
Document Summary
| Item | Value |
|---|---|
| Organization | Information Dynamics |
| Document Name | Compliance Policy |
| Classification | Internal |
| Compliance Reference | ISO/IEC 27001:2013 |
Document Revision History
| Date | Version | Prepared By |
|---|---|---|
| Dec 29, 2019 | 1.0 | Arya Vijayan & Suresh Kutty |
| Dec 24, 2020 | 1.1 | Arya Vijayan & Suresh Kutty |
| Dec 24, 2021 | 1.2 | Vani & Suresh Kutty |
| Dec 29, 2022 | 1.3 | Ragini & Suresh Kutty |
Document Review History
| Reviewed By | Version | Date | Signature |
|---|---|---|---|
| Linda | 1.0 | 29-Dec-2019 | |
| Linda | 1.1 | 26-Dec-2020 | |
| Linda | 1.2 | 26-Dec-2021 | |
| Linda | 1.3 | 29-Dec-2022 | |
The purpose of this policy is to have a compliance framework designed in alignment with the security best practices and international standards.
ISO 27001:2013 Domain Reference: A.18 - Compliance
| ISO 27001:2013 Reference | Control |
|---|---|
| A.18.1.1 | Identification of applicable legislation and contractual requirements |
| A.18.1.2 | Intellectual property rights |
| A.18.1.3 | Protection of records |
| A.18.1.4 | Privacy and protection of personally identifiable information |
| A.18.2.1 | Independent review of information security |
| A.18.2.2 | Compliance with security policies and standards |
| A.18.2.3 | Technical compliance review |
This policy applies to all activities covered by the scope statement of Information Dynamics.
All relevant statutory, regulatory and contractual requirements and ID’s approach to meet these requirements shall be explicitly defined and documented.
Reference: ISMS Scope document
Licensing/copyright requirements for all information assets, including proprietary software application systems, shall be adhered to; such requirements typically limit the use of an application to specified machines or restrict the creation of backup copies.
The following controls shall be enforced:
Awareness shall be maintained among the staff for using only legal copies of software.
Disciplinary action shall be taken against all the users breaching these policies.
An asset register of licenses for software/hardware products shall be maintained.
Usage of licenses shall be monitored and controls shall be implemented to ensure usage is in accordance with the license agreement(s).
Regular checks shall be carried out to ensure that only authorized software and licensed products are installed.
Organizational records shall be classified, stored, protected, and destroyed (after the retention period) in accordance with asset classification and requirements of the applicable laws and regulations.
A register detailing the classification, valuation, ownership, storage location, period of retention and method of destruction shall be maintained for identified organizational records.
ID shall implement controls for collecting, processing, and disseminating personal information. Data protection and privacy shall ensure compliance with all relevant legislation, regulations, and, if applicable, contractual clauses.
The information security head shall solicit legal opinion on an annual basis to identify the list of applicable data protection/privacy regulations.
Any unauthorized usage/misuse of information processing facilities shall lead to disciplinary action as per the HR Policy.
Users, including but not limited to employees, third parties and subcontracted parties, shall be made aware of the permitted access to and use of information systems.
Information systems shall be configured to display appropriate warning banners against unauthorized access.
All users of information assets, including but not limited to employees and third parties, shall comply with the relevant aspects of ID's information security requirements.
Information asset owners shall support regular compliance reviews of their systems against appropriate clauses of ISMS.
Technical compliance checks shall be carried out regularly; these involve examining operational systems to ensure that hardware and software controls have been correctly implemented.
Audit of operational systems shall be planned to minimize risk of disruptions to the business processes.
The requirements and scope of the audit shall be agreed upon with the management and any requirement for special or additional processing shall be identified.
System audit tools shall be protected from any possible misuse or compromise. Only audit tools approved by the IT head shall be used for conducting systems audits.
Acceptable use of assets policy
ISMS Scope document – List of Applicable Laws and Legislations
ISMS policies – Technical Vulnerability Assessment and Penetration Test Frequencies