Data Protection

ISAE 3402

The Certicus information security policy is based on the organization's current business strategy, corporate objectives, and applicable laws and regulations. The policy is included in the information security plan. Management evaluates the information security plan periodically (at least annually) and adjusts it where necessary. Management review follows the PDCA model: Plan, Do, Check, Act. The information security policy is reviewed each period to confirm that it remains applicable, effective, and adequate.

In order for all activities to meet the requirements, a clear definition of the information security requirements is agreed upon and maintained with the internal business and with customers. As part of the planning process, legal, regulatory, and contractual requirements are documented. Specific security requirements are defined during the design phase of each project. The controls implemented within the Certicus security system are determined by business needs and are regularly communicated to all staff members through team meetings and documents.

Outsourcing

Organizational roles, responsibilities, and authorities are vital. The roles and responsibilities are described in accordance with the policies that define how the organization operates.

The responsibility for ensuring that employees and contractors understand their roles and are aware of the competences and skills expected of them lies with management.

Responsibilities for the protection of individual assets and for carrying out specific processes are identified within the organization.

The information security objectives are prepared so that sufficient funding is provided for the improvement activities identified. The objectives that have been set are documented for an agreed time period, together with how they will be achieved. To ensure that they remain valid, the objectives are evaluated and monitored as part of management reviews.

Controls are reviewed regularly based on the outcomes of risk assessments and information security risk treatment plans.

The global standard for controlled outsourcing