1. Introduction
This policy defines how the information security management system will be set up, managed, measured, reported on and developed within Hugo.
Hugo, currently located at 33 Ikorodu Road, Lagos, is committed to ensuring its information is secure by pursuing full certification to ISO/IEC 27001, so that the effective adoption of information security best practice can be validated by an external third party.
The purpose of this document is to define an overall policy regarding the information security management system that is appropriate to the purpose of Hugo and includes:
This Policy is available in electronic form and will be communicated within the organisation and to all relevant stakeholders and interested third parties.
1.1 ISMS POLICY STATEMENT
Hugo’s current strategy and Information Security Management System provide the context for identifying, assessing, evaluating and controlling information-, process- and service-related risks through the establishment and maintenance of the ISMS. The risk assessment and risk treatment plan capture how identified risks are controlled in alignment with Hugo’s risk management strategy.
In particular, business continuity and contingency plans, data backup procedures, access control to systems and information security incident reporting are fundamental to this policy. All employees of Hugo shall have the responsibility of reporting incidents in real time or as they are discovered.
All employees of Hugo and external parties identified in the ISMS are expected to comply with this policy. All staff and certain external parties will receive or be required to provide appropriate evidence of training.
The Head of Technology is the owner of this document and is responsible for ensuring that this policy document is reviewed and reapproved by the executive management at least annually and in the event of relevant changes and/or incidents.
Breach of the policy or security mechanism may warrant disciplinary measures, up to and including termination of employment/contract as well as legal action in line with the Cybercrime Prohibition Act 2015.
Hugo defines the core objectives and purpose of the ISMS as listed below:
1.2 Scope of the ISMS
For the purposes of certification within Hugo, the boundaries of the Management System are defined in the Context Requirements and Scope (Document Reference: Hugo ISMS0401).
1.4 Requirements
A clear definition of the requirements for the ISMS will be agreed and maintained with the business so that all activities are focused on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and used as input to the planning process. Specific requirements regarding the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of Hugo’s ISMS that the controls implemented are driven by business needs, and this will be regularly communicated to all staff through pre-scheduled meetings and posts on the intranet.
1.5 Executive Leadership Commitment
Commitment to the Management System extends to all senior levels of the organization and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the management systems and associated controls.
The Executive Leadership will also ensure that a systematic review of the performance of the programme is conducted on a regular basis – quarterly – to ensure that objectives are being met and issues are identified through the audit programme and management processes. Management Review can take several forms including divisional or other senior leadership meetings.
1.7 Framework for Setting Objectives and Policy
The high-level objectives for the ISMS within Hugo are defined within the document “Context Requirements and Scope (Document Reference: Hugo ISMS0401)”. These are fundamental to the nature of the business and should not be subject to frequent change.
These overall objectives will be used as guidance in the setting of lower-level, more short-term objectives within an annual cycle timed to coincide with the organisational budget planning and goal-setting cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the overall business requirements, informed by the quarterly management review with stakeholders.
ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a quarterly basis to ensure that they remain valid. If amendments are required, they will be managed through the change management process.
In accordance with ISO/IEC 27001:2013, the control objectives and policy statements detailed in Annex A of the standard will be adopted where appropriate by Hugo. These will be reviewed on a regular basis in the light of the outcome of risk assessments and in line with the ISMS Risk Assessment and Treatment Process. For references to the controls that implement each of the policy statements given, please see the Statement of Applicability.
1.8 Roles and Responsibilities
Within the field of information security, there are a number of key roles that need to be undertaken to ensure successful protection of the business from risk.
Full details of the responsibilities associated with each of the roles and how they are allocated within Hugo are given in a separate document: Roles, Responsibilities and Authorities.
The ISMS Manager shall have overall authority and responsibility for the implementation and management of the Information Security Management System specifically:
1.9 Continual Improvement Policy
Hugo’s policy with regard to Continual Improvement is to:
Ideas for improvements may be obtained from any source including employees, customers, suppliers, risk assessments and service reports. Once identified they will be added to the Continual Improvement Log and evaluated by the ISMS Manager.
As part of the evaluation of proposed improvements, the following criteria will be used:
If accepted, the improvement proposal will be prioritised in order to allow more effective planning.
1.10 Approach to Managing Risk
A risk management strategy and process will be used which is in line with the requirements and recommendations of the Management System. This requires that relevant assets and processes are identified, and the following aspects considered:
Risk management will take place at several levels within the ISMS, including:
High-level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision. For more detail on the approach to risk assessment, please review the document “ISMS Risk Assessment and Treatment Process”.
1.11 People
Hugo will ensure that all staff involved in developing the ISMS are competent based on appropriate education, training, skills and experience.
The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within Hugo. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place.
Training, education and other relevant records will be kept by the People Team to document individual skill levels attained.
1.12 Auditing and Review
Once in place, it is vital that regular reviews take place of how well the ISMS processes and procedures are being adhered to; this will happen at three levels:
1.13 Documentation Structure and Policy
All policies, processes, procedures and plans that form part of the ISMS must be documented. This section sets out the main documents that must be maintained in each area.
Details of documentation conventions and standards are given in the Documentation and Filing policy.
A number of core documents have been created and will be maintained as part of the ISMS. They are uniquely numbered, and the current versions are tracked in the Documentation Log.
1.14 Control of Records
The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively.
The controls in place to manage records are defined in the Documentation and Filing policy.
1.15 Addendum
A current version of this document is available to all members of staff on the Intranet. This policy is issued on a version-controlled basis and pre-signed by the CEO.