1. Purpose and Scope
This policy defines how the organisation protects information assets to ensure confidentiality, integrity, and availability. It applies to all employees, contractors, suppliers, and partners.
Policy Statements:
- The organisation maintains a certified ISMS under ISO/IEC 27001:2022 Clause 4.3, defining scope across all business units and IT systems. [ISO27001 4.3]
- Security objectives are documented, measurable, and reviewed annually, satisfying Clause 6.2. [ISO27001 6.2]
- Controls are structured around NIST CSF v2.0 (2024) functions (Identify, Protect, Detect, Respond, Recover). [NISTCSF v2.0]
- Governance oversight is provided by the board, consistent with ISO/IEC 38500:2015 and, where applicable to the organisation’s jurisdiction, instruments such as US SOX Section 404 and equivalent national governance codes. [ISO38500 all]
2. Governance and Accountability
Security responsibilities are clearly defined and enforced.
Policy Statements:
- The board demonstrates leadership and commitment to the ISMS (ISO 27001 Clause 5.1). [ISO27001 5.1]
- The CISO is formally appointed and accountable for ISMS operation (Clause 5.3). [ISO27001 5.3]
- Department heads ensure compliance within their teams, with responsibilities documented in job descriptions.
- Quarterly ISMS performance reports are presented to the Audit & Risk Committee in the form required by applicable governance instruments; representative reference points include US SOX Section 404, South Africa King V Principle 12, and equivalent national codes.
- Internal audits are conducted annually under Clause 9.2, with corrective actions tracked. [ISO27001 9.2]
- Collaborative security responsibilities with suppliers and partners are documented and reviewed annually, consistent with ISO 44000 Clause 5.2 (Relationship governance).
- Joint governance committees are established with critical suppliers to oversee shared information security risks.
- Relationship agreements include clear escalation paths for security incidents and compliance obligations.
- Information security governance aligns with the COSO Internal Control — Integrated Framework (Principle 1: Governance & Culture) or an equivalent internal-control framework adopted by the organisation, ensuring tone at the top and accountability for risk. [COSOERM P1]
- Security roles and responsibilities are integrated into enterprise risk management structures.
3. Risk Management
Risks are identified, assessed, and treated systematically.
Policy Statements:
- Risk assessments are conducted quarterly, satisfying ISO 27001 Clause 6.1.2. [ISO27001 6.1.2; ISO27005 all]
- Risk treatment plans are documented and approved, aligned with Clause 6.1.3 and Annex A controls. [ISO27001 6.1.3; ISO27002 Annex A]
- Business continuity risks are integrated into enterprise risk registers (ISO 22301:2019 Clause 8.2). [ISO22301 8.2]
- ICT products and services undergo certification under applicable national or regional cybersecurity certification schemes; representative reference: EU Cybersecurity Act (2019) and successor regimes.
- Cybercrime risks are explicitly tracked under applicable cybercrime legislation in each operating jurisdiction; representative references include the South Africa Cybercrimes Act (2020) and the Mauritius Computer Misuse and Cybercrime Act (2003/2018). [SACYBER all]
- Risk assessments include collaborative risks arising from joint ventures, outsourcing, and supply chain dependencies (ISO 44000 Clause 6.3).
- Shared risk registers are maintained with strategic partners to ensure transparency and accountability.
- Information security risk assessments are embedded into the organisation’s enterprise risk management framework (COSO ERM Principle 6: Risk Identification & Assessment, ISO 31000:2018, or an equivalent ERM framework adopted by the organisation). [COSOERM P6; ISO31000 all]
- Shared risk registers with partners include enterprise-level risks.
4. Access Control and Monitoring
Access to systems is restricted, monitored, and reviewed regularly.
Policy Statements:
- A documented access control policy is enforced (Annex A.9.1.1).
- Privileged accounts require MFA and quarterly review (Annex A.9.2.3).
- Event logging is implemented, with logs retained for 12 months and reviewed weekly (Annex A.12.4.1).
- Cloud access is monitored via CASB, satisfying ISO/IEC 27017:2015 Clause 9.1.
- All personal data is encrypted at rest and in transit, meeting the encryption requirements of applicable data protection law. Reference obligations include EU GDPR Article 32, POPIA Section 19(2), and equivalent provisions in each operating jurisdiction. [GDPR Art.32; POPIA S.19(2)]
5. Incident Response and Continuity
Incident response procedures are documented, tested, and reviewed.
Policy Statements:
- Incident response plans are maintained and tested annually (Annex A.5.25).
- Lessons learned are documented and integrated into ISMS improvements (Annex A.5.29).
- Continuity exercises are conducted annually (ISO 22301 Clause 8.4).
- Breach notifications follow the timing and scope required by applicable data protection law. Reference obligations include the 72-hour window under EU GDPR Articles 33–34; notification requirements under POPIA Section 22; the South Africa Cybercrimes Act (2020); and equivalent provisions in each operating jurisdiction.
- Supplier contracts mandate incident participation, consistent with SIAM principles.
- Case studies drawn from significant publicly-reported cybersecurity incidents are used in tabletop exercises. Illustrative examples include supply-chain compromises (e.g. SolarWinds 2020, MOVEit 2023), critical-infrastructure ransomware events (e.g. Colonial Pipeline 2021), and regionally-relevant incidents in each organisation’s operating jurisdiction.
- Incident response plans include coordinated communication with partners and suppliers (ISO 44000 Clause 7.4).
- Business continuity exercises are conducted jointly with critical suppliers to validate resilience.
- Incident response integrates with enterprise risk reporting channels (COSO Principle 17: Risk Reporting & Communication, or equivalent).
- Business continuity planning is aligned with the resilience and performance expectations of the organisation’s chosen internal-control framework.
6. Compliance Obligations
Operations comply with applicable laws and standards in every jurisdiction in which the organisation operates.
Policy Statements:
- Data processing complies with applicable data protection law in every jurisdiction in which the organisation operates. Where applicable, this includes: EU GDPR (2016/679), UK GDPR, POPIA (2013), Mauritius DPA (2017), Singapore PDPA, India DPDP Act (2023), Brazil LGPD, California CCPA/CPRA, and equivalent national frameworks.
- Cross-border transfers follow the lawful transfer mechanisms of each applicable regime (representative references include EU GDPR Chapter V, Mauritius DPA Section 36, and equivalent provisions), with Standard Contractual Clauses and equivalent safeguards reviewed annually.
- Privacy impact assessments are conducted for new systems (ISO/IEC 27701:2019 Clause 5.4.2).
- AU Convention 108+ obligations are integrated into transfer policies where the organisation operates in signatory states.
- The organisation maintains a living register of data protection obligations applicable to its jurisdictions of operation and reviews it whenever the operating footprint changes.
7. Audit and Assurance
Independent audits validate control effectiveness.
Policy Statements:
- Internal audits are conducted annually (ISO 27001 Clause 9.2).
- Management reviews ISMS performance quarterly (Clause 9.3).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation’s market context. Representative references include the SOC 2 Trust Services Criteria (AICPA).
- Audit findings are reported to the board and disclosed in the form required by applicable governance instruments; representative reference: US SOX Section 404 and equivalent national governance codes.
- Corrective actions are tracked and verified, consistent with ISO 9001 continual improvement.
8. AI Governance
Where AI systems are deployed, the associated risks are managed under the following statements.
Policy Statements:
- AI risk management processes are documented (ISO 42001:2023 Clause 8.2).
- AI models undergo bias testing and explainability reviews.
- AI incidents are reported to the board as part of ISMS reporting.
- Ethical oversight committees review AI deployments quarterly, consistent with the OECD AI Principles (2019) and equivalent national AI governance frameworks.
9. Governance Alignment Statement
This policy supports transparency, accountability, ethical conduct, and stakeholder inclusivity, consistent with recognised corporate governance instruments in each jurisdiction in which the organisation operates. Representative instruments include the OECD Principles of Corporate Governance and the AU APRM framework. National codes referenced as applicable include (non-exhaustive):
- UK Corporate Governance Code
- US SOX Section 404
- Japan Corporate Governance Code
- Singapore Code of Corporate Governance
- India SEBI LODR
- South Africa King V
- Mauritius National Code of Corporate Governance
- AU APRM
- OECD Principles of Corporate Governance
Enterprise and Conglomerate implementation content will be added here.