Compliance Framework Alignment
ISO/IEC 27001:2022 — Information Security Management Systems
ISO/IEC 27002:2022 — Information Security Controls
SOC 2 (AICPA) — Trust Services Criteria (Security, Availability, Confidentiality)
Digital Personal Data Protection Act, 2023 (DPDP Act, India)
CERT-In Incident Reporting Guidelines (India)
This policy is aligned with ISO 27001:2022. ISO 27001 certification requires a full ISMS implementation including risk assessment, Statement of Applicability, and internal audits. SOC 2 requires a Type II audit by an accredited CPA firm.
ACME TECHNOLOGIES PVT LTD INFORMATION SECURITY POLICY Aligned with ISO 27001:2022
Effective Date [Effective Date]
Review Date [Review Date]
Framework Alignment ISO 27001:2022
Security Officer Vikram Patel
Incident Reporting security@company.com
Management Statement — [CEO / MD name], CEO/MD:
The security of information assets is fundamental to the trust of our customers, partners, and employees. Acme Technologies Pvt Ltd is committed to maintaining a robust Information Security Management System (ISMS) aligned with ISO 27001:2022. This Policy establishes our commitment to protecting information assets from threats that could compromise their confidentiality, integrity, or availability.
1. Purpose and Scope
This Information Security Policy ("Policy") establishes the framework for managing information security across Acme Technologies Pvt Ltd. It applies to all employees, contractors, consultants, and third parties ("Personnel") who access the Company's information assets, systems, and infrastructure, including cloud-hosted environments. The Policy supports compliance with ISO 27001:2022 and applicable data protection regulations.
2. Information Security Objectives
The Company's information security objectives are to: (a) ensure the Confidentiality of information — protecting information from unauthorised access; (b) maintain the Integrity of information — safeguarding accuracy and completeness; (c) ensure the Availability of information — ensuring authorised users can access information when needed; (d) comply with applicable legal, regulatory, and contractual security requirements; (e) continuously improve the ISMS through risk management and regular review.
3. Information Asset Classification
All information assets shall be classified and protected according to their sensitivity: (a) Public — information approved for public release; (b) Internal — non-sensitive business information for internal use; (c) Confidential — sensitive business, customer, or employee data requiring restricted access; (d) Restricted — highly sensitive data including personal data, trade secrets, financial records, and credentials — access on strict need-to-know basis.
4. Access Control
Access to information assets shall be based on the principle of least privilege: (a) access shall be granted only to the minimum necessary for an individual's job function; (b) user access rights shall be reviewed at least every 6 months and upon role changes; (c) access shall be promptly revoked upon termination of employment or contractor engagement; (d) multi-factor authentication (MFA) is required for all interactive user access to Company systems, without exception, including remote, privileged and cloud console access; (e) shared or generic accounts are prohibited.
5. Password and Authentication Policy
Passwords must meet the following minimum requirements: (a) minimum length of 12 characters; (b) include uppercase, lowercase, numbers, and special characters; (c) not reuse any of the last 10 passwords; (d) be changed every 90 days for privileged accounts and every 180 days for standard accounts, and immediately on suspicion of compromise; (e) not be shared. Password managers are approved for use. Default vendor or manufacturer passwords must be changed immediately on deployment.
6. Network and System Security
Network and system security controls shall include: (a) firewalls and network segmentation separating production, development, and corporate environments; (b) critical patches applied to all systems within 30 days of release, and patches for actively exploited (zero-day) vulnerabilities within 7 days; (c) endpoint protection (anti-malware) on all company devices; (d) encryption of all data in transit using TLS 1.2 or higher; (e) regular vulnerability assessments (at least quarterly) and penetration testing (at least annually); (f) a web application firewall (WAF) for internet-facing applications; (g) cloud environments operated under the shared responsibility model with the cloud provider, with security baselines applied to all cloud accounts.
7. Data Protection and Encryption
All sensitive data (Confidential and Restricted classification) must be encrypted: (a) at rest — using AES-256 or equivalent; (b) in transit — using TLS 1.2 or higher; (c) on portable devices and removable media — full-disk encryption required. Cryptographic keys shall be managed securely, rotated regularly, and stored separately from the data they protect.
8. Security Incident Management
All actual or suspected security incidents must be reported immediately to security@company.com. The incident response process includes: (a) Detection and reporting — internal reporting within 4 hours of detection; (b) Containment — immediate steps to limit damage; (c) Investigation — root cause analysis; (d) Remediation — address the root cause and close the vulnerabilities exploited; (e) Post-incident review — lessons learned. Cyber security incidents of the types listed in the CERT-In directions must be reported to CERT-In within 6 hours of noticing them, and breaches involving personal data must additionally be reported to the Data Protection Board and affected Data Principals as required under the DPDP Act.
9. Business Continuity and Disaster Recovery
The Company shall maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) with the following targets: Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 1 hour. The BCP/DRP shall be tested at least annually. Critical systems and data shall have automated backups with regular restore testing. Backup data must be stored in geographically separate locations.
10. Third-Party and Vendor Security
Third-party vendors and service providers who access Company information assets must demonstrate adequate information security through: (a) security questionnaires and risk assessments before onboarding; (b) contractual security obligations (Data Processing Agreements where applicable); (c) periodic security reviews for critical vendors; (d) right-to-audit clauses for high-risk processors. Cloud service providers must provide SOC 2 reports or equivalent attestations.
11. Security Awareness and Training
All employees shall complete information security awareness training within 30 days of joining and annually thereafter. Phishing simulation exercises shall be conducted at least twice per year. Security training for developers shall include secure coding practices (OWASP Top 10). Personnel who fail phishing simulations or security assessments shall receive additional targeted training.
12. Policy Compliance and Enforcement
Compliance with this Policy is mandatory for all Personnel. Violations may result in disciplinary action up to and including termination of employment and, where applicable, criminal prosecution. The CISO is responsible for monitoring compliance. Internal audits of the ISMS shall be conducted at least annually.
13. Policy Review and Update
This Policy shall be reviewed at least annually, following significant security incidents, major organisational changes, or changes in the threat landscape. Policy changes must be approved by the CISO and management, and communicated to all Personnel. The next scheduled review date is [Review Date].
This Information Security Policy has been approved by the management of Acme Technologies Pvt Ltd and is effective from [Effective Date].
CEO / Managing Director
[CEO / MD name]
______________________
CISO / Information Security Officer
Vikram Patel
______________________