
ISMS Policy

1. OBJECTIVE

Establish senior management's commitment and leadership by defining the General Information Security Policy in accordance with Aranda Software and with the aim of preserving the integrity, confidentiality, and availability of information.

2. SCOPE

Applies to the information assets necessary for the operation of the Support, Operations, and Development processes located in the Microsoft Azure cloud for the solutions offered by Aranda Software in SaaS mode, and must be complied with by the entire organization.

2.1. Target Audience

All employees and other stakeholders who manage, use, or access Aranda Software's information assets. 

3. APPLICABLE PERIOD

This policy is effective as of December 28, 2023, the date on which it was approved. It must be reviewed annually or updated whenever there are changes in the purpose or context of the organization, the scope of the Information Security Management System, or when there are legal, statutory, or regulatory changes; and compliance with the provisions contained herein must be monitored.

4. DEFINITIONS

Asset: Any item that has value to the organization. For information security risk management, the following are considered: information, software, physical assets, services, people, and intangible assets.

Confidentiality: The property of information that prevents it from being made available or disclosed to unauthorized individuals, entities, or processes. 

Availability: The property of being accessible and usable upon request by an authorized entity. [Source: ISO 27000].  

Importance of the asset: A value that reflects the level of protection required for an information asset with respect to the three properties of information security: integrity, confidentiality, and availability.

Integrity: The property of accuracy and completeness. [Source: ISO 27000]. 

Monitoring: Verification, supervision, critical observation, or continuous assessment of a condition in order to identify changes relative to the required or expected level of performance.

Party involved: A person or organization that may affect, be affected by, or perceive itself as affected by a decision or an activity. A decision-maker may be a stakeholder. [Source: ISO 31000].

Risk: Effect of uncertainty on objectives. An effect is a deviation from what is expected, whether positive, negative, or both. Objectives may have different aspects (economic, image, environmental) and may apply at different levels (strategic, operational, organization-wide). [Source: ISO 31000].

5. RESPONSIBILITIES

Senior Management: Definition, publication, communication, and implementation of the General Information Security Policy. 

Process Leaders: Leading the implementation and adoption of the General Information Security Policy in their processes.

Employees and other stakeholders: Adopting and complying with the guidelines contained in the General Information Security Policy.

Third parties and/or supply chain: Adopting and complying with the guidelines contained in the General Information Security Policy issued by Aranda Software in this document.

6. DESCRIPTION

6.1. Applicable Regulations

The regulations applicable to this policy can be found in the Information Security Management System (ISMS) Regulatory Matrix.

6.2. Policy Guidelines

The purpose of this document is to describe the General Policy of the Information Security Management System (ISMS), in accordance with the international standard ISO 27001 and other national and international provisions regarding the principles of information security (integrity, confidentiality, and availability). 

The implementation of the Policy must aim to protect Aranda Software’s information assets against any threat that affects the three pillars of information.  

Given that information security must constantly evolve—as organizations face persistent and emerging threats driven by technological changes and shifts in their operating environment—the Information Security Management System must adapt to this situation.  

Given the above, policies require ongoing review, updating, approval, and adaptation to achieve the goal of continuous improvement. 

6.3. ISMS Policy

Aranda Software, recognizing the importance of information security and viewing it as a fundamental factor that must be integrated into its processes and institutional mission, is committed to preserving the confidentiality, integrity, and availability of information through the implementation and continuous improvement of the Information Security Management System – ISMS, by monitoring compliance with objectives, implementing strategies, controls, and guidelines that enable the proper management of its information security assets, risks, and incidents, and by allocating the necessary resources to ensure compliance with legal and organizational requirements and contractual obligations regarding the handling and/or processing of information.  

The organization is committed to addressing the potential impacts of climate change on information security by incorporating sustainability and resilience criteria into the risk management of the ISMS. 

It promotes the development of an information security culture among its employees and other stakeholders, enabling the effective implementation of security controls and best practices developed within the organization. 

6.4. ISMS Objectives
  • To reduce the likelihood of information security risks materializing—risks that could compromise the confidentiality, integrity, and availability of information—through effective risk management.  
  • Raise employee awareness of the importance of protecting information assets through training on information security topics, so that compliance with policies, procedures, and other guidelines established within the ISMS management framework can be demonstrated. 
  • Ensure that information security incidents are addressed in a timely manner by implementing an effective procedure for identifying, reporting, and handling them. 
  • Address in a timely manner any corrective actions and observations identified through follow-ups, internal/external audits, and planned reviews.
  • Provide the financial, human, and infrastructure resources required to maintain the Information Security Management System (ISMS) and ensure that risks are properly managed at Aranda Software.

6.5. Compliance

All employees and, in general, all stakeholders identified in Aranda Software’s Information Security Management System must comply fully with the policy. 

Failure to comply with this policy and the provisions contained herein may result in disciplinary action, investigations, and/or legal action, in accordance with Aranda Software’s internal procedures and other guidelines applicable to the organization. 

7. REFERENCES

NTC ISO 27001:2022 

8. APPENDICES
  • ISMS Objectives
  • Scope of the ISMS