Information Security Policy
Owned by: CertCrowd Management
Last updated: 23 October 2025, 8:38 AM
Last updated by: CertCrowd Management
1. Purpose & Policy Statement
This policy sets the direction and provides a framework for establishing, implementing, maintaining, and continually improving the Information Security Management System (ISMS) at CertCrowd, in line with ISO/IEC 27001 and other required frameworks.
Top Management commits to:
- Protecting the confidentiality, integrity, and availability of CertCrowd information assets.
- Meeting applicable requirements, including legal, regulatory, and contractual obligations relevant to information security.
- Using a risk-based approach to select and maintain controls.
- Setting, monitoring, and reviewing information security objectives that are measurable and aligned to business goals.
- Integrating information security into business processes and decision-making.
- Providing resources and competent people to run the ISMS.
- Continually improving the ISMS's effectiveness.
This policy is documented, communicated to all personnel, made available to relevant interested parties as appropriate, and reviewed for continued suitability.
2. Scope & Context
Scope. The ISMS scope covers people, processes, technology, and information within the defined boundaries of CertCrowd's operations, including (as applicable):
- Corporate offices.
- Cloud infrastructure and platforms: CertCrowd production and staging environments, identity and access management, and supporting cloud services.
- Products and services: CertCrowd SaaS platform, web app, APIs; customer tenants/environments.
- Supporting systems: identity, collaboration, code repositories, CI/CD, monitoring.
- Third parties and suppliers with access to CertCrowd information.
Any exclusions from scope must be justified and documented.
Context. The ISMS considers internal and external issues (Clause 4.1) and needs/expectations of interested parties (Clause 4.2), including customers, partners, regulators, employees, and contractors.
3. Roles & Responsibilities
- Top Management (TM): Set direction, provide resources, endorse risk appetite, approve this policy and the Statement of Applicability (SoA), chair management reviews.
- Information Security Manager (ISM): Operate and improve the ISMS; maintain risk management methodology, SoA, incident response, and training; report performance to Top Management.
- Information Owners / Process Owners (ISM): Classify information; approve access; ensure control implementation and compliance in their domains.
- System Owners / Product & Engineering (ISM): Implement secure design, change, and operations controls; maintain logging, vulnerability and patch management, backup/restore, and secure development practices.
- People & Culture (Management) (TM): Manage security screening, onboarding/offboarding, disciplinary process, and awareness programs.
- Procurement / Vendor Management (TM): Conduct supplier due diligence, contractual clauses, and ongoing assurance.
- All Personnel: Comply with policies and procedures, complete training, report incidents and weaknesses promptly.
Authority to enforce this policy falls to the ISM and Management. Non-compliance may result in disciplinary action including termination of employment or contract.
4. Information Security Objectives
The organisation establishes measurable objectives and KPIs aligned to risk and business priorities; these are documented separately and reviewed at least quarterly. Example targets include:
- >=99.9% service availability for customer-facing services.
- 100% critical vulnerabilities remediated within defined timelines; high-severity items remediated within agreed timelines.
- >=95% of the workforce completing annual security training.
- 100% of critical in-scope assets inventoried and classified.
- Backup success rate >=99% and quarterly restore tests successful.
5. Risk Management
CertCrowd maintains a documented risk management methodology aligned with ISO/IEC 27005. Key elements include:
- Risk criteria and appetite: Defined, approved by Top Management, and reviewed annually.
- Assessment: Identify assets, threats, vulnerabilities, and impacts; evaluate likelihood and consequence; consider supply-chain and cloud risks.
- Treatment: Select controls and treatment options; define owners and deadlines; record residual risk and obtain acceptance at the appropriate authority level.
- Monitoring: Track risks and treatment progress; trigger re-assessments on significant change (for example new systems, mergers, incidents).
- Statement of Applicability (SoA): Map selected controls to ISO/IEC 27001 Annex A; justify inclusions/exclusions; maintain current status.
6. Control Framework (Annex A) & Implementation
Controls are selected and implemented based on risk and business needs. Control themes include, but are not limited to:
- Organisation & People: Roles, screening, terms and conditions, awareness, disciplinary process.
- Asset Management: Inventory, ownership, classification, handling, secure disposal.
- Access Control: Least privilege, authentication (including MFA), privileged access.
- Cryptography: Data-at-rest and in-transit encryption, key management.
- Physical & Environmental: Facility access, equipment security.
- Operations Security: Malware protection, logging and monitoring, vulnerability and patch management, backups, change and configuration management.
- Secure Development & DevOps: SDLC policy, code review, SAST/DAST/penetration testing, secrets management, CI/CD hardening.
- Supplier & Cloud Security: Due diligence, contractual clauses, ongoing assurance, exit/transition.
- Incident Management: Detection, reporting, triage, investigation, containment, eradication, recovery, lessons learned, external communications.
7. Legal, Regulatory & Contractual Compliance
CertCrowd identifies and complies with applicable laws, regulations, and contractual requirements related to information security and privacy in the jurisdictions where it operates. Compliance obligations and evidence of adherence are maintained and reviewed periodically. Data protection requirements (for example customer agreements, privacy laws, breach-notification obligations) are addressed within procedures and incident response.
8. Awareness & Training
All personnel must complete security induction upon onboarding and refresher training at least annually. Role-based training is provided for developers, system administrators, and other high-risk roles. Awareness activities (for example phishing simulations, micro-learnings) are conducted to reinforce secure behaviour.
9. Monitoring, Measurement, Audit & Review
- Monitoring and Measurement: KPIs/KRIs are collected and analysed at least quarterly.
- Internal Audit: Planned audits evaluate conformity and effectiveness of the ISMS.
- Management Review (Clause 9.3): Held at least annually; inputs include KPIs, audit results, incidents, risks, opportunities for improvement, resource needs, and changes in context.
10. Continual Improvement & Corrective Action
Nonconformities are addressed via root-cause analysis and corrective actions per Clause 10.2. Opportunities for improvement are tracked and implemented. Lessons learned from incidents, tests, and audits inform improvements to controls, processes, and this policy.
11. Exceptions & Violations
Exceptions to this policy must be requested in writing, supported by risk assessment and compensating controls, approved by the ISM and relevant Information Owner, and time-bound. Violations are investigated and may lead to disciplinary action and/or contractual remedies.
12. Communication & Availability
This policy is published on the CertCrowd "CIS" manuals section of the CertCrowd system and communicated to all personnel. A summary may be provided to customers or other interested parties upon request.