Compliance Policy

Document Summary

Item

Value

Organization

Information Dynamics

Document Name

Compliance Policy

Classification

Internal

Compliance Reference

ISO/IEC 27001:2013

Document Revision History

Date

Version

Prepared By

Dec 29,2019

1.0

Arya Vijayan & Suresh kutty

Dec24, 2020

1.1

Arya Vijayan & Suresh kutty

Dec24, 2021

1.2

Vani & Suresh kutty

Document Review History

Reviewed By

Version

Date

Signature

Linda

1.0

29-Dec-2019

Linda

1.1

26-Dec-2020

Linda

1.2

26-Dec-2021

Internal 2 of 5

1. Purpose

The purpose of this policy is to have a compliance framework designed in alignment with

the security best practices and international standards.

ISO 27001:2013 Domain Reference: A.18 - Compliance

ISO 27001:2013 Reference

A.18.1.1

Identification of applicable legislation and contractual requirements

A.18.1.2

Intellectual property rights

A.18.1.3

Protection of records

A.18.1.4

Privacy and protection of personally identifiable information

A.18.2.1

Independent review of information security

A.18.2.2

Compliance with security policies and standards

A.18.2.3

Technical compliance review

2. Scope

The scope of the policy will be applicable to all activities under the scope statement of

Information Dynamics.

3. Policy

3.1. Compliance with Legal Requirements

3.1.1. Identification of Applicable Legislation

• All relevant statutory, regulatory and contractual requirements and ID’s approach

to meet these requirements shall be explicitly defined and documented.

Reference: ISMS Scope document

3.1.2. Intellectual Property Rights (IPR)

Internal 3 of 5

• Licensing/ copyright requirements for all information assets including proprietary

software application systems, which typically limit the use of application to

specified machines; or creation of the backup copies, shall be adhered to.

Following controls shall be enforced:

• Awareness shall be maintained among the staff for using only legal copies of

software.

• Disciplinary action shall be taken against all the users breaching these policies.

• Asset register of licenses for the software/ hardware products shall be maintained.

• Usage of licenses shall be monitored and controls shall be implemented to ensure

usage is as per license agreement/s.

• Regular checks shall be carried out to ensure that only authorized software and

licensed products are installed.

3.1.3. Safeguarding of Organizational Records

• Organizational records shall be classified, stored, protected, and destroyed (after

the retention period) in accordance with asset classification and requirements of

the applicable laws and regulations.

• A register detailing the classification, valuation, ownership, storage location,

period of retention, method of destruction shall be made for identified

organizational records.

3.1.4. Data Protection and Privacy of Personal Information

• ID shall implement controls for collecting, processing, and disseminating personal

information. Data protection and privacy shall ensure compliance with all relevant

legislation, regulations, and, if applicable, contractual clauses.

• Information security head shall solicit legal opinion to identify a list of applicable

data protection/ privacy regulations, on an annual basis.

3.1.5. Prevention of Misuse of Information Processing Facilities

• Any unauthorized usage/ misuse of information processing facilities shall lead to

disciplinary action as per HR Policy.

Internal 4 of 5

• Users, including but not limited to employees, third parties and sub contracted

parties shall be made aware of permitted access and use of information systems.

• Information systems shall be configured to display appropriate warning banners

against unauthorized access.

3.2. Compliance with Security Policies and Technical

Compliance

3.2.1. Compliance with Security Policy

• All users of information assets including but not limited to employees and third

parties, shall comply with relevant aspects of ID information security.

• Information asset owners shall support regular compliance reviews of their

systems against appropriate clauses of ISMS.

3.2.2. Technical Compliance Checking

• Technical compliance check shall be regularly carried out, which involves

examination of operational systems to ensure that hardware and software controls

have been correctly implemented.

3.3. System Audit Considerations

3.3.1. System Audit Controls

• Audit of operational systems shall be planned to minimize risk of disruptions to

the business processes.

• The requirements and scope of the audit shall be agreed upon with the

management and any requirement for special or additional processing shall be

identified.

Internal 5 of 5

3.3.2. Protection of System Audit Tools

• System audit tools shall be protected from any possible misuse or compromise.

Only audit tools approved by IT head shall be used for conducting the systems

audit.

4. Associated Documentation

1. Acceptable use of assets policy

2. ISMS Scope document – List of Applicable Laws and Legislations

3. ISMS policies – Technical Vulnerability Assessment and Penetration Test

Frequencies