Scope of the Information Security Management System (ISMS) for Our Zero

  1. Introduction

    This document outlines the scope of the Information Security Management System (ISMS) for Our Zero, a Software as a Service (SaaS) platform that provides carbon footprinting tools for users across various industries. The objective of this ISMS is to protect the confidentiality, integrity, and availability of information assets associated with the Our Zero platform.

  2. System Description

    Our Zero is a web-based application that enables users to calculate the carbon footprint of their operations, products, or services. The platform offers various features, including data input, analysis, reporting, and visualisation tools. It caters to a wide range of customers, including printers, agencies, brands, and other organisations interested in understanding and reducing their carbon emissions.

  3. System Components

    The scope of the ISMS for Our Zero includes the following components:

    1. Infrastructure

      The ISMS covers the physical and virtual infrastructure that supports the Our Zero platform, including:

      • Servers, storage devices, and networking equipment
      • Cloud services and related resources
      • Backup and disaster recovery systems
    2. Software

      The ISMS encompasses all software components of the Our Zero platform, such as:

      • Web application and underlying programming languages
      • Databases and data storage systems
      • Third-party libraries and APIs
      • Security, monitoring, and management tools
    3. Processes

      The ISMS includes processes related to the development, operation, and maintenance of the Our Zero platform, including:

      • Software development life cycle (SDLC)
      • Change management
      • Incident management
      • Vulnerability and patch management
      • Data backup and recovery
    4. People

      The ISMS applies to all personnel involved in the development, operation, and support of the Our Zero platform, including:

      • Developers
      • System administrators
      • Support staff
      • Management
    5. Third-Party Relationships

      The ISMS covers third-party relationships that may impact the security of the Our Zero platform, such as:

      • Cloud service providers
      • Data centres
      • Vendors and suppliers of hardware, software, or services
      • External consultants or contractors
  4. Exclusions

    The ISMS scope does not include:

    • Physical security of customer premises or data centres not directly related to the operation of Our Zero
    • Security of third-party applications or services not directly integrated with or used by the Our Zero platform
  5. Compliance and Applicable Legislation

    The Our Zero ISMS will be designed to comply with relevant information security standards, such as ISO/IEC 27001, and applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

  6. Review and Updates

    The scope of the ISMS will be reviewed and updated periodically or as needed to ensure its ongoing effectiveness and relevance to the Our Zero platform. Changes to the scope will be documented and communicated to all relevant stakeholders.

  7. Roles and Responsibilities

    The success of the ISMS relies on clearly defined roles and responsibilities for all involved parties. Key roles within the Our Zero ISMS include:

    1. Senior Management

      Senior management is responsible for:

      • Approving and endorsing the ISMS scope
      • Allocating necessary resources for the ISMS implementation and maintenance
      • Ensuring that the ISMS is integrated into organisational processes and culture
    2. ISMS Manager

      The ISMS Manager is responsible for:

      • Developing, implementing, and maintaining the ISMS in accordance with the defined scope
      • Coordinating ISMS-related activities, including risk assessments, audits, and training
      • Reporting on the performance of the ISMS to senior management
    3. Information Asset Owners

      Information Asset Owners are responsible for:

      • Identifying and classifying information assets within their area of responsibility
      • Assessing risks to their information assets and implementing appropriate controls
      • Ensuring that information assets are used and handled in accordance with the ISMS
    4. Employees and Contractors

      All employees and contractors involved in the Our Zero platform are responsible for:

      • Complying with the ISMS policies, procedures, and guidelines
      • Reporting any security incidents or weaknesses they become aware of
      • Participating in ISMS-related training and awareness activities
    5. Risk Assessment and Treatment

      The ISMS requires a systematic approach to identifying, assessing, and treating information security risks. The risk assessment process should include:

      • Identifying assets, threats, and vulnerabilities
      • Assessing the likelihood and impact of potential security incidents
      • Prioritising risks based on their potential impact on the organisation and the Our Zero platform
      • Identifying and implementing appropriate risk treatment options, such as avoidance, mitigation, transfer, or acceptance
    6. Monitoring and Improvement

      The effectiveness of the ISMS should be regularly monitored and improved to ensure its continued relevance and alignment with the organisation's objectives. Monitoring and improvement activities may include:

      • Internal and external audits to assess compliance with the ISMS and identify areas for improvement
      • Key performance indicators (KPIs) to measure the effectiveness of security controls and risk treatment measures
      • Regular reviews and updates of the ISMS scope, policies, procedures, and guidelines
      • Lessons learned from security incidents, near misses, and other relevant events
    7. Documentation and Record Keeping

      All ISMS-related documents and records should be properly maintained to support decision-making, demonstrate compliance, and facilitate continuous improvement. Documentation and record keeping requirements include:

      • Maintaining a register of information assets, risk assessments, and risk treatment plans
      • Retaining records of security incidents, investigations, and corrective actions
      • Documenting ISMS policies, procedures, and guidelines and ensuring they are accessible to all relevant personnel
      • Ensuring that ISMS-related documents and records are reviewed, updated, and archived as necessary

      By establishing a comprehensive ISMS scope, assigning clear roles and responsibilities, and implementing robust processes for risk management, monitoring, and improvement, the Our Zero platform can achieve a high level of information security and compliance with relevant standards and regulations. This will help protect the confidentiality, integrity, and availability of the platform's information assets, support the organisation's objectives, and enhance the trust and confidence of customers and other stakeholders.

Information Security Policy

1. Introduction

This Information Security Policy outlines [Organisation Name]'s commitment to information security and establishes the framework for setting objectives and ensuring continuous improvement. The policy is designed to protect the confidentiality, integrity, and availability of the organisation's information assets and to comply with relevant laws, regulations, and industry standards.

2. Purpose

The purpose of this policy is to:

  • Define the scope and objectives of the organisation's Information Security Management System (ISMS)
  • Establish roles and responsibilities for information security within the organisation
  • Provide a basis for implementing appropriate risk management processes and security controls
  • Promote a culture of information security awareness and compliance among employees, contractors, and other stakeholders

3. Scope

This policy applies to all information assets owned, controlled, or processed by [Organisation Name], including but not limited to:

  • Digital information and systems, such as databases, applications, servers, networks, and devices
  • Physical information and assets, such as paper records, storage media, and office facilities
  • Information shared with or received from third parties, such as suppliers, customers, and partners

4. Objectives

The objectives of this policy are to:

  • Protect the confidentiality of information, ensuring that only authorised individuals have access to sensitive information
  • Maintain the integrity of information, ensuring that it is accurate, complete, and reliable
  • Ensure the availability of information and systems, minimising disruption to business operations
  • Comply with all applicable legal, regulatory, and contractual requirements related to information security

5. Roles and Responsibilities

Senior management is responsible for approving and endorsing this policy, allocating necessary resources for its implementation, and ensuring that it is integrated into the organisation's processes and culture.

The ISMS Manager is responsible for developing, implementing, and maintaining the ISMS in accordance with this policy, coordinating ISMS-related activities, and reporting on the performance of the ISMS to senior management.

Information Asset Owners are responsible for identifying and classifying information assets within their area of responsibility, assessing risks to their information assets, and implementing appropriate controls.

All employees and contractors are responsible for complying with this policy and any associated procedures and guidelines, reporting any security incidents or weaknesses they become aware of, and participating in ISMS-related training and awareness activities.

6. Risk Assessment and Treatment

The organisation shall implement a systematic approach to identifying, assessing, and treating information security risks, which includes:

  • Identifying assets, threats, and vulnerabilities
  • Assessing the likelihood and impact of potential security incidents
  • Prioritising risks based on their potential impact on the organisation and its information assets
  • Identifying and implementing appropriate risk treatment options, such as avoidance, mitigation, transfer, or acceptance

7. Continuous Improvement

The organisation is committed to continuously improving the effectiveness of its ISMS through regular monitoring, review, and updating of its information security policies, procedures, and guidelines, as well as lessons learned from security incidents and other relevant events.

8. Policy Review

This policy shall be reviewed and updated at least annually or as needed to ensure its continued relevance and alignment with the organisation's objectives and with legal and regulatory requirements.

9. Compliance

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract. The organisation may also pursue legal remedies in the event of a breach of this policy that results in damage or loss to the organisation's information assets or reputation.

By adhering to this Information Security Policy, [Organisation Name] aims to achieve a high level of information security and compliance with relevant standards and regulations, protect its information assets, and promote a culture of security awareness and responsibility among its employees and other stakeholders.

System Components

1. Introduction

This document outlines the components within the scope of the Information Security Management System (ISMS) for Our Zero. These components have been identified and defined to ensure the effective implementation and management of the ISMS.

2. Purpose

The purpose of this document is to:

  • Clearly identify and define the components that are within the scope of the ISMS for Our Zero
  • Provide a basis for risk assessment, risk treatment, and implementation of security controls
  • Establish a clear understanding of the system components for all stakeholders

3. System Components

The scope of the ISMS for Our Zero includes the following components:

  1. Hardware: This includes all physical devices and equipment used to store, process, or transmit information related to Our Zero, such as servers, storage devices, network devices, workstations, laptops, mobile devices, and other peripherals.
  2. Software: This includes all applications, operating systems, databases, and other software used to support the Our Zero platform, as well as any custom-developed software or third-party software components.
  3. Network and Communications Infrastructure: This includes all network components and infrastructure used to support the Our Zero platform, such as routers, switches, firewalls, load balancers, wireless access points, and other networking equipment, as well as network services, protocols, and communication channels.
  4. Data and Information: This includes all information assets related to Our Zero, such as customer data, transaction data, product data, configuration data, and any other data stored, processed, or transmitted by the platform.
  5. People and Processes: This includes all personnel involved in the operation, administration, and support of the Our Zero platform, as well as the processes, procedures, and guidelines used to manage the platform and ensure its ongoing security and compliance.

4. Exclusions

The following components are explicitly excluded from the scope of the ISMS for Our Zero:

  • Third-party systems, services, and infrastructure not directly related to the operation, administration, or support of the Our Zero platform
  • Non-IT assets, such as physical facilities and non-IT equipment
  • Personal devices and systems not used for the operation, administration, or support of the Our Zero platform

5. Updates and Revisions

This document will be reviewed and updated as needed to ensure that it remains accurate and up to date, particularly in response to changes in the organisation's information assets, system components, or risk environment. Any updates or revisions to this document will be approved by the ISMS Manager and communicated to relevant stakeholders.

By clearly identifying and defining the system components within the scope of the ISMS for Our Zero, the organisation can ensure the effective implementation and management of the ISMS, as well as maintain compliance with relevant laws, regulations, and industry standards.

Compliance and Applicable Legislation

1. Introduction

This document outlines the compliance and applicable legislation requirements for the Our Zero Information Security Management System (ISMS). It describes the relevant information security standards and data protection laws and regulations that the ISMS must adhere to in order to ensure legal compliance and protect the organisation's information assets.

2. Purpose

The purpose of this document is to:

  • Identify the information security standards and data protection laws and regulations applicable to the Our Zero ISMS
  • Provide guidance on how to achieve compliance with these requirements
  • Establish a clear understanding of the compliance requirements for all stakeholders

3. Compliance with Information Security Standards

The Our Zero ISMS will be designed to comply with the following information security standards:

  • ISO/IEC 27001: This international standard provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System. Compliance with this standard demonstrates the organisation's commitment to information security and helps ensure the confidentiality, integrity, and availability of its information assets.

4. Compliance with Data Protection Laws and Regulations

The Our Zero ISMS will be designed to comply with the following data protection laws and regulations:

  • General Data Protection Regulation (GDPR): The GDPR is a European Union regulation that governs the processing of personal data of individuals within the EU and the European Economic Area (EEA). It requires organisations to implement appropriate technical and organisational measures to ensure the protection of personal data and the rights of data subjects.
  • UK Data Protection Act 2018: The UK Data Protection Act 2018 supplements the GDPR and provides additional requirements for the processing of personal data in the United Kingdom. It also establishes the Information Commissioner's Office (ICO) as the supervisory authority for data protection matters in the UK.

5. Achieving Compliance

To achieve compliance with the identified information security standards and data protection laws and regulations, the Our Zero ISMS will include the following components:

  • Risk Assessment and Treatment: The organisation will regularly assess the risks to its information assets and implement appropriate security controls to address identified risks in line with the requirements of ISO/IEC 27001 and applicable data protection laws and regulations.
  • Data Protection Policies and Procedures: The organisation will develop and maintain policies and procedures to ensure compliance with the GDPR and the UK Data Protection Act 2018. This includes implementing measures to protect personal data, respect data subjects' rights, and demonstrate accountability and transparency.
  • Training and Awareness: The organisation will provide regular training and awareness programmes for all personnel involved in the processing of personal data to ensure they understand their responsibilities and the requirements of the GDPR and the UK Data Protection Act 2018.
  • Incident Management and Reporting: The organisation will establish an incident management process to identify, respond to, and report information security incidents, including data breaches, in accordance with the requirements of ISO/IEC 27001 and applicable data protection laws and regulations.

6. Updates and Revisions

This document will be reviewed and updated as needed to ensure it remains accurate and up to date, particularly in response to changes in relevant laws, regulations, and industry standards. Any updates or revisions to this document will be approved by the ISMS Manager and communicated to relevant stakeholders.

By ensuring compliance with the identified information security standards and data protection laws and regulations, the organisation can demonstrate its commitment to protecting the confidentiality, integrity, and availability of its information assets, as well as the privacy of personal data, in accordance with legal requirements and industry best practices.

| Task / Activity | Responsible Person | Frequency | Due Date | Status | Comments |
|---|---|---|---|---|---|
| ISMS Scope Review | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| Risk Assessment | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| Risk Treatment Plan Update | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| Internal ISMS Audit | Internal Auditor | Annually | [Date] | Pending / In Progress / Completed | |
| Management Review Meeting | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| ISMS Policy Review | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| Data Protection Policy Review | Data Protection Officer | Annually | [Date] | Pending / In Progress / Completed | |
| GDPR Compliance Check | Data Protection Officer | Annually | [Date] | Pending / In Progress / Completed | |
| UK Data Protection Act Compliance Check | Data Protection Officer | Annually | [Date] | Pending / In Progress / Completed | |
| Training and Awareness Program | HR Manager | Quarterly | [Date] | Pending / In Progress / Completed | |
| Incident Management Process Review | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| Security Control Review and Update | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| Business Continuity Plan Review | ISMS Manager | Annually | [Date] | Pending / In Progress / Completed | |
| Supplier Security Assessment | Procurement Manager | Annually | [Date] | Pending / In Progress / Completed | |