Information Security Policy
Document ID: DPWAT-ISMS-POL-001
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 2027-02-01 (or on major change)
1. Policy statement
DP WAT is committed to protecting information and systems that support our software development and consulting services.
We manage information security through an Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022 (as adopted on our certificate as SR EN ISO/IEC 27001:2023) and based on a risk management approach.
2. Objectives and principles
DP WAT’s information security objectives are to:
- Protect confidentiality, integrity, and availability of information.
- Meet applicable legal, regulatory, and contractual requirements.
- Reduce information security risks to an acceptable level through risk treatment and continual improvement.
- Ensure all personnel understand their responsibilities through training and awareness.
- Maintain secure relationships with suppliers and other third parties.
3. Applicability
This policy applies to:
- All DP WAT employees
- Contractors and consultants working for or with DP WAT
- Third parties that access DP WAT information or systems
4. Governance
- Top management provides direction and resources for the ISMS.
- The ISMS Manager / CISO coordinates implementation, monitoring, and reporting.
- Process Owners implement security controls within their areas and projects.
4.1 Resources (ISO 27001 clause 7.1)
Top management ensures adequate resources are available to establish, implement, maintain, and continually improve the ISMS. This includes personnel time, tools, training, and external expertise as needed.
4.2 Continual improvement (ISO 27001 clause 10.1)
DP WAT continually improves the suitability, adequacy, and effectiveness of the ISMS through:
- Management reviews identifying improvement opportunities
- Internal audits identifying nonconformities and areas for enhancement
- Corrective actions addressing root causes
- Lessons learned from incidents
- Feedback from personnel and interested parties
5. Review
This policy is reviewed at least annually during management review, and whenever significant changes occur (e.g., major tool changes, new customer requirements, major incidents).