ISMS Compliance
CyFun Basic: Identify

ID.GV-1: Cybersecurity policy

Organisational cybersecurity policy is established and communicated


Requirement

Policies and procedures for information security and cybersecurity shall be created, documented, reviewed, approved, and updated when changes occur.

Our Implementation

An Information Security Policy has been established, approved by the CEO, and is effective as of March 2026. The policy framework includes five documented and active policies:

  1. Information Security Policy — overarching security objectives and principles
  2. Access Control Policy — authentication, authorisation, and access management
  3. Incident Response Plan — incident detection, response, and recovery procedures
  4. Data Classification Policy — information classification levels and handling requirements
  5. Acceptable Use Policy — acceptable use of organisational IT resources

All policies are version-controlled (v1.0), owned by the CEO or CTO, and subject to annual review. Policies are published on the internal ISMS documentation site for team access.

Gaps / Planned improvements:

  • Detailed user guidelines not yet formally documented (NEX-361)
  • Policy acknowledgment/sign-off by team members pending — planned for Q2 2026 (NEX-361)

Evidence

Implemented, L2 — Repeatable
