Compliance Policy
Document Summary

Item                    Value
Organization            Information Dynamics
Document Name           Compliance Policy
Classification          Internal
Compliance Reference    ISO/IEC 27001:2013

Document Revision History

Date           Version   Prepared By
Dec 29, 2019   1.0       Arya Vijayan & Suresh Kutty
Dec 24, 2020   1.1       Arya Vijayan & Suresh Kutty
Dec 24, 2021   1.2       Vani & Suresh Kutty

Document Review History

Reviewed By   Version   Signature
Linda         1.0
Linda         1.1
Linda         1.2
Internal 2 of 5
1. Purpose
The purpose of this policy is to establish a compliance framework that is aligned with
security best practices and international standards.
ISO 27001:2013 Domain Reference: A.18 - Compliance

ISO 27001:2013 Reference   Control
A.18.1.1                   Identification of applicable legislation and contractual requirements
A.18.1.2                   Intellectual property rights
A.18.1.3                   Protection of records
A.18.1.4                   Privacy and protection of personally identifiable information
A.18.2.1                   Independent review of information security
A.18.2.2                   Compliance with security policies and standards
A.18.2.3                   Technical compliance review
2. Scope
This policy applies to all activities covered by the scope statement of
Information Dynamics.
3. Policy
3.1. Compliance with Legal Requirements
3.1.1. Identification of Applicable Legislation
All relevant statutory, regulatory and contractual requirements and ID’s approach
to meet these requirements shall be explicitly defined and documented.
Reference: ISMS Scope document
3.1.2. Intellectual Property Rights (IPR)
Licensing and copyright requirements for all information assets, including proprietary
software application systems (which typically restrict use of the application to
specified machines or the creation of backup copies), shall be adhered to.
The following controls shall be enforced:
- Awareness shall be maintained among staff to use only legal copies of software.
- Disciplinary action shall be taken against any user breaching these policies.
- An asset register of licenses for software and hardware products shall be maintained.
- License usage shall be monitored and controls shall be implemented to ensure that
  usage conforms to the license agreement(s).
- Regular checks shall be carried out to ensure that only authorized software and
  licensed products are installed.
3.1.3. Safeguarding of Organizational Records
Organizational records shall be classified, stored, protected, and destroyed (after
the retention period) in accordance with asset classification and requirements of
the applicable laws and regulations.
A register recording the classification, valuation, ownership, storage location,
retention period and method of destruction shall be maintained for identified
organizational records.
3.1.4. Data Protection and Privacy of Personal Information
ID shall implement controls for collecting, processing, and disseminating personal
information. Data protection and privacy shall ensure compliance with all relevant
legislation, regulations, and, if applicable, contractual clauses.
Information security head shall solicit legal opinion to identify a list of applicable
data protection/ privacy regulations, on an annual basis.
3.1.5. Prevention of Misuse of Information Processing Facilities
Any unauthorized usage/ misuse of information processing facilities shall lead to
disciplinary action as per HR Policy.
Users, including but not limited to employees, third parties and subcontracted
parties, shall be made aware of the permitted access to and use of information systems.
Information systems shall be configured to display appropriate warning banners
against unauthorized access.
3.2. Compliance with Security Policies and Technical Compliance
3.2.1. Compliance with Security Policy
All users of information assets, including but not limited to employees and third
parties, shall comply with the relevant aspects of ID's information security policies.
Information asset owners shall support regular compliance reviews of their
systems against appropriate clauses of ISMS.
3.2.2. Technical Compliance Checking
Technical compliance check shall be regularly carried out, which involves
examination of operational systems to ensure that hardware and software controls
have been correctly implemented.
3.3. System Audit Considerations
3.3.1. System Audit Controls
Audit of operational systems shall be planned to minimize risk of disruptions to
the business processes.
The requirements and scope of the audit shall be agreed upon with the
management and any requirement for special or additional processing shall be
identified.
3.3.2. Protection of System Audit Tools
System audit tools shall be protected from any possible misuse or compromise.
Only audit tools approved by IT head shall be used for conducting the systems
audit.
4. Associated Documentation
1. Acceptable Use of Assets Policy
2. ISMS Scope document; List of Applicable Laws and Legislations
3. ISMS policies; Technical Vulnerability Assessment and Penetration Test Frequencies