
ISMS Policy

1. OBJECTIVE

Establish the commitment and leadership of senior management by defining the General Information Security Policy in accordance with Aranda Software's Information Security Management System, with the purpose of preserving the integrity, confidentiality, and availability of information.

2. SCOPE

Applies to the information assets necessary for the operation of the Support, Operations, and Development processes hosted in the Microsoft Azure cloud for the solutions offered by Aranda Software in SaaS mode, and must be complied with by the entire organization.

2.1. Policy addressees

All employees and other stakeholders who manage, use, or access Aranda Software's information assets. 

3. APPLICABLE PERIOD

This policy is effective as of 12/28/2023, the date on which it was approved. It must be reviewed annually, and updated whenever there are changes in the purpose or context of the organization, in the scope of the Information Security Management System, or in applicable legal, statutory, or regulatory requirements. Compliance with the provisions contained herein must be monitored.

4. DEFINITIONS

Asset: Any element that has value for the organization. For information security risk management, the following are considered: information, software, physical elements, services, people, and intangibles.

Confidentiality: The property of information that prevents it from being made available or disclosed to unauthorized individuals, entities, or processes. 

Availability: The property of being accessible and usable upon demand by an authorized entity. [Source: ISO 27000].  

Asset importance: Value that reflects the level of protection required for an information asset in relation to the three properties of information security: integrity, confidentiality, and availability.

Integrity: The property of accuracy and completeness. [Source: ISO 27000]. 

Monitoring: Verification, supervision, critical observation, or continuous determination of status in order to identify changes with respect to the required or expected level of performance.

Interested party: A person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. A decision maker can be an interested party. [Source: ISO 31000].

Risk: Effect of uncertainty on objectives. An effect is a deviation from what is expected, whether positive, negative, or both. Objectives can have different aspects (economic, image, environmental) and can apply at different levels (strategic, operational, entire organization). [Source: ISO 31000].

5. RESPONSIBILITIES

Senior Management: Definition, publication, communication, and implementation of the General Information Security Policy. 

Process Leaders: Leading the implementation and adoption of the General Information Security Policy in their processes.

Collaborators and other interested parties: Adopting and complying with the guidelines contained in the General Information Security Policy.

Third parties and/or supply chain: Adopting and complying with the guidelines contained in the General Information Security Policy issued by Aranda Software within this document.

6. DESCRIPTION

6.1. Applicable regulations

The regulations applicable to this policy can be consulted in the Information Security Management System (ISMS) Normogram. 

6.2. Policy guidelines

The purpose of this document is to describe the General Policy of the Information Security Management System (ISMS), in accordance with the international framework NTC ISO 27001 and other national and international provisions regarding the principles of information security (integrity, confidentiality, and availability).

The application of the Policy must seek to protect the information assets of Aranda Software against any threat that affects the three pillars of information security.

Because organizations face both persistent and new threats as technology and the conditions of their environment change, information security must remain in constant evolution, and the Information Security Management System must adapt accordingly.

By virtue of the above, policies require permanent review, updating, approval, and adaptation in order to achieve continuous improvement.

6.3. ISMS Policy

Aranda Software, aware of the importance of information security and considering it a fundamental factor that must be incorporated into its processes and institutional mission, is committed to preserving the confidentiality, integrity, and availability of information through the implementation and continuous improvement of the Information Security Management System (ISMS). To this end, it monitors the fulfillment of the ISMS objectives; implements strategies, controls, and guidelines that allow it to adequately manage its information assets, risks, and information security incidents; and allocates the resources necessary to ensure compliance with legal requirements and with organizational and contractual obligations relating to the handling and/or processing of information.

The organization is committed to considering the potential impacts of climate change on information security, integrating sustainability and resilience criteria into the ISMS risk management process.

Aranda Software promotes among its collaborators and other related persons the formation of an information security culture that allows the effective adoption of the controls and good security practices designed within the organization.

6.4. ISMS Objectives
  • Reduce the probability of materialization of information security risks that may compromise the confidentiality, integrity, and availability of information, by means of adequate risk management.
  • Raise awareness among employees of the importance of protecting information assets through training on information security topics, so that compliance with the policies, procedures, and other guidelines designed within the ISMS framework can be demonstrated.
  • Ensure timely attention to information security incidents by implementing an effective procedure for identifying, reporting, and handling them.
  • Address in a timely manner the corrective actions and observations arising from follow-ups, internal/external audits, and planned reviews.
  • Provide the financial, human, and infrastructure resources required to maintain the Information Security Management System (ISMS) and ensure adequate treatment of risks in Aranda Software.

6.5. Compliance

All employees and, in general, all interested parties identified in Aranda Software's Information Security Management System must comply with this policy in full.

Failure to comply with this policy and the provisions contained herein may lead to disciplinary actions, investigations, and/or legal actions, in accordance with the internal procedures of Aranda Software and other guidelines applicable to the organization.

7. REFERENCES

NTC ISO 27001:2022

8. ANNEXES
  • ISMS Objectives
  • ISMS Scope