2.1. Scope of the ISMS

For the purposes of certification within Digicore Ltd, the boundaries of the Management Systems are defined in the Digicore Ltd ISMS0401 Context, Requirements and Scope.

2.2. Requirements

A clear definition of the requirements for the Management System will be agreed and maintained within the business so that all activities are focused on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and inputted into the planning process.

Specific requirements regarding the security of new or changed systems and services will be captured as part of the design stage of each project.

It is a fundamental principle of the Digicore Ltd Information Security Management System that the controls implemented are driven by business requirements and this will be regularly communicated to all staff through team meetings and briefing documentation.

2.3. Top Management Leadership and Commitment

Commitment to the Management Systems extends to senior levels of the organisation and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the management systems and associated controls.

Top management will also ensure that a systematic review of performance of the programme is conducted on a regular basis to ensure that objectives are being met and issues are identified through the audit programme and management processes. Management Review can take several forms including departmental and other management meetings.

2.4. Framework for Setting Objectives and Policy

The high-level objectives for information security within Digicore Ltd are defined within the document “DL_ISMS 0401 Context Requirements and Scope”. These are fundamental to the nature of the business and should not be subject to frequent change.

These overall objectives will be used as guidance in the setting of lower level, more short-term objectives within an annual cycle timed to coincide with organisational budget planning. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the overall business requirements, informed by the annual management review with stakeholders.\

ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a biannual basis to ensure that they remain valid. If amendments are required, these will be managed through the change management process.

In accordance with ISO/IEC 27001:2013 the control objectives and policy statements detailed in Annex A of the standard will be adopted where appropriate by Digicore Ltd. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with DL_ISMS0801 Information Security Risk Assessment and Treatment Plan. For references to the controls that implement each of the policy statements given, please see DL_ISMS0602 Statement of Applicability.

2.5. Roles and Responsibilities

Within the field of Information Security Management, there are several key roles that need to be undertaken to ensure successful protection of the business from risk.

Full details of the responsibilities associated with each of the roles and how they are allocated within Digicore Ltd are given in the document DL_ ISMS 0502 Roles, Responsibilities and Authorities.

The Information Security Management System Manager shall have overall authority and responsibility for the implementation and management of the Management Systems, specifically:

• The identification, documentation and fulfilment of applicable requirements
• Implementation, management and improvement of risk management processes
• Integration of processes
• Compliance with statutory, regulatory and contractual requirements in the management of assets used to deliver products and services
• Reporting to top management on performance and improvement

2.6. Continual Improvement Policy

Digicore Ltd policy regarding Continual Improvement is to:

• Continually improve the effectiveness of the ISMS across all areas within scope.
• Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001:2013.
• Achieve certification to the management systems and maintain them on an on-going basis.
• Increase the level of proactivity (and the stakeholder perception of proactivity) regarding the ongoing management of the ISMS.
• Make processes and controls more measurable to provide a sound basis for informed decisions
• Achieve an enhanced understanding of and relationship with the business units to which the ISMS applies.
• Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data.
• Obtain ideas for improvement via regular meetings with stakeholders and document them in DL_ISMS 1003 Improvement Action Log.
• Review the Improvement Action Log at regular management meetings to prioritize and assess timescales and benefits.

• Cost
• Business Benefit
• Risk
• Implementation timescale
• Resource requirement

2.7. Approach to Managing Risk

A risk management strategy and process will be used which is in line with the requirements and recommendations of the Management Systems. This requires that relevant assets be identified, and the following aspects considered:

• Threats
• Vulnerabilities
• Impact and likelihood before risk treatment
• Risk Treatment (e.g. reduction, removal, transfer)
• Impact and Likelihood after risk treatment
• Function responsible/Owner
• Timescale and Review Frequency

• Management planning – risks to the achievement of objectives
• Information security and business continuity risk assessments
• Assessment of the risk of changes via the change management process
• At the project level as part of the management of significant business change

2.8. Human Resources

Digicore Ltd will ensure that all staff involved in ISMS are competent based on appropriate education, training, skills and experience. The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within Digicore Ltd. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place. Training, education and other relevant records will be kept by the Human Resources Department to document individual skill levels attained.

2.9. Auditing and Review

Once in place, it is vital that regular reviews take place of how well the ISMS processes and procedures are being adhered to. This will happen at three levels:

• Structured regular management review of conformity to policies and procedures.
• Internal audit reviews against the management system standards by the Digicore Ltd Audit Team.
• External audit against the standards to gain and maintain certification.

2.10. Documentation Structure and Policy

All policies and plans that form part of the ISMS must be documented. This section sets out the main documents that must be maintained in each area. Details of documentation conventions and standards are given in the DL_ISMS0702 Procedure for the Control of Documents and Records. Several core documents have been created and will be maintained as part of the ISMS. They are uniquely numbered, and the current versions are tracked in DL_ISMS0703 Documentation Log.

2.12. Consequence Management

Employees, suppliers or other stakeholders who observe any deviations to the guidelines of this Policy, may report the fact to the ISMS Manager via email on aadebolatan@digicoreltd.com and may choose to identify themselves. Internally, the failure to comply with the guidelines of this Policy envisages the application of measures to charge the agents who do not comply with this Policy according to related seriousness of such non-compliance.

2.11. Control of Records

The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively. The controls in place to manage records are defined in the document DL_ISMS0702 Procedure for the Control of Documents and Records.