IMS CORE Manual

1. Purpose and Scope

Policy Statements:

The organisation applies a comprehensive information security and governance framework to protect confidentiality, integrity, and availability of information assets. This framework integrates practices across information security, data protection, awareness, incident response, continuity, vendor oversight, acceptable use, cryptography, physical security, and HR security.

• Information Security: The ISMS scope is defined in line with ISO/IEC 27001 Clause 4.3, with objectives documented and reviewed annually (Clause 6.2). Controls are structured around NIST CSF v2.0 (Identify, Protect, Detect, Respond, Recover), ensuring a holistic approach to risk.
• Data Protection & Privacy: Data handling practices are aligned with GDPR Articles 5–6, 32, 33–34, POPIA Sections 19, 22, HIPAA Security Rule, Mauritius DPA Section 36, and the AU Convention on Cybersecurity (2014). These frameworks guide lawful, fair, and transparent processing of personal data, with emphasis on breach notification and cross‑border transfers.
• Cybersecurity Awareness & Training: Awareness programmes are designed in line with ISO 27001 Annex A.7.2.2, PCI DSS Req. 12.6, and SOC 2 CC6.3, ensuring staff understand acceptable use, incident response, and data protection obligations. Training is reinforced through simulations and awareness campaigns.
• Incident Response: Response processes are documented and tested annually, referencing ISO 27001 Annex A.16.1, NIST CSF RS.RP, PCI DSS Req. 12.10, and HIPAA §164.308(a)(6). Breach notification obligations follow GDPR Articles 33–34 and POPIA Section 22.
• Business Continuity & Disaster Recovery: Continuity and recovery practices are structured according to ISO 22301 Clause 8.4, ISO 27001 Annex A.17.1, and PCI DSS Req. 12.11, with resilience integrated into enterprise risk registers. Recovery objectives (RTO/RPO) are defined and tested.
• Vendor & Third‑Party Risk Management: Oversight is aligned with ISO 27001 Annex A.15.1, NIST CSF ID.SC, SOC 2 CC9, PCI DSS Req. 12.8, and GDPR Article 28, ensuring supplier contracts include security clauses and obligations. Vendor risk assessments are conducted prior to onboarding and annually thereafter.
• Acceptable Use: Standards reference ISO 27001 Annex A.8.1, PCI DSS Req. 12.3, and HIPAA §164.308(a)(2), defining authorised and prohibited activities. Workforce obligations are documented under GDPR Article 29.
• Cryptography & Encryption: Practices follow ISO 27001 Annex A.10.1, NIST CSF PR.DS, PCI DSS Req. 3–4, HIPAA §164.312(a)(2)(iv), and GDPR Article 32, with approved algorithms (AES‑256, RSA‑2048, SHA‑256) and key management lifecycle controls.
• Physical Security: Controls are aligned with ISO 27001 Annex A.11.1, PCI DSS Req. 9.1–9.4, and HIPAA §164.310, covering facility access restrictions, visitor logs, CCTV, and environmental safeguards.
• Human Resources Security: Processes reference ISO 27001 Annex A.7.1–A.7.3, SOC 2 CC2, and GDPR Article 29, covering pre‑employment screening, confidentiality agreements, role‑based responsibilities, and termination procedures.

This section establishes the scope of the unified policy, showing how each domain contributes to the overall governance framework.

2. Governance and Accountability

Policy Statements:

Governance structures establish accountability for information security across all domains. Oversight is demonstrated through board involvement, defined roles, and collaborative responsibilities with suppliers and partners.

• Board Oversight: Governance is demonstrated through board involvement, consistent with ISO/IEC 27001 Clause 5.1, SOX Section 404, King IV Principle 12, and the UK Corporate Governance Code (2018). The board sets the tone at the top, ensuring that information security, privacy, and resilience are integrated into organisational strategy.
• Defined Roles and Responsibilities: Formal appointments include Chief Information Security Officer (CISO), Incident Response Manager, Business Continuity Manager, Vendor Risk Manager, Cryptography Officer, Facilities Security Manager, and HR Security Manager (ISO 27001 Clause 5.3). These roles are documented in job descriptions and linked to accountability structures.
• Departmental Accountability: Department heads oversee compliance within their teams, ensuring that operational practices align with policy statements. HR managers oversee workforce security responsibilities, facilities managers oversee physical access controls, and IT managers oversee cryptography and acceptable use.
• Reporting and Review: Quarterly performance reports are presented to the Audit & Risk Committee, fulfilling SOX Section 404 and King IV Principle 12. Reports include incident metrics, training completion rates, vendor compliance status, and audit findings.
• Supplier Collaboration: Collaborative responsibilities with suppliers and partners are documented and reviewed annually (ISO 44001 Clause 5.2, 7.4). Vendor contracts include clauses on incident participation, continuity planning, acceptable use, and cryptography standards.
• Governance Alignment: Practices align with COSO Principle 1 (Governance & Culture), ensuring tone at the top, accountability for risk, and integration of governance into organisational culture.
• Integration Across Domains:
  • Information Security: Governance ensures ISMS objectives are reviewed annually (ISO 27001 Clause 6.2).
  • Data Protection: Governance structures ensure lawful processing of personal data (GDPR Articles 5–6, POPIA Section 19).
  • Awareness: Governance mandates training programmes (ISO 27001 Annex A.7.2.2, PCI DSS Req. 12.6).
  • Incident Response: Governance ensures escalation procedures are documented (ISO 27001 Annex A.16.1, NIST CSF RS.RP).
  • Continuity: Governance integrates resilience into enterprise risk registers (ISO 22301 Clause 8.2).
  • Vendor Risk: Governance requires supplier oversight (ISO 27001 Annex A.15.1, SOC 2 CC9).
  • Acceptable Use: Governance defines authorised and prohibited activities (ISO 27001 Annex A.8.1, PCI DSS Req. 12.3).
  • Cryptography: Governance approves algorithms and key management (ISO 27001 Annex A.10.1, GDPR Article 32).
  • Physical Security: Governance mandates facility access controls (ISO 27001 Annex A.11.1, PCI DSS Req. 9.1–9.4).
  • HR Security: Governance ensures pre‑employment screening and termination procedures (ISO 27001 Annex A.7.1–A.7.3, SOC 2 CC2).

3. Risk Management

Policy Statements:

Risk management practices are applied across all domains of information security, privacy, continuity, vendor oversight, acceptable use, cryptography, physical security, and HR security. Risks are identified, assessed, and treated systematically, with alignment to international frameworks and governance codes.

• Risk Assessment: Risk assessments are carried out regularly in accordance with ISO/IEC 27001 Clause 6.1.2 and ISO 22301 Clause 8.2. These assessments consider threats to information assets, personal data, IT systems, facilities, and workforce security.
• Risk Treatment: Risk treatment plans are documented and reviewed in line with ISO/IEC 27001 Clause 6.1.3, ensuring that mitigation strategies are proportionate to the level of risk. Treatment options include acceptance, avoidance, transfer, or mitigation.
• Integration into Enterprise Risk Registers: Business continuity, vendor, HR, cryptography, and acceptable use risks are integrated into enterprise risk registers. This ensures that information security risks are not managed in isolation but are part of the broader organisational risk landscape.
• Cybercrime Considerations: Risks relating to cybercrime are considered under the South Africa Cybercrimes Act (2020) and the Mauritius Cybercrime Act (2003/2018). These frameworks guide the identification of risks such as fraud, unauthorised access, and data manipulation.
• Shared Risk Registers with Partners: Shared risk registers with strategic partners include continuity, vendor, and HR risks, in line with ISO 44001 Clause 6.3. This collaborative approach ensures that risks in joint ventures and supplier relationships are identified and managed collectively.
• COSO ERM Alignment: Risk management practices align with the COSO ERM Framework (2017, Principle 6), embedding risk into organisational culture and decision‑making. This ensures that risk appetite, tolerance, and response strategies are clearly defined.
• Domain‑Specific Risk Practices:
  • Information Security: Risks to confidentiality, integrity, and availability are assessed using NIST CSF Identify Function (ID.RA).
  • Data Protection & Privacy: Risks to personal data are assessed through Data Protection Impact Assessments (DPIAs), aligned with GDPR Article 35 and POPIA Section 19.
  • Awareness & Training: Risks of human error and social engineering are addressed through training programmes (ISO 27001 Annex A.7.2.2, PCI DSS Req. 12.6).
  • Incident Response: Risks of delayed detection or escalation are mitigated through documented response procedures (ISO 27001 Annex A.16.1, NIST CSF RS.MI).
  • Business Continuity: Risks of disruption are addressed through continuity planning and disaster recovery exercises (ISO 22301 Clause 8.4, PCI DSS Req. 12.11).
  • Vendor Risk: Supplier risks are managed through due diligence, contracts, and monitoring (ISO 27001 Annex A.15.1, SOC 2 CC9, GDPR Article 28).
  • Acceptable Use: Risks of misuse are mitigated through acceptable use standards and monitoring (ISO 27001 Annex A.8.1, PCI DSS Req. 12.3).
  • Cryptography: Risks of weak encryption or poor key management are addressed through approved algorithms and lifecycle controls (ISO 27001 Annex A.10.1, GDPR Article 32).
  • Physical Security: Risks of unauthorised access or environmental damage are mitigated through facility controls (ISO 27001 Annex A.11.1, PCI DSS Req. 9.1–9.4).
  • HR Security: Risks of insider threat or improper termination are addressed through screening, confidentiality agreements, and access revocation (ISO 27001 Annex A.7.1–A.7.3, SOC 2 CC2).

4. Standards and Controls

Policy Statements:

The organisation applies a comprehensive set of standards and controls across all domains of information security, privacy, continuity, vendor oversight, acceptable use, cryptography, physical security, and HR security. These controls are aligned with international standards, sector‑specific requirements, and governance codes to ensure consistency, resilience, and accountability.

Access control practices are structured in line with ISO/IEC 27001 Annex A.9.2.3 and A.12.4.1, supported by PCI DSS v4.0 Req. 12.3 and HIPAA §164.308(a)(2). Workforce obligations are documented under GDPR Article 29 and POPIA Section 19(3). Acceptable use standards define authorised and prohibited activities, including restrictions on personal use, data sharing, and system monitoring. In multi‑vendor environments, SIAM v4 guidance is applied to ensure supplier access controls are consistent across service providers. Governance oversight aligns with King IV Principle 12 and King V draft principles on stakeholder inclusivity, ensuring acceptable use policies reflect ethical conduct and transparency.

Cryptographic standards follow ISO/IEC 27001 Annex A.10.1, NIST CSF PR.DS, PCI DSS v4.0 Req. 3–4, HIPAA §164.312(a)(2)(iv), and GDPR Article 32. Approved algorithms include AES‑256, RSA‑2048, and SHA‑256. Key management lifecycle practices are aligned with ISO/IEC 27017:2015 (cloud security controls) and ISO/IEC 27018:2019 (cloud privacy controls), ensuring cloud service providers apply consistent encryption and privacy safeguards. Emerging AI governance requirements are addressed under ISO/IEC 42001:2023 (AI Management Systems), extending cryptographic and privacy controls to AI‑driven systems. Vendor contracts mandate encryption obligations, with oversight documented under ISO 44001 Clause 7.4.

Physical security controls are aligned with ISO/IEC 27001 Annex A.11.1, A.11.2.1, PCI DSS v4.0 Req. 9.1–9.4, HIPAA §164.310, and SOC 2 CC6 Physical Security Criteria. Facility access restrictions include badges, biometrics, visitor logs, and CCTV, with environmental safeguards addressing fire, flood, and power continuity. Supplier facilities are reviewed under ISO 44001 Clause 7.4 to ensure collaborative resilience. Governance oversight aligns with COSO Principle 17, embedding physical resilience into enterprise risk reporting.

Human resources security practices reference ISO/IEC 27001 Annex A.7.1–A.7.3, SOC 2 CC2, HIPAA §164.308(a)(2), and GDPR Article 29. Pre‑employment screening, confidentiality agreements, role‑based responsibilities, and termination procedures are documented. Workforce governance aligns with King IV Principle 14 and King V draft principles, ensuring ethical treatment of employees and contractors. HR security controls are integrated into vendor contracts, requiring suppliers to apply equivalent workforce standards.

Vendor and third‑party controls reference ISO/IEC 27001 Annex A.15.1, NIST CSF ID.SC, SOC 2 CC9, PCI DSS v4.0 Req. 12.8, HIPAA §164.308(b)(1), and GDPR Article 28. Contracts mandate compliance with cryptography, acceptable use, and incident participation. Collaborative governance is documented under ISO 44001:2017 and SIAM v4, ensuring multi‑supplier environments apply consistent standards. Vendor risk assessments are conducted prior to onboarding and annually thereafter, with results integrated into enterprise risk registers.

Continuity and incident controls reference ISO 22301 Clause 8.4, ISO/IEC 27001 Annex A.17.1, PCI DSS v4.0 Req. 12.11, HIPAA §164.308(a)(7), and NIST CSF RC.IM, RS.MI. Supplier participation is mandated under ISO 44001 Clause 7.4, ensuring continuity and incident response are collaborative. Incident escalation procedures are documented in line with ISO/IEC 27001 Annex A.16.1 and NIST CSF RS.CO, with breach notifications referencing GDPR Articles 33–34 and POPIA Section 22.

Privacy controls reference ISO/IEC 27701:2019 Clause 5.4.2, GDPR Articles 5–6, 32, 33–34, POPIA Sections 19, 22, Mauritius DPA Section 36, and AU Convention 108+. Cloud privacy practices are aligned with ISO/IEC 27018:2019, ensuring personal data in cloud environments is processed lawfully and securely. Governance oversight aligns with OECD Principles of Corporate Governance (2015) and SEBI LODR Regulations (2015), embedding transparency and accountability in data protection practices.

5. Monitoring and Oversight

Policy Statements:

Monitoring and oversight practices ensure that information security, privacy, and governance controls are functioning effectively across all domains. Oversight activities are designed to provide assurance to management, regulators, and stakeholders, and are aligned with international standards and governance codes.

Information security monitoring is structured in line with ISO/IEC 27001 Annex A.12.4.1, requiring event logs to be produced, retained, and reviewed. Logs capture user activity, system events, and security alerts, with retention periods aligned to regulatory requirements. Oversight of monitoring activities is documented under SOC 2 CC6.1–CC6.3, ensuring that system operations are continuously observed for anomalies.

Data protection oversight references ISO/IEC 27701:2019 Clause 7.4.2, GDPR Article 32, and POPIA Section 19(2). Monitoring activities include regular reviews of data processing operations, privacy impact assessments, and breach detection mechanisms. Cloud monitoring practices are aligned with ISO/IEC 27017:2015 Clause 12.1 and ISO/IEC 27018:2019 Clause 11.4, ensuring that cloud service providers maintain transparency and accountability in handling personal data.

Cybersecurity awareness oversight is guided by PCI DSS v4.0 Req. 12.6 and ISO/IEC 27001 Annex A.7.2.2, requiring evidence of training completion and effectiveness. Oversight includes monitoring participation rates, evaluating training outcomes, and reporting results to governance committees.

Incident response oversight references ISO/IEC 27001 Annex A.16.1, NIST CSF RS.CO, and HIPAA §164.308(a)(6). Monitoring activities include tracking incident detection times, escalation procedures, and resolution effectiveness. Oversight committees review incident reports quarterly, ensuring lessons learned are integrated into future response plans.

Business continuity oversight is aligned with ISO 22301 Clause 9.1–9.3, requiring performance evaluation of continuity exercises. Monitoring includes tracking recovery times, validating RTO/RPO objectives, and ensuring supplier participation. Oversight reports are presented to the Audit & Risk Committee, fulfilling King IV Principle 12 and COSO Principle 17.

Vendor and third‑party oversight references ISO/IEC 27001 Annex A.15.1, NIST CSF ID.SC, SOC 2 CC9.2, and PCI DSS v4.0 Req. 12.8.5. Monitoring activities include quarterly vendor audits, dashboard reviews, and compliance attestations. Collaborative oversight is documented under ISO 44001 Clause 7.4 and SIAM v4, ensuring multi‑supplier environments are monitored consistently.

Acceptable use oversight references ISO/IEC 27001 Annex A.8.1.3, requiring monitoring of system usage to detect unauthorised activities. Oversight includes reviewing logs for policy violations, monitoring internet and email usage, and reporting breaches to HR and compliance teams. Governance oversight aligns with King V draft principles, ensuring transparency in workforce monitoring.

Cryptography oversight references ISO/IEC 27001 Annex A.10.1.2, PCI DSS v4.0 Req. 3.6, and GDPR Article 32. Monitoring activities include reviewing key management logs, validating algorithm strength, and ensuring compliance with lifecycle procedures. Oversight committees review cryptographic practices annually, with results documented in audit reports.

Physical security oversight references ISO/IEC 27001 Annex A.11.1.4, PCI DSS v4.0 Req. 9.10, and HIPAA §164.310(d)(2). Monitoring activities include reviewing access logs, CCTV footage, and visitor records. Oversight includes quarterly inspections of facilities, environmental controls, and supplier premises.

HR security oversight references ISO/IEC 27001 Annex A.7.2.2, SOC 2 CC2.2, and GDPR Article 29. Monitoring activities include reviewing compliance with confidentiality agreements, tracking completion of workforce training, and ensuring termination procedures are followed. Oversight reports are presented to HR governance committees, aligning with King IV Principle 14.

Governance oversight integrates all domains under COSO ERM Principle 17, ensuring that monitoring results are reported to the board and stakeholders. Oversight practices align with OECD Principles of Corporate Governance (2015) and SEBI LODR Regulations (2015), embedding transparency and accountability into monitoring activities.

6. Incident Response and Continuity

Policy Statements:

Incident response and continuity practices ensure that the organisation can detect, respond to, and recover from security events and operational disruptions. These practices integrate requirements from information security, privacy, vendor oversight, acceptable use, cryptography, physical security, and HR security, and are aligned with international standards and governance codes.

Incident response processes are documented in line with ISO/IEC 27001 Annex A.16.1, requiring clear procedures for identification, reporting, and escalation of incidents. Oversight is supported by NIST CSF RS.CO (Response Communications) and RS.MI (Mitigation), ensuring that incidents are managed effectively and lessons learned are incorporated into future planning. Breach notification obligations follow GDPR Articles 33–34, POPIA Section 22, and HIPAA §164.308(a)(6), requiring timely communication with regulators and affected individuals.

Continuity practices are structured according to ISO 22301 Clause 8.4 and ISO/IEC 27001 Annex A.17.1, requiring documented business continuity and disaster recovery plans. Recovery objectives (RTO/RPO) are defined and tested annually, with results reported to governance committees. Oversight aligns with COSO ERM Principle 17, embedding resilience into enterprise risk reporting.

Vendor participation in incident response and continuity is mandated under ISO/IEC 27001 Annex A.15.1, PCI DSS v4.0 Req. 12.8.5, and ISO 44001 Clause 7.4, ensuring that suppliers are integrated into escalation procedures and continuity exercises. Multi‑vendor environments apply SIAM v4 guidance, ensuring consistent incident handling across service providers.

Cryptography controls are integrated into incident response, referencing ISO/IEC 27017:2015 Clause 12.1 and ISO/IEC 27018:2019 Clause 11.4, requiring monitoring of encryption failures and privacy breaches in cloud environments. AI‑driven systems are included under ISO/IEC 42001:2023, ensuring that incidents involving machine learning models are detected and mitigated.

Physical security incidents are addressed under ISO/IEC 27001 Annex A.11.1.4, PCI DSS v4.0 Req. 9.10, and HIPAA §164.310(d)(2). Procedures include evacuation plans, environmental monitoring, and facility recovery strategies. Oversight includes quarterly inspections and annual continuity drills.

HR security incidents are managed under ISO/IEC 27001 Annex A.7.2.2, SOC 2 CC2.2, and GDPR Article 29, requiring procedures for insider threats, workforce misconduct, and improper termination. Incident escalation includes coordination between HR, IT, and compliance teams.

Governance oversight integrates all domains under King IV Principle 12 and King V draft principles, ensuring that incident response and continuity are reported to the board and stakeholders. Transparency obligations align with OECD Principles of Corporate Governance (2015) and SEBI LODR Regulations (2015), embedding accountability into incident management.

Examples of Controls and Practices:

• Incident detection systems integrated with SIEM platforms, generating alerts for anomalous activity.
• Escalation flowcharts defining roles and responsibilities during incidents.
• Breach notification templates prepared for GDPR, HIPAA, and POPIA compliance.
• Business impact analysis conducted annually, identifying critical processes and dependencies.
• Continuity exercises simulating cyberattacks, natural disasters, and vendor failures.
• Vendor risk assessments including incident response participation clauses.
• Cryptographic monitoring ensuring encryption failures are logged and investigated.
• Physical security drills covering evacuation, lockdown, and environmental recovery.
• HR incident procedures including immediate revocation of access and investigation protocols.

7. Training and Awareness

Policy Statements:

Training and awareness programmes ensure that employees, contractors, and third‑party partners understand their responsibilities in safeguarding information assets, complying with data protection laws, and responding effectively to incidents. These programmes are aligned with international standards, sector‑specific requirements, and governance codes, and are designed to embed a culture of security and accountability across the organisation.

Information security awareness is structured in line with ISO/IEC 27001 Annex A.7.2.2, requiring all staff to receive regular training on security policies, acceptable use, and incident response. Oversight is supported by PCI DSS v4.0 Req. 12.6, which requires evidence of training completion, and SOC 2 CC6.3, which emphasises workforce awareness of system operations and risks.

Data protection training references ISO/IEC 27701:2019 Clause 7.2.2, GDPR Article 29, and POPIA Section 19(3). Employees are trained on lawful processing, data minimisation, breach notification, and cross‑border transfer obligations. Cloud privacy awareness is aligned with ISO/IEC 27018:2019 Clause 11.5, ensuring staff understand the implications of processing personal data in cloud environments.

Cybersecurity awareness programmes include simulations of phishing, social engineering, and ransomware attacks. These exercises are aligned with NIST CSF PR.AT (Awareness and Training), ensuring that staff can recognise and respond to threats. Oversight committees review training outcomes quarterly, embedding lessons learned into future programmes.

Incident response training references ISO/IEC 27001 Annex A.16.1.2, requiring role‑specific training for incident handlers. Staff are trained on escalation procedures, communication protocols, and breach notification requirements under GDPR Articles 33–34 and POPIA Section 22. Tabletop exercises are conducted annually, simulating incidents across IT, HR, and facilities domains.

Business continuity awareness is aligned with ISO 22301 Clause 7.3, requiring staff to understand their roles during disruptions. Training includes evacuation drills, disaster recovery simulations, and supplier participation exercises. Oversight aligns with COSO ERM Principle 17, embedding resilience into organisational culture.

Vendor and third‑party training references ISO/IEC 27001 Annex A.15.1.2, requiring suppliers to provide evidence of workforce awareness programmes. Collaborative training is documented under ISO 44001 Clause 7.4 and SIAM v4, ensuring multi‑supplier environments apply consistent standards.

Acceptable use training references ISO/IEC 27001 Annex A.8.1.3, requiring staff to understand authorised and prohibited activities. Training includes case studies of misuse, monitoring practices, and disciplinary procedures. Governance oversight aligns with King V draft principles, embedding transparency and accountability in workforce monitoring.

Cryptography awareness references ISO/IEC 27001 Annex A.10.1.2, PCI DSS v4.0 Req. 3.6.6, and GDPR Article 32. Staff are trained on encryption practices, key management responsibilities, and the implications of cryptographic failures. Awareness programmes extend to AI systems under ISO/IEC 42001:2023, ensuring staff understand the risks of machine learning models.

Physical security awareness references ISO/IEC 27001 Annex A.11.1.5, PCI DSS v4.0 Req. 9.9, and HIPAA §164.310(d)(2). Training includes facility access procedures, visitor management, and environmental safeguards. Staff participate in quarterly drills covering evacuation, lockdown, and recovery procedures.

HR security awareness references ISO/IEC 27001 Annex A.7.2.2, SOC 2 CC2.2, and GDPR Article 29. Training includes confidentiality obligations, insider threat awareness, and termination procedures. Governance oversight aligns with King IV Principle 14, embedding ethical treatment of employees into workforce programmes.

Governance oversight integrates all domains under OECD Principles of Corporate Governance (2015) and SEBI LODR Regulations (2015), ensuring that training and awareness programmes are transparent, accountable, and reported to stakeholders. Oversight committees review training outcomes annually, embedding continuous improvement into organisational culture.

Examples of Controls and Practices:

• Mandatory annual training for all employees, with completion tracked in HR systems.
• Role‑specific training for IT administrators, incident responders, HR managers, and facilities staff.
• Quarterly phishing simulations with reporting of click‑through rates.
• Vendor training attestations included in supplier contracts.
• Tabletop exercises simulating data breaches, ransomware attacks, and facility disruptions.
• Cryptography workshops covering algorithm strength, key management, and AI risks.
• Physical security drills covering evacuation, lockdown, and environmental recovery.
• HR training modules covering confidentiality, insider threats, and termination procedures.

8. Compliance Obligations

Policy Statements:

Compliance obligations ensure that the organisation operates within the boundaries of applicable laws, regulations, standards, and governance codes. These obligations span information security, privacy, continuity, vendor oversight, acceptable use, cryptography, physical security, and HR security. The organisation’s compliance framework integrates international standards, regional legislation, and sector‑specific requirements, embedding accountability and transparency into all operations.

Information security compliance is structured in line with ISO/IEC 27001:2022 Clause 4.2 and Clause 9.1, requiring identification of applicable legal, regulatory, and contractual requirements. Oversight is supported by NIST CSF ID.GV (Governance) and SOC 2 CC1.1, ensuring that compliance obligations are documented, monitored, and reviewed.

Data protection compliance references ISO/IEC 27701:2019 Clause 5.4.2, GDPR Articles 5–6, 32, 33–34, POPIA Sections 19, 22, Mauritius DPA Section 36, and the AU Convention 108+. Obligations include lawful processing, data minimisation, breach notification, and cross‑border transfer assessments. Cloud privacy compliance is aligned with ISO/IEC 27018:2019, ensuring personal data processed in cloud environments meets international privacy standards.

Sector‑specific compliance obligations include HIPAA Security Rule (45 CFR §164.308–312) for healthcare data, PCI DSS v4.0 for cardholder data, and SOC 2 Trust Services Criteria for service organisations. These frameworks require documented controls, monitoring, and reporting to demonstrate compliance.

Cybersecurity compliance obligations reference South Africa Cybercrimes Act (2020) and Mauritius Cybercrime Act (2003/2018), requiring detection, reporting, and prosecution of cybercrime incidents. Oversight committees ensure that obligations are integrated into incident response and monitoring practices.

Business continuity compliance is aligned with ISO 22301 Clause 4.2 and Clause 9.1, requiring identification of statutory and contractual obligations for continuity planning. Obligations include maintaining resilience in critical services, conducting annual continuity exercises, and reporting results to regulators and stakeholders.

Vendor compliance obligations reference ISO/IEC 27001 Annex A.15.1.2, NIST CSF ID.SC, PCI DSS v4.0 Req. 12.8.5, and GDPR Article 28. Contracts mandate supplier compliance with applicable laws and standards, including data protection, cryptography, and incident response. Collaborative compliance is documented under ISO 44001 Clause 7.4 and SIAM v4, ensuring multi‑supplier environments apply consistent obligations.

Acceptable use compliance references ISO/IEC 27001 Annex A.8.1.3, requiring monitoring of workforce activities to detect policy violations. Obligations include disciplinary procedures, reporting of misuse, and transparency in workforce monitoring. Governance oversight aligns with King V draft principles, embedding accountability in acceptable use practices.

Cryptography compliance references ISO/IEC 27001 Annex A.10.1.2, PCI DSS v4.0 Req. 3.6, and GDPR Article 32. Obligations include use of approved algorithms, documented key management procedures, and compliance with lifecycle requirements. Cloud cryptography obligations are aligned with ISO/IEC 27017:2015 Clause 12.1, ensuring encryption practices are consistent across cloud environments. AI compliance obligations reference ISO/IEC 42001:2023, requiring governance of AI systems, including transparency, accountability, and risk management.

Physical security compliance references ISO/IEC 27001 Annex A.11.1.4, PCI DSS v4.0 Req. 9.10, and HIPAA §164.310(d)(2). Obligations include facility access controls, visitor management, and environmental safeguards. Supplier facilities are required to demonstrate compliance through audits and inspections.

HR security compliance references ISO/IEC 27001 Annex A.7.2.2, SOC 2 CC2.2, and GDPR Article 29. Obligations include confidentiality agreements, insider threat monitoring, and termination procedures. Governance oversight aligns with King IV Principle 14, embedding ethical treatment of employees into compliance frameworks.

Governance oversight integrates all domains under COSO ERM Principle 17, ensuring compliance obligations are reported to the board and stakeholders. Oversight aligns with OECD Principles of Corporate Governance (2015) and SEBI LODR Regulations (2015), embedding transparency and accountability into compliance practices.

Examples of Controls and Practices:

• Compliance registers documenting applicable laws, regulations, and standards.
• Annual compliance audits covering information security, privacy, continuity, and vendor obligations.
• Breach notification templates aligned with GDPR, HIPAA, and POPIA requirements.
• Vendor contracts including compliance clauses and audit rights.
• Workforce training modules covering compliance obligations.
• Cryptography compliance checklists validating algorithm strength and key management practices.
• Physical security compliance inspections covering facility access and environmental safeguards.
• HR compliance reviews covering confidentiality agreements and termination procedures.

9. Audit and Assurance

Policy Statements:

Audit and assurance practices provide independent verification that information security, privacy, continuity, vendor oversight, acceptable use, cryptography, physical security, and HR security controls are operating effectively. These practices are aligned with international standards, sector‑specific requirements, and governance codes, ensuring transparency, accountability, and continuous improvement.

Information security audits are structured in line with ISO/IEC 27001 Clause 9.2, requiring internal audits at planned intervals to verify compliance with the ISMS. Oversight is supported by NIST CSF ID.GV (Governance) and SOC 2 CC1.1, ensuring that audit results are documented, reported, and acted upon. External certification audits are conducted by accredited bodies, providing assurance to regulators and stakeholders.

Data protection assurance references ISO/IEC 27701:2019 Clause 9.2, GDPR Article 24, and POPIA Section 19(2). Audits include reviews of data processing operations, privacy impact assessments, and breach notification procedures. Cloud privacy audits are aligned with ISO/IEC 27018:2019 Clause 11.5, ensuring that cloud service providers demonstrate compliance with privacy obligations.

Sector‑specific audits include HIPAA Security Rule (45 CFR §164.308–312) compliance reviews, PCI DSS v4.0 assessments, and SOC 2 Type II examinations. These audits provide assurance that controls are operating effectively over time, with results reported to governance committees.

Cybersecurity assurance references South Africa Cybercrimes Act (2020) and Mauritius Cybercrime Act (2003/2018), requiring audits of detection, reporting, and prosecution practices. Oversight committees review audit results, ensuring that obligations are integrated into incident response and monitoring practices.

Business continuity assurance is aligned with ISO 22301 Clause 9.2, requiring internal audits of continuity and recovery plans. Assurance activities include testing recovery objectives, validating supplier participation, and reporting results to governance committees. Oversight aligns with COSO ERM Principle 17, embedding resilience into enterprise risk reporting.

Vendor assurance references ISO/IEC 27001 Annex A.15.1.2, NIST CSF ID.SC, PCI DSS v4.0 Req. 12.8.5, and GDPR Article 28. Audits include supplier compliance reviews, contract assessments, and collaborative assurance activities under ISO 44001 Clause 7.4 and SIAM v4. Multi‑supplier environments are audited to ensure consistent standards and obligations.

Acceptable use assurance references ISO/IEC 27001 Annex A.8.1.3, requiring audits of workforce activities to detect policy violations. Assurance activities include reviewing logs, monitoring internet and email usage, and reporting breaches to HR and compliance teams. Governance oversight aligns with King V draft principles, embedding accountability in acceptable use practices.

Cryptography assurance references ISO/IEC 27001 Annex A.10.1.2, PCI DSS v4.0 Req. 3.6, and GDPR Article 32. Audits include reviews of key management practices, algorithm strength, and lifecycle compliance. Cloud cryptography assurance is aligned with ISO/IEC 27017:2015 Clause 12.1, ensuring encryption practices are consistent across cloud environments. AI assurance obligations reference ISO/IEC 42001:2023, requiring audits of AI systems, including transparency, accountability, and risk management.

Physical security assurance references ISO/IEC 27001 Annex A.11.1.4, PCI DSS v4.0 Req. 9.10, and HIPAA §164.310(d)(2). Audits include facility inspections, access log reviews, and environmental safeguard assessments. Supplier facilities are required to demonstrate compliance through independent audits.

HR security assurance references ISO/IEC 27001 Annex A.7.2.2, SOC 2 CC2.2, and GDPR Article 29. Audits include reviews of confidentiality agreements, insider threat monitoring, and termination procedures. Governance oversight aligns with King IV Principle 14, embedding ethical treatment of employees into assurance frameworks.

Governance oversight integrates all domains under OECD Principles of Corporate Governance (2015) and SEBI LODR Regulations (2015), ensuring that audit and assurance results are transparent, accountable, and reported to stakeholders. Oversight committees review audit outcomes annually, embedding continuous improvement into organisational culture.

Examples of Controls and Practices:

• Internal audit schedules covering information security, privacy, continuity, and vendor obligations.
• External certification audits for ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 22301.
• SOC 2 Type II examinations providing assurance over time.
• PCI DSS v4.0 assessments validating cardholder data security.
• HIPAA compliance reviews covering administrative, physical, and technical safeguards.
• Vendor audits including contract reviews and compliance attestations.
• Workforce audits covering acceptable use, confidentiality agreements, and termination procedures.
• Cryptography audits validating algorithm strength, key management practices, and AI governance.
• Physical security audits covering facility access, visitor management, and environmental safeguards.
• Governance oversight reports presented to the Audit & Risk Committee and board.

10. Governance Alignment Statement

Policy Statements:

The appendices provide supporting detail, references, and governance alignment statements that ensure the organisation’s information security and governance framework is comprehensive, transparent, and aligned with international standards, sector‑specific requirements, and corporate governance codes.

The appendices include mappings of controls to standards, glossaries of terms, templates for reporting, and governance alignment statements. These documents serve as reference material for staff, auditors, regulators, and stakeholders, ensuring clarity and accountability.

The governance alignment statement integrates all domains under the below and more:

• OECD Principles of Corporate Governance (2015).
• SEBI LODR Regulations (2015).
• UK Corporate Governance Code (2018).
• King IV Principles and King V draft principles.

This statement demonstrates that the organisation’s information security and governance framework is transparent, accountable, and aligned with international best practices. It confirms that oversight committees review appendices annually, embedding continuous improvement into organisational culture.

11. Appendices Guidelines

The appendices should map the organisational controls from the policies to practically implementable controls in the Information Compliance Unviverse (ICU). Below are the minimum guidelines with examples of how this can be achieved.

Control Mapping Tables

The organisation maintains detailed mapping tables that cross‑reference internal controls against international standards and frameworks. Examples include:

• ISO/IEC 27001 Annex A controls mapped to NIST CSF categories and SOC 2 Trust Services Criteria.
• ISO/IEC 27701 privacy controls mapped to GDPR Articles 5–6, 32, 33–34, POPIA Sections 19, 22, and Mauritius DPA Section 36.
• ISO/IEC 27017 and 27018 cloud controls mapped to contractual obligations for cloud service providers.
• ISO/IEC 42001 AI governance controls mapped to organisational AI risk management practices.

Templates and Forms

The appendices include standardised templates to ensure consistency in compliance and reporting:

• Data Protection Impact Assessment (DPIA) template aligned with GDPR Article 35.
• Breach notification form aligned with GDPR Article 33, POPIA Section 22, and HIPAA breach notification rules.
• Business continuity plan template aligned with ISO 22301 Clause 8.4.
• Vendor risk assessment form aligned with ISO/IEC 27001 Annex A.15 and PCI DSS Req. 12.8.
• Incident response escalation flowchart aligned with ISO/IEC 27001 Annex A.16.

Sector‑Specific Compliance Matrices

Sector‑specific obligations are documented in compliance matrices:

• HIPAA Security Rule matrix covering administrative, physical, and technical safeguards.
• PCI DSS v4.0 matrix covering cardholder data protection requirements.
• SOC 2 Type II matrix covering Trust Services Criteria for security, availability, confidentiality, processing integrity, and privacy.

Cryptography and AI Governance Appendices

Cryptography appendices include:

• Approved algorithm lists (AES‑256, RSA‑2048, SHA‑256).
• Key management lifecycle procedures (generation, distribution, rotation, destruction).
• Audit templates for cryptographic compliance.

AI governance appendices include:

• Risk assessment templates for machine learning models aligned with ISO/IEC 42001:2023.
• Transparency and accountability checklists for AI systems.
• Ethical use guidelines aligned with King V draft principles on stakeholder inclusivity.

Physical and HR Security Appendices

Physical security appendices include:

• Facility access logs and visitor management templates.
• Environmental safeguard checklists (fire suppression, flood protection, backup power).

HR security appendices include:

• Confidentiality agreement templates.
• Insider threat monitoring procedures.
• Termination checklists ensuring immediate revocation of access.

Information security appendices include mappings to ISO/IEC 27001:2022 Annex A controls, NIST CSF v2.0 categories, and SOC 2 Trust Services Criteria. These mappings demonstrate how organisational controls align with international best practices.

Data protection appendices reference ISO/IEC 27701:2019, GDPR Articles 5–6, 32, 33–34, POPIA Sections 19, 22, Mauritius DPA Section 36, and AU Convention 108+. Templates include Data Protection Impact Assessment (DPIA) forms, breach notification templates, and cross‑border transfer checklists.

Sector‑specific appendices include HIPAA Security Rule compliance matrices, PCI DSS v4.0 control mappings, and SOC 2 Type II audit templates. These documents provide assurance that sector‑specific obligations are integrated into the organisational framework.

Cybersecurity appendices reference South Africa Cybercrimes Act (2020) and Mauritius Cybercrime Act (2003/2018), including reporting templates for cybercrime incidents and escalation procedures.

Business continuity appendices include mappings to ISO 22301 Clause 8.4, continuity plan templates, disaster recovery exercise reports, and supplier participation checklists. Oversight aligns with COSO ERM Principle 17, embedding resilience into enterprise risk reporting.

Vendor appendices reference ISO/IEC 27001 Annex A.15.1.2, NIST CSF ID.SC, PCI DSS v4.0 Req. 12.8.5, and GDPR Article 28. Templates include supplier risk assessment forms, contract compliance clauses, and collaborative governance statements under ISO 44001 Clause 7.4 and SIAM v4.

Acceptable use appendices include policy documents, disciplinary procedures, and monitoring templates. Oversight aligns with King V draft principles, embedding accountability and transparency in workforce monitoring.

Cryptography appendices reference ISO/IEC 27001 Annex A.10.1.2, PCI DSS v4.0 Req. 3.6, and GDPR Article 32. Documents include approved algorithm lists, key management lifecycle procedures, and audit templates. Cloud cryptography appendices reference ISO/IEC 27017:2015 Clause 12.1 and ISO/IEC 27018:2019 Clause 11.4, ensuring encryption practices are consistent across cloud environments. AI governance appendices reference ISO/IEC 42001:2023, including risk assessment templates for machine learning models.

Physical security appendices reference ISO/IEC 27001 Annex A.11.1.4, PCI DSS v4.0 Req. 9.10, and HIPAA §164.310(d)(2). Documents include facility access logs, visitor management templates, and environmental safeguard checklists.

HR security appendices reference ISO/IEC 27001 Annex A.7.2.2, SOC 2 CC2.2, and GDPR Article 29. Documents include confidentiality agreements, insider threat monitoring procedures, and termination checklists. Oversight aligns with King IV Principle 14, embedding ethical treatment of employees into governance frameworks.

A Minimal Supporting Document Set:

• Control mappings to ISO/IEC 27001, NIST CSF, SOC 2, PCI DSS, HIPAA, GDPR, POPIA, Mauritius DPA, and AU Convention 108+.
• DPIA templates, breach notification forms, and cross‑border transfer checklists.
• Continuity plan templates, disaster recovery exercise reports, and supplier participation checklists.
• Vendor risk assessment forms, contract compliance clauses, and collaborative governance statements.
• Acceptable use policy documents, disciplinary procedures, and monitoring templates.
• Approved algorithm lists, key management lifecycle procedures, and audit templates.
• Facility access logs, visitor management templates, and environmental safeguard checklists.
• Confidentiality agreements, insider threat monitoring procedures, and termination checklists.
• Governance alignment statements referencing OECD, SEBI, UK Corporate Governance Code, King IV, and King V.

Enterprise and Conglomerate implementation content will be added here.