ISO 27001 Top Level Policy
ISO 27001 Top Level Policy - Smallworld Nordic AS, Org no: 965 308 865.
The policy covers all Smallworld Nordic Norway AS, Smallworld Nordic Sweden AB and Smallworld Nordic Denmark A/S employees, services and business processes.
1. Goals
Smallworld Nordic secures data and systems against harmful events. We ensure confidentiality, integrity, availability and robustness in infrastructure to take care of information and data that we have, or are entrusted to Smallworld Nordic, employees and other stakeholders.
That there is a low threshold for reporting information security incidents and nonconformity in Smallworld Nordic. We will:
- Continued focus on customer satisfaction through efficient customer support and services
- Continuous improvement for employees information security training
- Systematic reduction of asset risk in accordance with ISO 27001
2. Strategy
The company's information security is based on ISO / IEC 27001 and certification of ISO 27001 will be a business advantage for Smallworld Nordic. We ensure that all policies, guidelines, and security strategies are in line with the company's business goals.
The security work is risk-based, and we work actively to deal with vulnerabilities.
Central to this work is the policy of “least access”:
- With “least access”, it must be verified who will have access to what, why, from where, how, and when.
- When incidents occur, we will reduce the damage and learn how to prevent a similar incident.
3. Commitments
We want to have an active relationship with our stakeholders and their expectations.
We handle risk according to ISO / IEC 27005 and assess business impact, vulnerability and likelihood of relevant threat events. Our information security forum also performs risk assessments of each of our assets necessary for general operations and operational planning.
Smallworld provides the necessary resources, equipment, competent personnel, and investments to ensure that our goals are achieved.
We have regular internal audits to document:
- Deviations according to privacy and information security
- Root causes of the discrepancies
- That the ISMS meets our information security objectives
- Continuous improvement
4. Managements obligations
Management is responsible for knowledge and expertise about information security.
Management regularly reviews the results of the internal audit and implements relevant and effective measures so that the frequency and level of damage to security incidents is minimised.
Management is also responsible for promoting continuous improvement of information security throughout the organisation.
5. Our employees
Our employees are one of our most important resources, and the work with information security reflects this. We work continuously to improve employees' competence and awareness of information security:
- Employees are aware of their responsibility to actively protect information security
- Employees are encouraged to register nonconformities and actively contribute to detecting potentially harmful incidents
6. Contact details
If you have any questions about this policy, you can contact us.