Elastx Information Security Policy

Elastx AB is an ISO 27001 certified company. We are committed to continuous improvement of our Information Security Management System and strive for better security policies. Goals are in line with the organization's business objectives, strategy and business plans. Date of version: 2023-02-28

1. Purpose, scope and users

The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management. This Policy is part of Elastx's entire Information Security Management System (ISMS).

This document is the public version of Elastx's Information Security Policy and can be shared with external parties.

2. Basic information security terminology

Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.

Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.

Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.

Information security – preservation of confidentiality, integrity and availability of information.

Information Security Management System (ISMS) – the part of the overall management processes that takes care of planning, implementing, maintaining, reviewing, and improving information security.

3. Managing the information security

3.1 Objectives and measurement

General objectives for the information security management system are the following: creating a better market image and reducing the damage caused by potential incidents. Elastx is committed to continuous improvement of its Information Security Management System and strives for better security policies. Goals are in line with the organization's business objectives, strategy and business plans. The COO is responsible for reviewing these general ISMS objectives and setting new ones.

Objectives for individual security controls or groups of controls are proposed by CloudOps Engineers or Site Reliability Engineers (who have the appropriate authorization), and approved by the COO or CTO according to the Statement of Applicability.

All the objectives must be reviewed at least once a year.

Elastx will measure the fulfillment of the objectives by:

  1. In case of platform incidents, providing all affected customers with an incident report containing: incident events, reason (known and possible), and actions taken (short and long term).
  2. Risk analysis and risk treatment reports are done at minimum twice a year (every 6 months).
  3. Capacity Management reviews.
  4. Minimum annual test of our Business Continuity Plan (BCP).
  5. Annual audit of Elastx suppliers.
  6. Management Reviews are held quarterly.
  7. Making sure corrective actions are taken for nonconformities to the ISO standard. This is handled via the Corrective Action Policy.

The COO is responsible for setting the method for measuring the achievement of the objectives, and will analyze and evaluate the measurement results and report them to top management as input for the Management review.

3.2 Information security requirements

This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.

A detailed list of all contractual and legal requirements and interested parties is provided in the List of Legal, Regulatory and Contractual Obligations.

3.3 Information security controls

The process of selecting the controls (safeguards) is defined in the Risk Assessment and Risk Treatment Methodology (Internal use).

The selected controls and their implementation status are listed in the Statement of Applicability (Internal use).

3.4 Business continuity

Business continuity management is prescribed in Elastx Business Continuity Management Policy (BCMS) (Internal use).

4. Support for ISMS implementation

Top management declares that ISMS implementation and continuous improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as satisfy all identified requirements.

A complete audit report is also available upon request.

Versions

Previous version: 2019-03-03
