Information Security Policy
1. Purpose
The purpose of this document is to define the role that Albanian American Development Fund’s Board of Trustees takes in ensuring commitment to information security, the development and propagation of this policy, and the assignment of appropriate information security roles, responsibilities and authorities to protect AADF’s assets from all relevant threats, whether internal or external, deliberate or accidental.
This policy is supported by more detailed policies covering a range of information risk and security topics, expanding on the high-level principles with mid-level axioms and controls. Those topic-specific policies are supported in turn by corporate security standards laying down specific security parameters (such as password length and complexity requirements), plus procedures, guidelines and other security awareness and training materials.
2. Objective
AADF, which provides [brief description of business], is committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets (information assets include data or other knowledge stored in any format on any system that has value to an organisation, and should be logged) throughout the organisation in order to compete in the marketplace and maintain its legal, regulatory and contractual compliance and commercial image.
[To achieve this, [Organisation Name] has implemented an information security management system (ISMS) in accordance with the international standard ISO/IEC 27001:2013 requirements. The ISMS is subject to continual, systematic review and improvement.]
3. Roles and responsibilities
- The Board of Trustees is responsible for setting and approving the Information Security Policy.
- The Co-CEOs are responsible for ensuring that roles, responsibilities and authorities are appropriately assigned, maintained and updated as necessary.
- Managers are responsible for designing, implementing and using appropriate corporate governance arrangements, including the ISMS, this corporate information security policy and the subsidiary topic-specific policies. Managers are expected to help ensure that workers in their areas of responsibility are aware of and uphold the policies.
- All employees and those working under the scope of the ISMS are responsible for adhering to the requirements of the Information Security Policy and for fulfilling any duties related to assigned roles, responsibilities or authorities. The consequences of breaching the Information Security Policy are set out in AADF’s disciplinary policy and in contracts and agreements with third parties.
4. Policy objectives
It is the policy of AADF that:
- Information is made available to all authorised parties with minimal disruption to the business processes.
- The integrity of this information is maintained.
- The confidentiality of information is preserved.
- The organisation ensures compliance with all legislation, regulations and codes of practice, and all other requirements applicable to its activities.
- Appropriate information security objectives are defined and, where practicable, measured using the SMART (Specific, Measurable, Achievable, Realistic and Timed) principles. Objectives are planned and documented, inclusive of how each is to be achieved and actions required. Subsequently, the objectives are regularly monitored and reviewed. [Insert a link to your objectives or outline them here]
- Appropriate business continuity arrangements are in place to counteract interruptions to business activities and these take account of information security.
- Appropriate information security education, awareness and training are available to staff and relevant others working on the organisation’s behalf. [Insert a link to your training and awareness programme or outline how this objective is achieved here]
- Breaches of information security or security incidents, actual or suspected, are reported and investigated through appropriate processes.
- Appropriate access control is maintained and information is protected against unauthorised access.
- The organisation maintains a management system that will achieve its objectives and seeks continual improvement in the effectiveness and performance of the management system based on risk.
- The organisation maintains a commitment to continual improvement, and the ISMS is reviewed at planned intervals by the senior management team to ensure it remains appropriate and suitable for the business.
This policy is approved by senior management and is reviewed at regular intervals or upon significant change.
This policy is communicated to all staff within AADF and is available to customers, suppliers, stakeholders and other interested parties upon request.
Document control
A current version of this document is available to all members of staff at AADF and is published at [location]. This policy was approved by the Co-CEOs and is issued on a version-controlled basis. Changes shall be discussed by the Board of Trustees before approval.
Signature: Date:
Change history record
| Issue | Description of change | Approval | Date of change |
|-------|-----------------------|----------|----------------|
| 1.0 | Initial issue | <Job Title> | dd/mm/yyyy |