Information Security Policy - CROZ d.o.o.

Strategic Importance and Policy Framework:

  • The management of CROZ d.o.o. considers information security to be of strategic importance to the company and its services.
  • The Information Security Policy defines the need for a security system, its scope, goals, methods to achieve those goals, security controls, roles, responsibilities, and policy management.

Concept and Importance of Information Security:

  • Information security encompasses the protection of the confidentiality, integrity, availability, non-repudiation, accountability, authenticity, and reliability of information assets.
  • Information assets include data, software, physical assets, services, personnel, and intangible assets.

Threats and Protection:

  • Threats to information systems arise from organizational failures, human actions (deliberate or accidental), technical failures, force majeure, and non-compliance with regulations.
  • Information security protects business operations from disruptions, misuse, and errors, ensuring business continuity and risk reduction.

Principles and Sources of Security Controls:

  • The guiding principles are: compliance with legal obligations, risk assessment as the basis for decisions, clearly defined roles and responsibilities, internal agreements, global security objectives, and management of the system over its whole lifecycle.
  • Security controls are derived from legal obligations, the results of risk assessment, and CROZ's business strategy.

Global Information Security Objectives:

  1. Raising Awareness: Promote a culture of information security through education, and measure how well the awareness objectives are met.
  2. Effective Security Organization: Define security roles and assign them the resources and authority they require.
  3. Risk Management: Identify and classify assets, assess the risks to them, and manage those risks on a regular basis.
  4. Effective Security Controls: Select controls that are justified by the assessed risk and are cost-effective.
  5. Business Continuity: Manage business continuity so that the critical parts of the information system remain protected.
  6. Individual Responsibility: Each user is responsible for information security within their own scope of work.
  7. Documentation: Maintain a well-documented information security management system.
  8. Internal Audits and Certification: Conduct internal audits regularly and use their findings to improve the system.

Organization and Responsibilities:

  • Management: Approves the policy and provides the necessary resources and support.
  • CISO: Coordinates the implementation of security measures and security education.
  • Security Office: Implements the policies and manages security documentation and incident handling.
  • Unit Managers: Implement the policy within their own areas of responsibility.
  • Asset Owners: Classify their assets and implement the controls that apply to them.
  • Specialist Team: Resolves security incidents.
  • Internal Auditors: Conduct internal audits.

Implementation Method:

  • The Information Security Policy is based on the ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards.
  • Establishing the system includes risk assessment, selection of security controls, and continuous improvement of the system through monitoring and audits.

This document is the fundamental framework for CROZ's information security system and binds all employees and external collaborators to implement the policy it defines.