Level Access (Level) is committed to protecting its information assets to satisfy our business objectives and meet the information security requirements of our customers whilst maintaining the safety of individuals and their right to privacy. To achieve these goals, we have established an ISO 27001 Information Security Management System (ISMS).
This document outlines the highest-level security policy by describing:
- How we are committed to information security.
- The scope of what is covered by our ISMS.
- Our information security objectives.
There are additional, supplemental policy documents which provide more detail in specific areas.
This and other policy documents will be reviewed for opportunities for improvement annually, or when major changes occur which affect the context of the ISMS.
Deviations from policy may be allowed under exceptional circumstances. Contact firstname.lastname@example.org before deviating if you believe an exception is necessary. Observed deviations should be raised as an incident (see below).
The CEO and SVP of Engineering set Information Security as a priority for the business through the approval and availability of this policy.
The current policy is made available to all employees and interested parties by either direct communication or by request to email@example.com.
The SVP of Engineering sponsors the ISMS and owns the information security risks. The Director of Information Security is responsible for the implementation and operation of the ISMS, including reporting on its performance. Other dedicated, competent staff are responsible for implementing specific controls as needed.
Commitment is required from everyone at Level as described below:
- All employees are required to acknowledge they have read, understand and agree with this and the Employee Handbook.
- Employees will report any suspected security incidents, vulnerabilities or threats to information assets to firstname.lastname@example.org.
- Suppliers working on behalf of Level will be made aware of this policy and are required to comply with it.
Level conducts regular performance reviews of the ISMS that include senior management. This ensures the ISMS achieves its intended outcomes and our commitment to continually improving our information security posture.
The scope of the ISMS covers the Level applications delivered through Software-as-a-Service (SaaS) and their supporting operations. This includes the people and processes who directly contribute to the delivery of those services and operations, the physical and digital information assets which the services and operations depend on, and the management of third parties involved in their delivery.
In addition, Level complies with relevant laws and industry regulations which relate to information security.
Other information security activities occur at Level but are not within the scope of the ISMS at this time.
Information Security Objectives
The Information Security Objectives described below have been established after considering:
- The context, purpose, and internal, as well as external issues affecting the organization.
- Determining the requirements of the interested parties.
- The boundaries of the ISMS.
- The outputs of the risk assessment and risk treatment processes.
|To deliver reliable cloud applications for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information|
|To provide a pragmatic digital paperless ISMS for staff and other interested parties who need to access it which is integrated into their day to day work practices to ensure it becomes a habit for good performance not an inhibitor to getting their work done|
|To identify and manage risks of assets within the scope of the ISMS|
|To continually strengthen and improve the overall capabilities of the information security management system|
|To establish quantified information security goals annually through management and review meetings|
|To design, conduct and run an Application Security Program following best practices to give interested parties the confidence we deliver secure software|
|To protect the privacy of individuals who use, actively or passively, our hosted software products|
|To improve the resilience of our hosted software services|
|To maintain a highly secure hosted software platform|
|To certify an ISMS against the ISO 27001 standard, and maintain the certification|
Figure 1 – Table of Information Security Objectives
Measurements of these objectives are established as KPIs and reviewed in the management review meetings.
Note: A PDF version of this policy is available here : Level_Access_Information_Security_Policy v2.0