1. Purpose
The purpose of this policy is to define the principles, responsibilities, and framework for managing information security at Bayarcash in alignment with ISO 27001. This ensures that:
- Sensitive information is protected against unauthorized access, disclosure, alteration, and destruction.
- Regulatory, contractual, and business requirements are met.
- Risks to information assets are systematically identified, assessed, and mitigated.
2. Scope
This policy applies to:
- All Bayarcash employees, contractors, third parties, and service providers.
- All information assets including digital data, documents, communications, applications, and IT infrastructure.
- All business units, systems, and locations operated by Bayarcash.
3. Policy Statement
Bayarcash is committed to:
- Maintaining confidentiality, integrity, and availability of information.
- Implementing a risk-based approach to information security management.
- Continually improving the Information Security Management System (ISMS) in accordance with ISO 27001.
- Complying with relevant legal, regulatory, and contractual obligations.
4. Information Security Objectives
Bayarcash will:
- Protect customer, employee, and business information from unauthorized access or disclosure.
- Ensure information systems are resilient, reliable, and available when needed.
- Detect and respond promptly to security incidents.
- Conduct regular risk assessments and implement appropriate controls.
- Provide security awareness training to all personnel.
5. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Executive Management | Approve and support the ISMS and related policies. Ensure resources are allocated for effective information security management. |
| CISO / Information Security Manager | Lead the implementation and maintenance of the ISMS. Monitor compliance with the Information Security Policy. Report on security risks and incidents to management. |
| Department Heads | Ensure staff comply with information security policies and procedures. Identify information assets and classify them according to sensitivity. |
| Employees | Follow security procedures and guidelines. Report any actual or suspected information security incidents immediately. |
| IT / Security Team | Implement technical security controls, including access control, encryption, and monitoring. Maintain systems and respond to security alerts. |
6. Information Security Principles
| Principle | Description |
|---|---|
| Asset Management | Identify and classify all information assets. Assign ownership and implement appropriate security controls based on classification. |
| Access Control | Access to information and systems is granted on a need-to-know basis. Users must authenticate using secure methods (e.g., passwords, MFA). Privileged access must be logged, monitored, and reviewed regularly. |
| Cryptography | Sensitive data must be encrypted at rest and in transit using industry-standard algorithms. |
| Physical Security | Offices, server rooms, and data centres must be physically protected. Access is restricted to authorised personnel only. |
| Operations Security | Regularly update and patch systems to mitigate vulnerabilities. Monitor networks and systems for unauthorised access or anomalies. Implement backups and disaster recovery procedures. |
| Supplier & Third-Party Management | Conduct due diligence before engaging third-party service providers. Ensure contracts include security obligations and compliance requirements. |
| Incident Management | Establish procedures for detecting, reporting, and responding to security incidents. Maintain records and conduct post-incident reviews to prevent recurrence. |
| Business Continuity | Ensure critical operations can continue during disruptions. Maintain backup, recovery, and continuity plans in line with the Business Continuity Plan & Disaster Recovery Policy. |
| Compliance | Adhere to all applicable laws, regulations, and contractual obligations related to information security and data protection. |
7. Risk Management
- Conduct regular information security risk assessments.
- Identify threats, vulnerabilities, and potential impacts on information assets.
- Implement appropriate controls and monitor their effectiveness.
- Review and update risk assessments annually or after significant changes.
8. Security Awareness & Training
- Provide mandatory security awareness training for all employees upon joining and periodically thereafter.
- Educate staff on phishing, social engineering, password management, and data protection practices.
- Encourage a security-conscious culture throughout Bayarcash.
9. Policy Compliance & Audit
- Compliance with this policy is mandatory.
- Internal and external audits will verify adherence to ISO 27001 and related standards.
- Non-compliance may result in disciplinary action, up to and including termination.
10. Continuous Improvement
- Regularly review and update the ISMS, security policies, and controls.
- Incorporate lessons learned from audits, risk assessments, and security incidents.
- Benchmark against industry best practices to maintain ISO 27001 compliance.
11. Policy Review
This policy will be reviewed annually or upon significant changes in technology, business operations, or regulatory requirements.