Uppwise’s Information Security Management System Achieves Global ISO 27001:2022 Certification
Information Security Management Policy
Company policy requires that, in line with the company mission, all company processes be managed according to the rules of the Management System defined by the ISO/IEC 27001:2022 standard.
PURPOSE AND OBJECTIVES
Uppwise’s management has defined and disseminated this Information Security Management policy and is committed to maintaining it at all levels of its organization.
The purpose of this policy is:
to ensure the protection of information from all threats, internal or external, intentional or accidental, in the context of its activities, in accordance with the indications provided by the ISO/IEC 27001 standard and the guidelines contained in the ISO/IEC 27002 standard, in their latest versions.
FIELD OF APPLICATION
This policy applies without distinction to all bodies and levels of the Company.
The implementation of this policy is mandatory for all personnel and must be included in agreements with any external party that, for whatever reason, may be involved in processing information that falls within the scope of the Management System (ISMS).
The company allows the communication and dissemination of information externally only for the correct performance of company activities, which must take place in compliance with mandatory rules and regulations.
INFORMATION SECURITY POLICY
The information assets to be protected consist of all the information managed through the services provided and located in all company offices.
It is necessary to ensure:
The lack of adequate levels of security can lead to damage to the corporate image, lack of customer satisfaction, the risk of incurring penalties related to the violation of current regulations as well as damages of an economic and financial nature.
An adequate level of security is also essential for sharing information.
The company identifies all security needs through risk analysis, which provides awareness of the level of exposure of its information system to threats. The risk assessment makes it possible to evaluate the potential consequences and damages that may derive from the failure to apply security measures to the information system, and the realistic probability that the identified threats will materialize.
The results of this assessment determine the actions necessary to manage the identified risks and the most suitable security measures.
The general principles of information security management embrace various aspects:
RESPONSIBILITY FOR COMPLIANCE AND IMPLEMENTATION
Compliance with and implementation of the policies are the responsibility of:
Any employee, consultant and/or external collaborator of the Company who, intentionally or negligently, disregards the established safety rules and thereby causes damage to the Company may be prosecuted in the appropriate venues, in full compliance with legal and contractual obligations.
REVIEW
The Management will check the effectiveness and efficiency of the Management System periodically and regularly, or in conjunction with significant changes, in order to ensure adequate support for the introduction of all necessary improvements and to foster a continuous process through which the policy is monitored and adjusted in response to changes in the corporate environment, the business and legal conditions.
The Management System Manager is responsible for reviewing the policy. The review should verify the status of preventive and corrective actions and adherence to the policy.
The review must take into account all changes that may affect the company’s approach to information security management, including organizational changes, the technical environment, resource availability, legal, regulatory or contractual conditions, and the results of previous reviews. The result of the review shall include all decisions and actions relating to the improvement of the company’s approach to information security management.
MANAGEMENT COMMITMENT
Management actively supports information security in the company through clear direction, clear commitment, explicit assignments and acknowledgment of responsibilities related to information security.
The management’s commitment is implemented through a structure whose tasks are:
Milan, 04/05/2022