Information Security Management System Policy(ISMS Policy)

  1. Introduction

    This policy defines how Information Security will be set up, managed, measured, reported on and developed within VDL Technologies.

    The International Standard for Information Security, BS ISO/IEC 27001:2022 (referred to in this document as ISO/IEC 27001), is a development of the earlier British Standard, BS 7799.

    VDL Technologies has decided to pursue full certification to ISO/IEC 27001 in order that the effective adoption of information security best practice may be validated by an external third party.

  2. Scope of the ISMS

    For the purposes of certification within VDL Technologies, the boundaries of the Information Security Management System are defined as follows:

    ISMS Scope Statement for VDL Technologies Limited

    1. Organization Overview

      VDL Technologies is a technology company based in Lagos, Nigeria, specializing in digital transformation services. Its offerings include:

      • Mobile marketing
      • Gamification
      • Consumer intelligence
      • Shortcode and USSD services
      • Payment solutions
      • Web and mobile application development
      • Airtime and data vending
      • Corporate Ring Back Tunes (RBTs)

      These services are tailored to clients in sectors such as FMCG, finance, retail, energy, transportation, government, and healthcare.

    2. Physical Location

      The ISMS applies to the company’s head office located at: Block B, Suite 16, 1st Floor, LSPC Mall, 129/131 Obafemi Awolowo Way, Ikeja, Lagos, Nigeria.

    3. Assets Covered

      The scope includes all information assets supporting the above services, including:

      • Software platforms (e.g., PayEazi, MOVIL)
      • APIs and backend systems
      • Customer and transaction data
      • Web and mobile applications
      • Internal IT infrastructure (servers, networks, databases)
      • Employee devices and communication tools
      • Third-party integrations (e.g., telecom operators, payment gateways)

    4. Technologies Included

      The technologies within scope are those that deliver the above services, including:

      • USSD and SMS platforms
      • Mobile applications
      • Web portals and dashboards
      • Payment processing systems
      • Data analytics and AI tools
      • Cloud services and hosting environments

    5. Exclusions from Scope

      The ISMS excludes:

      • Personal devices not used for company operations
      • Third-party systems not managed or controlled by VDL Technologies
      • Services not provided by VDL Technologies

      Justification for Exclusions:

      These elements are excluded due to lack of direct control or relevance to the core services and operations managed by VDL Technologies.

  3. Information Security Requirements

    A clear definition of the requirements for information security will be agreed and maintained with the business so that all ISMS activity is focussed on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.

    It is a fundamental principle of the VDL Technologies Information Security Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.

  4. Top Management Leadership and Commitment

    Commitment to information security extends to senior levels of the organisation and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.

    Top management will also ensure that a systematic review of performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through the audit programme and management processes. Management Review can take several forms including departmental and other management meetings.

  5. Management Representative

    The Chief Technology Officer shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:

    • The identification, documentation and fulfilment of information security requirements
    • Implementation, management and improvement of risk management processes
    • Integration of processes
    • Compliance with statutory, regulatory and contractual requirements
    • Reporting to top management on performance and improvement

  6. Framework for Setting Objectives and Policy

    Objectives for information security will be set on an annual basis, aligned with the budget planning cycle, to secure sufficient funding for improvement activities. These objectives will be determined based on a comprehensive understanding of business requirements, informed by the annual management review involving stakeholders.

    ISMS objectives for the financial year will be documented, along with a plan for their achievement. Quarterly reviews will be conducted to ensure their continued relevance, and any necessary amendments will be managed through the change management process.

    In accordance with ISO/IEC 27001:2022, the control objectives and policy statements detailed in Annex A of the standard will be adopted where appropriate by VDL Technologies. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with ISMS06004 Information Security Risk Treatment Plan. For references to the controls that implement each of the policy statements given, please see ISMS06005 Statement of Applicability.

  7. Roles and Responsibilities

    Within the field of information security, there are a number of management roles that correspond to the areas defined within the scope set out above. In a larger organisation, these roles will often be filled by an individual in each area. In a smaller organisation these roles and responsibilities must be allocated between the members of the team.

    Full details of the responsibilities associated with each of the roles, and how they are allocated within VDL Technologies, are given in a separate document, ISMS05002 Information Security Roles and Responsibilities.

    It is the responsibility of the Chief Technology Officer to ensure that staff understand the roles they are fulfilling and that they have appropriate skills and competence to do so.

  8. Continual Improvement Policy

    VDL Technologies policy with regard to Continual Improvement is to:

    • Continually improve the effectiveness of the ISMS
    • Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001
    • Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
    • Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
    • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
    • Obtain ideas for improvement via regular meetings with stakeholders and document them in a Continual Improvement Plan
    • Review the Continual Improvement Plan at regular management meetings in order to prioritise and assess timescales and benefits

    Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be added to the Continual Improvement Plan and evaluated by the staff member responsible for Continual Service Improvement.

    As part of the evaluation of proposed improvements, the following criteria will be used:

    • Cost
    • Business Benefit
    • Risk
    • Implementation timescale
    • Resource requirement

    If accepted, the improvement proposal will be prioritised in order to allow more effective planning.

  9. Approach to Managing Risk

    Risk management will take place at several levels within the ISMS, including:

    • Management planning – risks to the achievement of objectives
    • Information security and IT service continuity risk assessments
    • Assessment of the risk of changes via the change management process
    • As part of the design and transition of new or changed services

    High level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision.

  10. Risk Assessment Process

    A risk assessment process will be used which is in line with the requirements and recommendations of ISO/IEC 27001, the International Standard for Information Security. This is documented in ISMS06002 Risk Assessment and Treatment Process.

    This requires that the assets of a function are identified and then the following aspects are considered:

    • Threats
    • Vulnerabilities
    • Impact and likelihood before risk treatment
    • Risk treatment (e.g. reduction, removal, transfer)
    • Impact and likelihood after risk treatment

    From this analysis, a risk assessment report will be generated followed by a risk treatment plan. This will then give rise to the selection of appropriate controls.

  11. Risk Evaluation Criteria

    Risk will be evaluated according to two main criteria:

    Likelihood

    How likely is the combination of the threat and any identified vulnerabilities to result in an impact to the asset under consideration? This will be judged on a scale of 1 (low) to 5 (high) and will take into account the following considerations:

    • Has the risk happened before? If so, how long ago and what (if anything) has changed since then to make it more or less likely?
    • Are there any available statistics or other information that can give an objective view of how likely the risk is to occur (e.g. crime figures by post code)?
    • Has the risk previously come to pass to any other organisations in the geographical area, similar industry or with the same assets etc.?

    Such information will help to inform the discussion about likelihood and arrive at a realistic estimate. Risks which are very unlikely to happen will almost certainly not warrant the use of business resources to address them (unless perhaps their impact is catastrophic).

    Impact

    The other criterion that must be considered is the impact to the asset and therefore the wider organisation should the risk occur. Again this will be assessed on a scale from 1 (low) to 5 (high) and should be evaluated in several different ways:

    • Cost – what will the financial impact be to the organisation if this risk happens? This may consist of direct costs such as lost productivity or indirect costs such as lost sales. What will it cost to put the situation right again in the short and long term?
    • Reputation – will our organisation’s reputation in the marketplace be damaged if this risk were to occur?
    • Legal, Contractual and Regulatory – will we be put into a position where the law is being broken? Will we be in breach of contract or out of compliance with regulatory requirements?

    The overall risk factor will then be calculated by multiplying the two numbers together to give a score. This will then give a risk classification of Low, Medium or High.

  12. Risk Acceptance Criteria

    In general the following criteria will be adopted for the acceptance of risks according to their classification:

    • Low - these risks will generally be accepted with no further action required
    • Medium – these will be carefully reviewed and monitored and actions decided on an individual basis
    • High – these risks must be addressed as a matter of urgency to prevent significant impact to the organisation

    These criteria will be reviewed on an annual basis to ensure they remain appropriate to the organisation’s needs.

  13. Human Resources

    VDL Technologies will ensure that all staff involved in information security are competent on the basis of appropriate education, training, skills and experience.

    The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within VDL Technologies. Training needs will be identified and a plan maintained to ensure that the necessary competencies are in place.

    Training, education and other relevant records will be kept by the HR Department to document individual skill levels attained.

  14. Auditing and Review

    Once the ISMS is in place, it is vital that regular reviews take place of how well information security processes and procedures are being adhered to. This will happen at three levels:

    1. Structured regular management review of conformity to policies and procedures
    2. Internal audit reviews against the ISO/IEC 27001 standard by the VDL Technologies Quality Team
    3. External audit against the standard in order to gain and maintain certification

    Details of how internal audits will be carried out can be found in ISMS09001 Procedure for ISMS Audits.

  15. Documentation Structure and Policy

    All information security policies and plans must be documented. This section sets out the main documents that must be maintained in each area.

    Details of documentation conventions and standards are given in ISMS07002 Procedure for the Control of Documented Information. A number of core documents have been created and will be maintained as part of the ISMS. They are uniquely numbered and the current versions are tracked in ISMS07001 ISMS Documentation Log.

  16. Control of Records

    The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively.

    The controls in place to manage records are defined in the document ISMS07003 Procedure for the Control of Records.