reporting on its performance.
  • [Top management] shall review the ISMS at least annually or whenever a significant change occurs, and shall prepare minutes of such meetings. The objective of management checks is to establish the suitability, adequacy and effectiveness of the ISMS.
  • The Information Officer shall implement employee information security training and awareness programmes.
  • Protecting the integrity, availability and confidentiality of assets is the responsibility of the owner of each asset.
  • All security incidents or weaknesses shall be reported to the [position].
  • The Security Committee shall define which information related to information security shall be communicated to which interested party (both internal and external), by whom and when.
  • The ISMS Officer is responsible for adopting and implementing the Training and Awareness Plan, which is the responsibility of all persons who have a role in managing information security.

Communication of the Policy


The ISMS Manager will ensure that all ZEROD employees as well as the corresponding external participants are familiar with this Policy and it will be his/her responsibility to publish or communicate any changes to said Policy.

Support for the implementation of the ISMS


Hereby, management declares that the implementation and continuous improvement of the ISMS will be supported by adequate resources to achieve all the objectives established in this Policy, as well as to comply with all the identified requirements.

When reviewing the ISMS, management will:

  • Periodically review the key performance indicators (KPIs) and security metrics.
  • Analyze security incidents, trends and vulnerabilities detected.
  • Evaluate the effectiveness of the applied controls.
  • Evaluate the compliance status against ISO 27001.
  • Analyze the results of internal and external audits.
  • Evaluate the results of business continuity tests and incident response.
  • Review the context of the organization and updated security risks.

To support this review, the Security Manager will provide management with a quarterly follow-up report to be presented at a Committee meeting.

Validity and management of documents


The owner of this document is the ISMS Manager, who must verify and, if necessary, update the document at least once a year.