ISMS Information Security Policy
1. Purpose
As a provider of managed services in the cloud, information security is a valuable asset for VSHN. The availability and protection of information is essential for ensuring the provision of VSHN’s services. Data, information, applications, systems, and connections must be protected from influences such as technical failure, force majeure, attacks, and human error to the best of our knowledge and belief.
This is the top-level policy regarding information security and is valid within the defined scope. All VSHN employees and relevant external parties must be aware of this policy and comply with it.
2. Information Security: Basic Concepts
The goal of information security is to ensure the confidentiality, integrity, and availability (known as C-I-A) of information.
- Confidentiality: Only authorized persons or systems are allowed to access the information.
- Integrity: Only authorized persons or systems may make changes to the information, and only in an authorized manner.
- Availability: Information is available when needed by authorized persons or systems.
An Information Security Management System (ISMS) as part of the overall management process ensures that the planning, implementation, maintenance, review and improvement of information security is addressed.
3. Information Security Management
VSHN’s top management (represented by the ISMS Governance role) is committed to supporting the maintenance and continuous improvement of an ISMS. Adequate resources will be made available to achieve all the objectives set out in this policy.
3.1. Information Security Requirements
Information security is everyone’s responsibility: employees at all levels are trained and encouraged to take responsibility for information security. VSHN is committed to using the best available technology within its economic means. Compliance with all relevant requirements (legal, regulatory and customer requirements) is a matter of course. In addition, VSHN undertakes to work continuously on improving information security.
3.2. Objectives
VSHN operates an ISMS with the aim of promoting information security in a targeted manner and continuously improving the company’s performance. Processes and procedures are defined in such a way that information security is complied with. The entire system is audited at regular intervals, including services provided by third parties.
High-level goals of VSHN regarding information security are:
- Maintain an ISMS according to ISO/IEC 27001 and maintain its certification.
- Conduct regular risk assessments within VSHN’s domains to identify areas for improvement.
- Build customer confidence in VSHN’s information security.
- Reduce the audit effort required by external parties.
- Assist the sales process with information security.
- Support internal IT in running secure services.
- Enhance information security awareness among all employees.
- Oversee and ensure adherence to policies regarding information security.
To achieve these goals, VSHN:
- assigns the CISO role,
- ensures its ISMS is ISO/IEC 27001 certified and provides additional reports and certifications as needed to show customers our strong commitment to information security,
- ensures its ISMS is aligned with VSHN’s company OKRs and sets objectives according to 6.2 Information security objectives and planning to achieve them.
4. Responsibilities
The following responsibilities apply to VSHN’s ISMS:
- The ISMS Governance role is responsible for ensuring that the ISMS is implemented and maintained in accordance with this policy and that all necessary resources are available.
- VSHN must review the ISMS at least once a year (and whenever significant changes occur) and record this in an annual Management Review.
- The CISO is responsible for the operation of the ISMS according to the role description.
- The CISO ensures this policy is communicated within VSHN.
- The protection of the integrity, availability and confidentiality of assets is the responsibility of the owner of the respective assets.
- All security incidents or vulnerabilities must be reported to the CISO in accordance with incident management procedures.
- All VSHNeers must adhere to ISMS policies.
5. Reference documents
- ISO/IEC 27001:2022 Standard,
  - Section 5.1 — Leadership and commitment
  - Section 5.2 — Policy
  - Section 5.3 — Organizational roles, responsibilities and authorities
- Scope of the ISMS
- Business Strategy decisions dated
  - 2015-02-17 GL Meeting Notes
  - 2015-12-15 GL Meeting Notes
  - 2023-05-08 - VIP-293 - Approve Scope of ISMS
This policy is tracked and reviewed with ticket ISMS-150
Approval date | 2024-06-25
Approved with |
Last reviewed | 2024-06-25 with ISMS-1334
Classification | Public