02-SGSI Information Security Management System Policy
Document number: 02-SGSI
Company Name: Indigo.ai S.R.L.
Policy Owner(s): Andrea Tangredi
Effective date: 03.14.2024
Version history
Version: 1.0
Date: 03.14.2024
Description: 02-SGSI Information Security Management System Policy
Author: Andrea Tangredi
Approved by: Gianluca Maruzzella
Scope
This policy provides a framework to be applied for the establishment, implementation, maintenance, and continual improvement of the information security management system ("ISMS"), as defined in 01-ISM Scope, in accordance with the requirements of the ISO/IEC 27001 standard ("ISO 27001").
Leadership
Leadership and commitment
Indigo.ai SRL is committed to establishing, implementing, maintaining, and continually improving the ISMS. Management demonstrates its commitment to the ISMS in the exercise of its responsibilities. Indigo.ai SRL will establish an information security policy and set information security objectives that are aligned with the company's strategic direction, and will ensure that sufficient resources are available for the effective establishment, implementation, maintenance, and improvement of the ISMS. Such resources include:
- Financial support
- Qualified staff
- Technical facilities and infrastructure
Information Security Policy
The management of Indigo.ai SRL establishes and supports a dedicated information security policy that:
- Is aligned with the organization's purpose and mission.
- Incorporates the information security objectives, or provides the basis for determining them.
- Demonstrates commitment to meeting all applicable information security requirements.
- Underlines the company's continual commitment to improving the ISMS.
For transparency and awareness:
- This policy is documented and readily accessible.
- It is actively communicated at all levels within Indigo.ai SRL.
- It is made available to interested external parties on request, as appropriate.
Roles, responsibilities and authorities
Indigo.ai SRL has defined the roles, responsibilities, and authorities involved in the creation, implementation, maintenance, and continuous improvement of the ISMS. Indigo.ai SRL has also defined how performance and skills will be measured and how skills gaps will be addressed. For further details, see document 03-ISMS Roles, Responsibilities and Authorities.
Planning
General planning of the ISMS
Indigo.ai SRL prioritizes identifying key risks and opportunities, integrating solutions into our system, and continuously monitoring and improving our approach.
Information Security Risk Assessment
Indigo.ai SRL applies a defined risk assessment method that produces consistent, comparable results, so that the significant information security risks are identified. These risks are assessed and prioritized at regular intervals, and the findings are documented. For further details, see document 04-SGSI Risk Assessment and Treatment Process.
Information Security Risk Treatment
Indigo.ai SRL is committed to selecting appropriate treatment options for the identified risks, implementing the necessary security controls, and documenting these decisions, including the approval of the risk treatment plan and of any residual risks by the risk owners. For further details, see document 04-SGSI Risk Assessment and Treatment Process.
Defining and achieving information security objectives
Indigo.ai SRL establishes clear and measurable information security objectives, together with a plan that sets out how they will be achieved, the resources and responsibilities assigned to them, and how progress is monitored so that the plan can be adjusted when necessary. The information security objectives are reviewed annually by the Management of Indigo.ai SRL on the basis of a clear understanding of the business requirements.
The current information security objectives are as follows:
- Protect the confidentiality, availability, and integrity of corporate, customer, and employee data.
- Comply with laws, regulations, and customer contractual obligations.
- Obtain and maintain ISO 27001 certification.
Action plans for achieving these objectives are maintained and reviewed annually by Management. For further details, see document 10-SGSI Information Security Objective Plan.
Planning changes to the ISMS
When changes to the ISMS are needed, Indigo.ai SRL ensures that they are planned systematically, with careful consideration of their potential impact on information security and on the organization.
Support
Resources
Indigo.ai SRL is committed to allocating the resources necessary to create, operate, maintain, and continuously improve its information security management system.
Expertise:
- The company identifies the competencies required for roles that affect its information security performance.
- Staff are assessed on the basis of education, training, and experience to confirm that they have the required competencies.
- Where necessary, Indigo.ai SRL provides training, mentoring, or reassignment, or engages external expertise, and retains evidence of the competence acquired.
Awareness:
- All staff are made aware of our information security policy and undergo annual awareness training.
- Personnel understand their contribution to the effectiveness of the ISMS and the implications of not conforming with its requirements.
Communication:
- Indigo.ai SRL identifies and acts on the need for internal and external communications regarding our information security practices.
- Decisions include what, when, how, and with whom to communicate.
The relevant information security policies are communicated to all relevant personnel at least once a year, after review and approval, and after any significant change to a policy. Policies are made available in the corporate system via the Complaino platform, which is accessible to all Indigo.ai SRL personnel. For further details, see document 06-SGSI Information Security Communication Plan.
Control of documented information
The ISMS includes the documented information required by ISO 27001 and any further documentation that Indigo.ai SRL considers necessary for the effectiveness of its security measures. When documented information is created or updated, appropriate identification, format, review, and approval are ensured.
To maintain the integrity of the documentation, controls are in place over its distribution, access, storage, modification, and retention.
Operation
Operational planning and control
Indigo.ai SRL will plan, implement, and control the processes needed to meet the information security requirements and to carry out the actions determined under clause 6 (Planning) of ISO 27001, and will retain the necessary documented information. Planned changes will be controlled, and the consequences of unintended changes will be reviewed, with action taken to mitigate any adverse effects. Externally provided processes, products, or services that are relevant to the ISMS will be controlled by Indigo.ai SRL.
Information Security Risk Assessment
Indigo.ai SRL will conduct information security risk assessments at planned intervals, and whenever significant changes are proposed or occur, applying the criteria established under clause 6.1.2 a) of ISO 27001. Documented information on the results of these risk assessments will be retained.
Information Security Risk Treatment
Indigo.ai SRL is committed to executing the information security risk treatment plan. To ensure accountability, documented information on the results of the risk treatment will be retained.
Performance evaluation
Internal Audit
Indigo.ai SRL annually performs internal audits of its ISMS and has defined an ISMS internal audit procedure. For further details, please refer to document 07-ISMS Procedure for internal audits.
Management Review
Indigo.ai SRL has defined a management review procedure for the ISMS that consists of the inputs and outputs necessary to ensure that the company's ISMS is operating effectively, as intended, and is continuously improving. For further details, please refer to 08-ISMS Management Review Procedure.
Improvement
Continuous improvement
Indigo.ai SRL is committed to continually improving the suitability, adequacy, and effectiveness of its information security management system.
Non-conformities and corrective actions
In case of deviation from the established standards, Indigo.ai SRL undertakes to:
- Address the non-conformity, manage its effects, and implement the necessary corrections.
- Assess the root cause and ensure that the non-conformity does not recur or arise elsewhere.
- Implement the required changes and verify their effectiveness.
All measures taken are proportionate to the severity of the non-conformity identified.
For transparency and due diligence, Indigo.ai SRL will document:
- The specifics of each non-conformity and the corrective measures applied.
- The results of such corrective actions.
Indigo.ai SRL has defined a procedure for corrective actions and continuous improvement of the ISMS when non-conformities are identified. Non-conformities can be identified during internal audits, external audits, management reviews, or continuous monitoring of the ISMS. For further details, see document 09-ISMS Procedure for corrective actions and continuous improvement.
Violation of policy
All Indigo.ai SRL personnel (including employees, contractors, and applicable third parties) must maintain the security, confidentiality, availability, integrity, and privacy of Indigo.ai SRL resources. Violations of SGSI (ISMS) policies and procedures may be considered serious breaches of trust and may result in disciplinary action up to and including termination of employment or contract, as well as criminal prosecution in accordance with applicable laws.
ISO 27001 coverage
ISO 27001 4.1; 4.2; 4.3; 5.1