Documents & Resources

Security policies, certifications, and compliance documentation.

Policies

Information Security Policy

Establishes the overall direction and principles for information security management across the organization.

Personal Data Protection Policy

Establishes requirements for protecting personal data in accordance with GDPR and applicable data protection regulations.

Human Resource Management Policy

Defines security requirements related to human resources including hiring, training, and termination procedures.

Suppliers and Services Management Policy

Establishes security requirements for managing third-party suppliers and external services.

Physical Security Policy

Establishes requirements for physical access controls and facility security.

Business Continuity Policy

Establishes requirements for maintaining business operations during disruptions and disaster recovery.

Asset Management Policy

Defines requirements for identifying, classifying, and managing information assets throughout their lifecycle.

Remote Work Security Policy

Establishes security requirements for employees working remotely or from home.

Encryption and Cryptography Policy

Establishes requirements for the use of encryption and cryptographic controls to protect data.

Legal Compliance Policy

Establishes the framework for ensuring compliance with applicable laws, regulations, and contractual obligations.

Endpoint Security Policy

Defines security requirements for workstations, laptops, and other endpoint devices.

Vulnerability Management Policy

Establishes the process for identifying, assessing, and remediating security vulnerabilities.

Network and Network Services Management Policy

Defines requirements for securing network infrastructure, segmentation, and network services.

Event Monitoring Policy

Defines requirements for security event logging, monitoring, and analysis.

Backup Policy

Defines requirements for data backup, storage, retention, and recovery procedures.

Passwords and Identifiers Management Policy

Defines requirements for password complexity, management, and user identification.

Incident Management Policy

Establishes procedures for detecting, responding to, and recovering from security incidents.

ISMS Roles and Responsibilities

Internal allocation of tasks divides responsibilities and roles within the ISMS scope. Board representatives are assigned for security and risk oversight.

Segregation of Duties - ISMS

ISMS roles documented in the organization's role matrix define separation of responsibilities to prevent conflicts of interest.

Contact with Authorities and Interest Groups

Procedures for contact with legal and regulatory authorities and with professional security forums are defined in the Information Security Policy.

Employment Terms - Security Obligations

Employment contracts include security responsibilities. Failure to comply may result in disciplinary actions per Information Security Policy.

NDA and Confidentiality Agreements

Confidentiality provisions used in contracts with clients and suppliers. Dedicated NDAs for cooperation agreements.

Information Classification and Labelling

Information classified into levels (Legally Protected, Confidential, Internal, Public). Labelling and handling rules documented.

Acceptable Use of Information

Rules for acceptable use of classified information documented in Information Security Policy.

Clear Desk and Clear Screen Policy

Workplace security principles minimizing risks through clear desk/screen practices.

Cloud Security Guidelines

Cloud technology security guidelines. Security recommendations for project and service use.

Legal Documents and Compliance Management

Legal requirements identified, reviewed and monitored. Organization adjusts to customer requirements and regulatory changes.

Software Licensing Compliance

Cloud services implemented per licensing requirements. Operating systems purchased with hardware to ensure compliance.

AI Acceptable Use Policy

Organization-wide policy defining permitted and prohibited uses of AI tools. Specifies which data classifications may be shared with AI services (Public and Internal only — never Confidential or Legally Protected). Lists approved AI platforms (OpenAI, Anthropic, Google Gemini, Mistral, Cursor). Prohibits use of AI for final decisions on hiring, legal matters, or financial approvals without human review. Requires disclosure when AI-generated content is delivered to clients. Covers mandatory human verification of AI-generated output before use in production code, documentation, client deliverables, or decision-making. Defines secure prompt engineering practices and awareness of prompt injection risks. Establishes multi-provider fallback expectations for AI-dependent workflows.

AI Governance Framework and EU AI Act Compliance

Comprehensive AI governance framework aligned with the EU AI Act (Regulation 2024/1689). Maintains a living inventory of all AI systems used across the organization, classified by EU AI Act risk category: Unacceptable Risk (Art. 5 — prohibited practices), High-Risk (Art. 6 & Annex III), Limited Risk (Art. 50 — transparency obligations), and Minimal Risk. Documents each AI system's purpose, data inputs/outputs, provider, data residency, training data opt-out status, and accountable business owner. Addresses key EU AI Act requirements: transparency obligations for general-purpose AI (Art. 52-53), fundamental rights impact assessment for high-risk systems (Art. 27), conformity assessment procedures, and incident reporting obligations. Defines bias monitoring procedures for AI used in sensitive contexts (hiring, assessments, client work). Establishes escalation paths for AI incidents and annual review cycle. Tracks enforcement timeline: prohibited practices (Feb 2025), GPAI rules (Aug 2025), high-risk obligations (Aug 2026). Penalties: up to 35M EUR or 7% of global turnover.