The scope of amasol’s ISMS covers all business processes of amasol Group.
1 • Information Security goals
amasol's Information Security Management System (ISMS) shall enable and support amasol's efforts in protecting its information assets and IT infrastructure as well as our customers' information assets and infrastructure during the consulting process. The amasol top management commits to allocating sufficient resources (financial as well as human) to the establishment, implementation, maintenance and continuous improvement of the ISMS.
The main goal of all amasol information security efforts is to ensure the confidentiality, integrity and availability of information assets.
• Confidentiality is a "property that information is not made available or disclosed to unauthorized individuals, entities, or processes" (Reference: DIN ISO 27000 3.10). This information security goal is closely linked to amasol's efforts to comply with relevant local data protection regulation (e.g. GDPR or Bundesdatenschutzgesetz in Germany).
• Integrity is a "property of accuracy and completeness" of information (Reference: DIN ISO 27000 3.36).
• Availability is a "property of being accessible and usable on demand by an authorized entity" (Reference: DIN ISO 27000 3.7).
It is imperative that amasol continuously identifies, assesses and manages risks to its information assets. A risk management process has been established.
2 • How we make sure to achieve our Information Security goals
In order to achieve our Information Security goals, an ISMS has been planned and developed and is maintained and continuously improved. Key components of amasol's ISMS are:
2.1 Roles and Responsibilities
amasol Top Management established an Information Security function by appointing an Information Security Officer as well as an Information Security Team. The Information Security Team is responsible for designing, implementing and maintaining the ISMS. The Information Security Officer advises amasol top management on all information security related issues and takes a leading role in implementing and maintaining the ISMS.
All amasol employees are asked and required to contribute to the group's information security efforts.
Information Security has been made an integrated part of all amasol processes.
2.3 Classification of information assets
All information assets including but not limited to documents, applications, and databases can only be used in line with their classification.
Each information asset is classified by its respective asset owner.
The classification matrix will help determine the appropriate protection level as well as the accepted uses related to the classification.
Pieces of information that can be read by any interested party or, in other words, are free to read for everybody, such as press releases, our website, whitepapers, etc.
Pieces of information that can be shared with everybody within amasol, but are as a rule not meant to be shared with external parties.
Pieces of information that are only shared with a specific group of people within amasol, due to legal requirements (e.g. data protection), customer information, project information. This information can only be shared with amasol employees in third countries when the customer has signed off on the third-country transfer in a legally binding DPA.
Information that can only be shared with an even smaller group of people, mainly due to the nature of the information itself (e.g. salary information, applications, financial data, credentials for crucial applications).
2.4 Inventory of Information Assets and Risk Management Process
• amasol keeps an inventory of its information assets that is updated continuously by the Information Security Team.
• A risk management process has been implemented.
2.5 Training and Awareness
• All amasol staff and management will be trained on and off the job, including yearly mandatory training on information security basics as well as situation-based training whenever necessary.
• amasol management makes sure to address information security issues in regular staff meetings, project meetings and sales meetings to raise awareness and ensure compliance.
• The Information Security Team is committed to raising awareness of information security aspects of amasol's business as appropriate.
3 • Commitment
• amasol's top management commits to making information security a priority and to complying with all applicable rules and regulations.
• amasol as an organisation commits to maintaining, evaluating and continuously improving its ISMS.
4 • Consequences in case of non-conformance
All amasol staff, partners and service providers with access to amasol's information assets are expected to comply with the rules and regulations as per this policy. However, as a learning organisation, amasol believes that most non-conformities will happen by accident as part of a learning process. In our effort to continuously improve our ISMS we rely on the information given by employees and third parties. Whenever a non-conformity is brought to our attention, we will investigate, raise awareness of the issue in question and use the information gathered to improve our ISMS.
If at any point in time amasol finds an employee deliberately violating information security standards, consequences in accordance with labour law will be applied.