Information security policy

1. Introduction

1.1 Purpose

The purpose of this Information Security Policy is to establish and maintain an effective information security management system (ISMS) at Vertiseit AB and all subsidiaries. This policy outlines the commitment, responsibilities, and guidelines to safeguard the confidentiality, integrity, and availability of information assets.

1.2 Scope

This policy is applicable to all employees, contractors, third-party vendors, and any individuals who have access to the information assets of Vertiseit AB and all its subsidiaries, including the business brands Grassfish and Dise. For the purposes of this document, these entities and their subsidiaries will hereinafter be collectively referred to as ‘the organisation’.

2. Information Security Management System (ISMS)

2.1 ISO 27001 and SOC 2 Compliance

The organisation is committed to maintaining compliance with ISO 27001 and SOC 2. The organisation will undergo regular assessments and audits to ensure the ISMS meets these requirements.

2.2 Risk Management

The organisation will conduct regular risk assessments to identify, assess, and manage information security risks. Risk mitigation measures will be implemented to minimize potential threats.

2.3 Continuous Improvement

The ISMS will be continuously reviewed and improved to adapt to changes in technology, business processes, and security threats.

3. Information Classification and Handling

3.1 Data Classification

All information assets will be classified based on sensitivity, and appropriate security controls will be implemented to protect each classification level.

3.2 Data Handling

Employees must follow established procedures for the secure handling, storage, and transmission of information assets.

Employees must ensure their desks are clear of all confidential documents and removable storage media when not in use or upon leaving their desks. Screens must be locked when stepping away to prevent unauthorised viewing of information.

4. Access Control

4.1 User Access Management

Access to information systems and data will be granted based on the principle of least privilege. Access requests, modifications, and terminations will be documented and regularly reviewed.

4.2 Authentication and Authorization

Strong authentication mechanisms will be implemented, and authorization processes will ensure that users have access only to the resources necessary for their roles.

4.3 Single Sign-On and Multi-Factor Authentication

As part of our commitment to streamline access and enhance security, the organisation aims to implement Single Sign-On (SSO) and Multi-Factor Authentication (MFA) across all products used within the organisation.

5. Physical and Environmental Security

5.1 Secure Work Environments

Physical security measures will be implemented to protect information assets, including controlled access to facilities, surveillance, and protection against environmental threats.

6. Incident Response and Management

6.1 Incident Reporting

Users are encouraged to report any observed or suspected security breaches, misuse of IT assets, or violations of this policy to their supervisor, the IT department, or through the organisation’s designated reporting channels.

6.2 Incident Response Plan

The organisation will maintain an incident response plan outlining procedures for detecting, responding to, and recovering from security incidents.

The organisation will comply with all applicable laws and regulations related to information security in the countries where we operate.

7.2 Monitoring and Audit

Regular monitoring and audits of the ISMS will be conducted to ensure compliance with ISO 27001 and SOC 2.

8. Employee Training and Awareness

8.1 Security Awareness

All employees will receive regular training on information security policies and practices to foster a security-aware culture.

8.2 Responsibilities

Employees are responsible for understanding and complying with this Information Security Policy and related procedures.

9. Review and Approval

This Information Security Policy will be reviewed annually and updated as needed. Approval for changes will be obtained from the Information Security Officer.

10. Contact Information

For questions or concerns related to information security, employees can contact the Information Security Officer.

Information Security Officer: Emil Brandt 073-35 70 104