Information Security Management System Policy

Last Updated on 18th Dec, 2024

PLEASE READ THE TERMS OF THIS POLICY CAREFULLY BEFORE USING THE SITE

INTRODUCTION

This policy defines how Management Systems will be set up, managed, measured, reported on, and developed within Sudo Africa.

The purpose of this document is to define an overall policy with regard to management systems that are appropriate to the purpose of Sudo Africa, and it includes:

  • A framework for setting objectives
  • A commitment to satisfying applicable requirements
  • A commitment to continual improvement of the management systems

This Policy is available in electronic form and will be communicated within the organization and to all relevant stakeholders and interested third parties.

ISMS Policy
  1. Scope of the ISMS

    For the purposes of certification within Sudo Africa, the boundaries of the Management Systems are defined in the context, requirements and scope documentation.

  2. Requirements

    A clear definition of the requirements for the Management Systems will be agreed upon and maintained with the business so that all activities are focused on fulfilling those requirements. Statutory, regulatory, and contractual requirements will also be documented and fed into the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.

    It is a fundamental principle of the Sudo Africa Information Security Management System that business needs drive the controls implemented and this will be regularly communicated to all staff through team meetings and briefing documents.

  3. Top Management Leadership and Commitment

    Commitment to the Information Security Management Systems extends to senior levels of the organization and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the management systems and associated controls. Top management is fully committed to satisfying all applicable requirements related to Information security and to the continual improvement of the ISMS.

    Top management will also ensure that a systematic review of the program's performance is conducted regularly to ensure that objectives are being met and issues are identified through the audit program and management processes. Management Review can take several forms including departmental and other management meetings.

  4. Framework for Setting Objectives and Policy

    These overall objectives will be used as guidance in the setting of lower-level, more short-term objectives within an annual cycle timed to coincide with the organizational budget planning. This will ensure that adequate funding is obtained for the improvement of activities identified. These objectives will be based upon a clear understanding of the overall business requirements, informed by the annual management review with stakeholders.

    ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a quarterly basis to ensure that they remain valid. If amendments are required, these will be managed through the change management process.

  5. Roles and Responsibilities

    Within the field of Information Security Management, there are a number of key roles that need to be undertaken to ensure the successful protection of the business from risk.

    Full details of the responsibilities associated with each of the roles and how they are allocated within Sudo Africa are given in a separate document, the Sudo Africa ISMS Roles, Responsibilities and Authorities document.

    The Information Security Management System Manager shall have overall authority and responsibility for the implementation and management of the Management Systems, specifically:

    • The identification, documentation, and fulfillment of applicable requirements
    • Implementation, management, and improvement of risk management processes
    • Integration of processes
    • Compliance with statutory, regulatory and contractual requirements in the management of assets used to deliver products and services
    • Reporting to top management on performance and improvement

  6. Continual Improvement Policy

    Sudo Africa's policy with regard to Continual Improvement is to:

    • Continually improve the effectiveness of the ISMS across all areas within scope
    • Enhance current processes to bring them into line with good practice
    • Achieve certification of the management systems and maintain it on an ongoing basis
    • Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to the ongoing management of the ISMS
    • Make processes and controls more measurable in order to provide a sound basis for informed decisions
    • Achieve an enhanced understanding of and relationship with the business units to which the ISMS applies
    • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
    • Obtain ideas for improvement via regular meetings with stakeholders and document them in a Continual Improvement Log
    • Review the Continual Improvement Log at regular management meetings in order to prioritise and assess timescales and benefits

    Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments, and service reports. Once identified they will be added to the Sudo Africa Improvement Action Log and evaluated by the ISMS Manager.

    As part of the evaluation of proposed improvements, the following criteria will be used:

    • Cost
    • Business Benefit
    • Risk
    • Implementation timescale
    • Resource requirement

  7. Approach to Managing Risk

    A risk management strategy and process will be used that are in line with the requirements and recommendations of the Management Systems. This requires that relevant assets are identified and the following aspects considered:

    • Threats
    • Vulnerabilities
    • Impact and likelihood before risk treatment
    • Risk Treatment (e.g. reduction, removal, transfer)
    • Impact and Likelihood after risk treatment
    • Function responsible/Owner
    • Timescale and Review Frequency

    Risk management will take place at several levels within the ISMS, including:

    • Management planning – risks to the achievement of objectives
    • Information security and business continuity risk assessments
    • Assessment of the risk of changes via the change management process
    • At the project level as part of the management of significant business change

    High-level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision. For more detail on the approach to risk assessment, please refer to the document “Sudo Africa Risk Assessment and Treatment Process”.

  8. Human Resources

    Sudo Africa will ensure that all staff involved in the ISMS are competent on the basis of appropriate education, training, skills, and experience.

    The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within Sudo Africa. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place.

    Training, education, and other relevant records will be kept by the Human Resources Department to document individual skill levels attained.

  9. Auditing and Review

    Once the ISMS is in place, it is vital that regular reviews take place of how well its processes and procedures are being adhered to. This will happen at three levels:

    1. Structured regular management review of conformity to policies and procedures
    2. Internal audit reviews against the management system standards by the Sudo Africa Audit Team
    3. External audit against the standards in order to gain and maintain certification

    Details of how internal audits will be carried out can be found in Sudo Africa Procedure for Internal Audits.

  10. Documentation Structure and Policy

    All policies and plans that form part of the ISMS must be documented. This section sets out the main documents that must be maintained in each area.

    Details of documentation conventions and standards are given in the Sudo Africa Procedure for Control of Documents and Records.

    A number of core documents have been created and will be maintained as part of the ISMS. They are uniquely numbered, and the current versions are tracked in Sudo Africa ISMS Document Log.

  11. Control of Records

    The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively.

    The controls in place to manage records are defined in the document Sudo Africa Procedure of Documents and Records.

  12. Consequence Management

    Employees, suppliers, or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the ISMS Manager via email at legal@sudo.africa, and may choose whether or not to identify themselves.

    Internally, failure to comply with the guidelines of this Policy will result in measures being applied against those who do not comply, proportionate to the seriousness of the non-compliance.