**1. Introduction**
Together Software Ltd is committed to maintaining the confidentiality, integrity, and availability of its information assets and protecting them from unauthorized access, disclosure, alteration, and destruction. This Information Security Management System (ISMS) policy outlines the principles and practices that govern information security within our organization.
**2. Scope**
This policy applies to all employees, contractors, and third parties who have access to Together Software Ltd's information assets, including but not limited to electronic data, physical records, communication systems, and IT infrastructure. It encompasses all areas of information security, including data protection, access control, risk management, incident response, and compliance with relevant laws and regulations.
**3. Information Security Objectives**
- Ensure the confidentiality of sensitive information by implementing appropriate access controls, encryption measures, and data protection mechanisms.
- Maintain the integrity of data and prevent unauthorized modification, deletion, or corruption through secure storage and transmission practices.
- Ensure the availability of information assets and IT systems by implementing redundancy, backup, and disaster recovery measures.
- Minimize the risk of security incidents and data breaches through proactive risk assessment, vulnerability management, and security awareness training.
- Comply with all applicable laws, regulations, and industry standards related to information security, privacy, and data protection.
**4. Responsibilities**
- Senior Management: Senior management is responsible for establishing and maintaining the ISMS, providing adequate resources and support for information security initiatives, and demonstrating leadership and commitment to information security.
- Information Security Officer (ISO): The ISO is responsible for overseeing the implementation of the ISMS, conducting risk assessments, developing security policies and procedures, and coordinating incident response activities.
- Employees: All employees are responsible for adhering to information security policies and procedures, safeguarding sensitive information, reporting security incidents or breaches, and participating in security awareness training.
**5. Information Security Controls**
- Access Control: Access to information assets shall be restricted to authorized individuals based on the principle of least privilege. User access rights shall be granted, revoked, and periodically reviewed to ensure that access levels remain appropriate.
- Data Protection: Sensitive information shall be encrypted in transit and at rest, and access to confidential data shall be protected through strong authentication mechanisms.
- Incident Response: An incident response plan shall be developed and maintained to address security incidents and data breaches promptly. This plan shall include procedures for reporting incidents, assessing impact, containing the incident, and recovering affected systems.
- Risk Management: Regular risk assessments shall be conducted to identify, evaluate, and mitigate information security risks. Controls shall be implemented to address identified risks, and risk management activities shall be reviewed and updated as necessary.
- Compliance: Together Software Ltd shall comply with all applicable laws, regulations, and industry standards related to information security, privacy, and data protection, including but not limited to GDPR, CCPA, and industry-specific regulations.
**6. Training and Awareness**
All employees shall receive regular information security training and awareness programs covering policies, procedures, and best practices, to ensure understanding of and compliance with the ISMS.
**7. Monitoring and Review**
The effectiveness of the ISMS shall be monitored through regular audits, security assessments, and performance metrics. The ISMS policy and associated procedures shall be reviewed and updated periodically to reflect changes in technology, regulations, and business practices.
**8. Policy Review and Approval**
This ISMS policy has been reviewed and approved by senior management and is effective as of 1st January 2024. It shall be communicated to all employees, contractors, and third parties with access to Together Software Ltd's information assets, and compliance with the policy shall be enforced accordingly.