| Field | Value |
|---|---|
| Document ID | ISMS-POL-001 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | pending; annually, or on material change |
| Supersedes | none (initial issue) |
BackupExperts is entrusted by its customers with the protection of
their information. Where that information is lost, corrupted, or
disclosed without authorisation, the consequences fall first on the
customer and then on BackupExperts. The Managing Director and the
entire BackupExperts leadership commit to maintaining an Information
Security Management System (ISMS) that protects the confidentiality,
integrity, and availability of customer data and of BackupExperts'
own information assets.
This policy is the master document of that ISMS. All topic-specific
policies, procedures, and records on this wiki derive their authority
from it.
This policy applies to all activities, services, locations, personnel,
and information assets within the ISMS Scope. It is
binding on all BackupExperts personnel — employees, contractors, and
interns — and on third parties acting for BackupExperts, to the extent
their contracts incorporate it.
BackupExperts' information security objectives are to:
Measurable security objectives and KPIs are recorded in ISMS →
Objectives (planned) and reviewed at management
review.
The following principles inform every other policy and every
operational decision in scope of the ISMS.
| Role | Responsibility |
|---|---|
| Managing Director | Owns the ISMS overall. Approves this policy, the scope, the risk treatment plan, and the Statement of Applicability. Allocates resources for the ISMS. Chairs management review. |
| Information Security Officer (ISO) | Day-to-day owner of the ISMS. Maintains the risk register, the policy set, and this wiki. Coordinates internal audit. Acts as the contact point for customers, regulators, and external auditors on security matters. |
| All staff | Read, acknowledge, and follow the policies applicable to their role. Report security events without delay per the Incident Response Policy. Complete the awareness training assigned to them. |
| Suppliers | Comply with the contractual security requirements imposed by BackupExperts, including Article 28 obligations where they process personal data on our behalf. |
The Managing Director and the Information Security Officer roles may
be held by the same person; where that is the case, the dual capacity
is documented and considered when scoping internal audit and management
review (see §5.1).
At the time of issue, BackupExperts is operated by a single person who
holds both the Managing Director and the acting Information Security
Officer roles. This dual capacity is acknowledged as a separation-of-duties
weakness. The following compensating controls apply for as long as the
arrangement persists:
This arrangement is not a long-term target. Splitting the roles, or
formally appointing an external Information Security Officer, is on
the risk register (planned) with a stated
treatment plan.
This master policy is elaborated by, and shall be read together with:
In the event of conflict between this policy and any topic-specific
policy, this policy prevails until the conflict is resolved by formal
revision.
Compliance with this policy is mandatory. Suspected breaches are
handled as security events under the Incident Response Policy.
Confirmed breaches by personnel are handled under the disciplinary
procedure in BackupExperts' employment terms, up to and including
termination. Breaches by suppliers are handled under the relevant
contract.
Compliance with this policy does not relieve any person from compliance
with applicable law.
The Information Security Officer maintains the risk register
(planned). Risks are identified, assessed for likelihood and impact,
and assigned an owner and a treatment (accept, mitigate, transfer,
avoid). Risk acceptance above a defined threshold requires approval by
the Managing Director.
The risk register feeds the Statement of Applicability
(planned), which records which ISO/IEC 27001 Annex A controls are
applicable, how each is implemented, and where the evidence of
implementation is kept.
All personnel complete information security awareness training:
Records are kept in the training log (planned).
The ISMS is improved through:
This policy is reviewed at least annually and additionally on any
material change to the organisation, services, regulatory environment,
or risk profile. Revisions are approved by the Managing Director before
publication. Superseded versions are retained for the period stated in
the Statement of Applicability.