Information Security Policy

Version	1.0
Effective Date	[Insert Date]
Approved By	Compliance & Risk Committee
Next Review Date	[Insert Date]

1. Purpose

The purpose of this policy is to define the principles, responsibilities, and framework for managing information security at Bayarcash in alignment with ISO 27001. This ensures that:

Sensitive information is protected against unauthorized access, disclosure, alteration, and destruction.
Regulatory, contractual, and business requirements are met.
Risks to information assets are systematically identified, assessed, and mitigated.

2. Scope

This policy applies to:

All Bayarcash employees, contractors, third parties, and service providers.
All information assets including digital data, documents, communications, applications, and IT infrastructure.
All business units, systems, and locations operated by Bayarcash.

3. Policy Statement

Bayarcash is committed to:

Maintaining confidentiality, integrity, and availability of information.
Implementing a risk-based approach to information security management.
Continually improving the Information Security Management System (ISMS) in accordance with ISO 27001.
Complying with relevant legal, regulatory, and contractual obligations.

4. Information Security Objectives

Bayarcash will:

Protect customer, employee, and business information from unauthorized access or disclosure.
Ensure information systems are resilient, reliable, and available when needed.
Detect and respond promptly to security incidents.
Conduct regular risk assessments and implement appropriate controls.
Provide security awareness training to all personnel.

5. Roles & Responsibilities

5.1 Executive Management

Approve and support the ISMS and related policies.
Ensure resources are allocated for effective information security management.

5.2 Chief Information Security Officer (CISO) / Information Security Manager

Lead the implementation and maintenance of the ISMS.
Monitor compliance with the Information Security Policy.
Report on security risks and incidents to management.

5.3 Department Heads

Ensure staff comply with information security policies and procedures.
Identify information assets and classify them according to sensitivity.

5.4 Employees

Follow security procedures and guidelines.
Report any actual or suspected information security incidents immediately.

5.5 IT / Security Team

Implement technical security controls, including access control, encryption, and monitoring.
Maintain systems and respond to security alerts.

6. Information Security Principles

6.1 Asset Management

Identify and classify all information assets.
Assign ownership and implement appropriate security controls based on classification.

6.2 Access Control

Access to information and systems is granted on a need-to-know basis.
Users must authenticate using secure methods (e.g., passwords, MFA).
Privileged access must be logged, monitored, and reviewed regularly.

6.3 Cryptography

Sensitive data must be encrypted at rest and in transit using industry-standard algorithms.

6.4 Physical Security

Offices, server rooms, and data centers must be physically protected.
Access is restricted to authorized personnel only.

6.5 Operations Security

Regularly update and patch systems to mitigate vulnerabilities.
Monitor networks and systems for unauthorized access or anomalies.
Implement backups and disaster recovery procedures.

6.6 Supplier & Third-Party Management

Conduct due diligence before engaging third-party service providers.
Ensure contracts include security obligations and compliance requirements.

6.7 Information Security Incident Management

Establish procedures for detecting, reporting, and responding to security incidents.
Maintain records and conduct post-incident reviews to prevent recurrence.

6.8 Business Continuity

Ensure critical operations can continue during disruptions.
Maintain backup, recovery, and continuity plans in line with the Business Continuity Plan & Disaster Recovery Policy.

6.9 Compliance

Adhere to all applicable laws, regulations, and contractual obligations related to information security and data protection.

7. Risk Management

Conduct regular information security risk assessments.
Identify threats, vulnerabilities, and potential impacts on information assets.
Implement appropriate controls and monitor their effectiveness.
Review and update risk assessments annually or after significant changes.

8. Security Awareness & Training

Provide mandatory security awareness training for all employees upon joining and periodically thereafter.
Educate staff on phishing, social engineering, password management, and data protection practices.
Encourage a security-conscious culture throughout Bayarcash.

9. Policy Compliance & Audit

Compliance with this policy is mandatory.
Internal and external audits will verify adherence to ISO 27001 and related standards.
Non-compliance may result in disciplinary action, up to and including termination.

10. Continuous Improvement

Regularly review and update the ISMS, security policies, and controls.
Incorporate lessons learned from audits, risk assessments, and security incidents.
Benchmark against industry best practices to maintain ISO 27001 compliance.

11. Policy Review

This policy will be reviewed annually or upon significant changes in technology, business operations, or regulatory requirements.