CPBM Information Security and IT Policies (ISO 27001 Compliant)
A comprehensive set of IT and information security policies aligned with ISO 27001 Annex A controls. Use this page on your IT Portal; sections are collapsible for easy navigation.
1. Information Security Policy (A.5)
This policy establishes management direction and support for information security in accordance with business requirements and relevant laws and regulations. Objectives include:
- Define roles and responsibilities for information security governance.
- Ensure confidentiality, integrity and availability of information assets.
- Align information security objectives with CPBM business goals.
2. Access Control Policy (A.9)
Access to information and systems shall be controlled and restricted based on business and security requirements. Key points:
- Access is granted on the principle of least privilege.
- User provisioning and de-provisioning procedures must be documented and followed.
- Multi-factor authentication (MFA) is required for remote and privileged access.
- Shared accounts are prohibited; where unavoidable, strict logging is required.
3. Asset Management Policy (A.8)
All IT assets including hardware, software, and data are company property and must be inventoried, classified, and protected according to sensitivity.
- Maintain an up-to-date asset inventory with owners and classification.
- Apply handling rules according to classification (Confidential / Internal / Public).
- Ensure secure disposal or transfer of assets when retired or reassigned.
4. Acceptable Use of IT Systems (A.9.1.1)
Users must use IT systems responsibly and only for business purposes. Any misuse, including unauthorized access or data manipulation, is prohibited.
- Personal use of corporate devices is limited and must not interfere with work.
- Downloading pirated software, media, or using peer-to-peer networks is forbidden.
- Report lost or stolen devices to IT immediately.
5. Cryptography & Password Policy (A.10)
All sensitive information must be encrypted during storage and transmission. Passwords must meet complexity and rotation standards defined by the IT Department.
- Use approved cryptographic algorithms and key management practices.
- Password minimum length: 12 characters; include upper, lower, number and symbol.
- Encourage passphrases and use of company-approved password managers.
6. Operations Security Policy (A.12)
Operational procedures and responsibilities must be documented, reviewed, and maintained to ensure secure and reliable IT operations.
- Change management procedures for system and application changes.
- Hardening standards for servers, endpoints, and network devices.
- Monitoring, logging and alerting for security-relevant events.
7. Communications & Email Policy (A.13)
Official communication shall only occur through approved corporate channels. Employees must avoid forwarding internal information to external addresses.
- Company email is for official business; avoid using personal email for work data.
- All attachments must be scanned and verified for malware before opening.
- Use data classification labels when sending sensitive information externally.
8. Backup & Recovery Policy (A.12.3)
Regular backups of critical systems and data shall be maintained. Backup data must be tested for integrity and stored securely.
- Define backup schedules and retention periods for each critical system.
- Store backup copies off-site or within approved cloud services.
- Perform periodic restore tests and record the results.
9. Physical & Environmental Security (A.11)
Physical access to IT equipment and data centers must be controlled. Environmental controls such as fire detection and UPS systems must be in place.
- Restrict access to server rooms and infrastructure to authorized staff only.
- Implement CCTV, entry logging and visitor management for critical areas.
- Ensure power redundancy, UPS and fire suppression systems are maintained.
10. Supplier / Vendor Policy (A.15)
Vendors handling company data or systems must comply with CPBM’s information security standards and sign confidentiality agreements.
- Perform security due diligence before onboarding vendors.
- Include security and confidentiality clauses in supplier contracts.
- Monitor vendor performance and compliance regularly.
11. Incident Management Policy (A.16)
All information security incidents must be reported immediately to the IT Department. Root cause analysis and corrective actions will be documented.
- Define incident classification and escalation matrix.
- Maintain an incident log and preserve evidence for forensic review.
- Conduct post-incident reviews and implement corrective actions.
12. Business Continuity & Disaster Recovery (A.17)
Business continuity and disaster recovery plans must ensure system availability during critical events and must be tested periodically.
- Maintain a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP).
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
- Run periodic BCP/DRP exercises and update plans based on lessons learned.
13. Compliance & Review Policy (A.18)
All IT activities shall comply with applicable legal, regulatory, and contractual obligations. Policies will be reviewed annually or as needed.
- Conduct periodic compliance audits and internal reviews.
- Maintain records of policy changes and approvals.
- Ensure staff awareness and training on key policies.