Information Security Policy
EITCA Academy Information Security Policy
This document specifies the European IT Certification Institute’s Information Security Policy (ISP), which is regularly reviewed and updated to ensure its effectiveness and relevance. The last update to the EITCI Information Security Policy was made on 7th January 2023.
Part 1. Introduction and Information Security Policy Statement
1.1. Introduction
The European IT Certification Institute recognizes the importance of information security in maintaining the confidentiality, integrity, and availability of information and the trust of our stakeholders. We are committed to protecting sensitive information, including personal data, from unauthorized access, disclosure, alteration, and destruction. We maintain an effective Information Security Policy to support our mission of providing reliable and impartial certification services to our clients. The Information Security Policy outlines our commitment to protecting information assets and meeting our legal, regulatory, and contractual obligations. Our policy is based on the principles of ISO 27001 and ISO 17024, the leading international standards for information security management and for the operation of certification bodies.
1.2. Policy Statement
The European IT Certification Institute is committed to:
- Protecting the confidentiality, integrity, and availability of information assets,
- Complying with legal, regulatory, and contractual obligations related to information security and to the data processing involved in its certification processes and operations,
- Continually improving its information security policy and related management system,
- Providing adequate training and awareness to employees, contractors and participants,
- Involving all employees and contractors in the implementation and maintenance of the information security policy and the related information security management system.
1.3. Scope
This policy applies to all information assets owned, controlled, or processed by the European IT Certification Institute. This includes all digital and physical information assets, such as systems, networks, software, data, and documentation. This policy also applies to all employees, contractors, and third-party service providers accessing our information assets.
1.4. Compliance
The European IT Certification Institute is committed to complying with relevant information security standards, including ISO 27001 and ISO 17024. We regularly review and update this policy to ensure its ongoing relevance and compliance with these standards.
Part 2. Organizational Security
2.1. Organization Security Goals
By implementing organizational security measures, we aim to ensure that our information assets and data processing practices and procedures are handled with the highest level of security and integrity, and that we comply with relevant legal regulations and standards.
2.2. Information Security Roles and Responsibilities
The European IT Certification Institute defines and communicates roles and responsibilities for information security across the organization. This includes assigning clear ownership of information assets in the context of information security, establishing a governance structure, and defining specific responsibilities for the various roles and departments across the organization.
2.3. Risk Management
We conduct regular risk assessments to identify and prioritize information security risks to the organization, including risks related to personal data processing. We establish appropriate controls to mitigate these risks, and regularly review and update our risk management approach based on changes in the business environment and threat landscape.
2.4. Information Security Policies and Procedures
We establish and maintain a set of information security policies and procedures that are based on industry best practices and comply with relevant regulations and standards. These policies and procedures cover all aspects of information security, including personal data processing, and are regularly reviewed and updated to ensure their effectiveness.
2.5. Security Awareness and Training
We provide regular security awareness and training programs to all employees, contractors, and third-party partners who have access to personal data or other sensitive information. This training covers topics such as phishing, social engineering, password hygiene, and other information security best practices.
2.6. Physical and Environmental Security
We implement appropriate physical and environmental security controls to protect against unauthorized access, damage, or interference to our facilities and information systems. This includes measures such as access controls, surveillance, monitoring, and backup power and cooling systems.
2.7. Information Security Incident Management
We have established an incident management process that enables us to respond quickly and effectively to any information security incidents that may occur. This includes procedures for reporting, escalation, investigation, and resolution of incidents, as well as measures for preventing recurrence and improving our incident response capabilities.
2.8. Operational Continuity and Disaster Recovery
We have established and tested operational continuity and disaster recovery plans that enable us to maintain our critical operations functions and services in the event of a disruption or disaster. These plans include procedures for backup and recovery of data and systems, and measures for ensuring the availability and integrity of personal data.
2.9. Third-Party Management
We establish and maintain appropriate controls for managing the risks associated with third-party partners who have access to personal data or other sensitive information. This includes measures such as due diligence, contractual obligations, monitoring, and audits, as well as measures for terminating partnerships when necessary.
Part 3. Human Resources Security
3.1. Employment Screening
The European IT Certification Institute has established a process for employment screening to ensure that individuals with access to sensitive information are trustworthy and have the necessary skills and qualifications.
3.2. Access Control
We have established access control policies and procedures to ensure that employees only have access to the information necessary for their job responsibilities. The access rights are reviewed and updated regularly to ensure that employees have access to only the information that they need.
3.3. Information Security Awareness and Training
We provide information security awareness training to all employees on a regular basis. This training covers topics such as password security, phishing attacks, social engineering and other aspects of cybersecurity.
3.4. Acceptable Use
We have established an acceptable use policy that outlines the acceptable use of information systems and resources, including personal devices used for work purposes.
3.5. Mobile Device Security
We have established policies and procedures for the secure use of mobile devices, including the use of passcodes, encryption, and remote wiping capabilities.
3.6. Termination Procedures
The European IT Certification Institute has established procedures for the termination of employment or contract to ensure that access to sensitive information is revoked promptly and securely.
3.7. Third-Party Personnel
We have established procedures for the management of third-party personnel who have access to sensitive information. These policies involve screening, access control, and information security awareness training.
3.8. Reporting Incidents
We have established policies and procedures for reporting information security incidents or concerns to the appropriate personnel or authorities.
3.9. Confidentiality Agreements
The European IT Certification Institute requires employees and contractors to sign confidentiality agreements to protect sensitive information from unauthorized disclosure.
3.10. Disciplinary Actions
The European IT Certification Institute has established policies and procedures for disciplinary actions in case of information security policy violations by employees or contractors.
Part 4. Risk Assessment and Management
4.1. Risk Assessment
We conduct periodic risk assessments to identify potential threats and vulnerabilities to our information assets. We use a structured approach to identify, analyze, evaluate, and prioritize risks based on their likelihood and potential impact. We assess risks associated with our information assets, including systems, networks, software, data, and documentation.
4.2. Risk Treatment
We use a risk treatment process to mitigate or reduce risks to an acceptable level. The risk treatment process includes selecting appropriate controls, implementing controls, and monitoring the effectiveness of controls. We prioritize the implementation of controls based on the risk level, available resources, and business priorities.
4.3. Risk Monitoring and Review
We regularly monitor and review the effectiveness of our risk management process to ensure it remains relevant and effective. We use metrics and indicators to measure the performance of our risk management process and identify opportunities for improvement. We also review our risk management process as part of our periodic management reviews to ensure its ongoing suitability, adequacy, and effectiveness.
4.4. Risk Response Planning
We have a risk response plan in place to ensure that we can respond effectively to any identified risks. This plan includes procedures for identifying and reporting risks, as well as processes for assessing the potential impact of each risk and determining appropriate response actions. We also have contingency plans in place to ensure business continuity in the event of a significant risk event.
4.5. Operational Impact Analysis
We conduct periodic business impact analyses to identify the potential impact of disruptions to our business operations. This analysis includes an assessment of the criticality of our business functions, systems, and data, as well as an evaluation of the potential impact of disruptions on our customers, employees, and other stakeholders.
4.6. Third-Party Risk Management
We have a third-party risk management program in place to ensure that our vendors and other third-party service providers are also managing risks appropriately. This program includes due diligence checks before engaging with third parties, ongoing monitoring of third-party activities, and periodic assessments of third-party risk management practices.
4.7. Incident Response and Management
We have an incident response and management plan in place to ensure that we can respond effectively to any security incidents. This plan includes procedures for identifying and reporting incidents, as well as processes for assessing the impact of each incident and determining appropriate response actions. We also have a business continuity plan in place to ensure that critical business functions can continue in the event of a significant incident.
Part 5. Physical and Environmental Security
5.1. Physical Security Perimeter
We have established physical security measures to protect the physical premises and sensitive information from unauthorized access.
5.2. Access Control
We have established access control policies and procedures for the physical premises to ensure that only authorized personnel have access to sensitive information.
5.3. Equipment Security
We ensure that all equipment containing sensitive information is physically secured, and access to this equipment is restricted to authorized personnel only.
5.4. Secure Disposal
We have established procedures for the secure disposal of sensitive information, including paper documents, electronic media, and hardware.
5.5. Physical Environment
We ensure that the physical environment of the premises, including temperature, humidity, and lighting, is appropriate for the protection of sensitive information.
5.6. Power Supply
We ensure that the power supply to the premises is reliable and protected against power outages or surges.
5.7. Fire Protection
We have established fire protection policies and procedures, including the installation and maintenance of fire detection and suppression systems.
5.8. Water Damage Protection
We have established policies and procedures for protecting sensitive information from water damage, including the installation and maintenance of flood detection and prevention systems.
5.9. Equipment Maintenance
We have established procedures for the maintenance of equipment, including the inspection of equipment for signs of tampering or unauthorized access.
5.10. Acceptable Use
We have established an acceptable use policy that outlines the acceptable use of physical resources and facilities.
5.11. Remote Access
We have established policies and procedures for remote access to sensitive information, including the use of secure connections and encryption.
5.12. Monitoring and Surveillance
We have established policies and procedures for monitoring and surveillance of the physical premises and equipment to detect and prevent unauthorized access or tampering.
Part 6. Communications and Operations Security
6.1. Network Security Management
We have established policies and procedures for the management of network security, including the use of firewalls, intrusion detection and prevention systems, and regular security audits.
6.2. Information Transfer
We have established policies and procedures for the secure transfer of sensitive information, including the use of encryption and secure file transfer protocols.
6.3. Third-Party Communications
We have established policies and procedures for the secure exchange of sensitive information with third-party organizations, including the use of secure connections and encryption.
6.4. Media Handling
We have established procedures for the handling of sensitive information in various forms of media, including paper documents, electronic media, and portable storage devices.
6.5. Information Systems Development and Maintenance
We have established policies and procedures for the development and maintenance of information systems, including the use of secure coding practices, regular software updates, and patch management.
6.6. Malware and Viruses Protection
We have established policies and procedures for protecting information systems against malware and viruses, including the use of anti-virus software and regular security updates.
6.7. Backup and Restoration
We have established policies and procedures for the backup and restoration of sensitive information to prevent data loss or corruption.
6.8. Event Management
We have established policies and procedures for the identification, investigation, and resolution of security incidents and events.
6.9. Vulnerability Management
We have established policies and procedures for the management of information system vulnerabilities, including the use of regular vulnerability assessments and patch management.
6.10. Access Control
We have established policies and procedures for the management of user access to information systems, including the use of access controls, user authentication, and regular access reviews.
6.11. Monitoring and Logging
We have established policies and procedures for the monitoring and logging of information system activities, including the use of audit trails and security incident logging.
Part 7. Information Systems Acquisition, Development and Maintenance
7.1. Requirements
We have established policies and procedures for the identification of information system requirements, including business requirements, legal and regulatory requirements, and security requirements.
7.2. Supplier Relationships
We have established policies and procedures for the management of relationships with third-party suppliers of information systems and services, including the evaluation of suppliers’ security practices.
7.3. System Development
We have established policies and procedures for the secure development of information systems, including the use of secure coding practices, regular testing, and quality assurance.
7.4. System Testing
We have established policies and procedures for the testing of information systems, including functionality testing, performance testing, and security testing.
7.5. System Acceptance
We have established policies and procedures for the acceptance of information systems, including the approval of testing results, security assessments, and user acceptance testing.
7.6. System Maintenance
We have established policies and procedures for the maintenance of information systems, including regular updates, security patches, and system backups.
7.7. System Retirement
We have established policies and procedures for the retirement of information systems, including the secure disposal of hardware and data.
7.8. Data Retention
We have established policies and procedures for the retention of data in compliance with legal and regulatory requirements, including the secure storage and disposal of sensitive data.
7.9. Security Requirements for Information Systems
We have established policies and procedures for the identification and implementation of security requirements for information systems, including access controls, encryption, and data protection.
7.10. Secure Development Environments
We have established policies and procedures for secure development environments for information systems, including the use of secure development practices, access controls, and secure network configurations.
7.11. Protection of Testing Environments
We have established policies and procedures for the protection of testing environments for information systems, including the use of secure configurations, access controls, and regular security testing.
7.12. Secure System Engineering Principles
We have established policies and procedures for the implementation of secure system engineering principles for information systems, including the use of security architectures, threat modeling, and secure coding practices.
7.13. Secure Coding Guidelines
We have established policies and procedures for the implementation of secure coding guidelines for information systems, including the use of coding standards, code reviews, and automated testing.
Part 8. Hardware Acquisition
8.1. Adherence to Standards
We adhere to the ISO 27001 standard for information security management systems (ISMS) to ensure that hardware assets are procured in accordance with our security requirements.
8.2. Risk Assessment
We conduct a risk assessment before procuring hardware assets to identify potential security risks and ensure that the selected hardware meets our security requirements.
8.3. Vendor Selection
We procure hardware assets only from trusted vendors who have a proven track record of delivering secure products. We review vendors’ security policies and practices, and require them to provide assurance that their products meet our security requirements.
8.4. Secure Transport
We ensure that hardware assets are securely transported to our premises to prevent tampering, damage, or theft during transit.
8.5. Authenticity Verification
We verify the authenticity of hardware assets upon delivery to ensure they are not counterfeit or tampered with.
8.6. Physical and Environmental Controls
We implement appropriate physical and environmental controls to protect hardware assets from unauthorized access, theft, or damage.
8.7. Hardware Installation
We ensure that all hardware assets are configured and installed in accordance with established security standards and guidelines.
8.8. Hardware Reviews
We conduct periodic reviews of hardware assets to ensure that they continue to meet our security requirements and are up-to-date with the latest security patches and updates.
8.9. Hardware Disposal
We dispose of hardware assets in a secure manner to prevent unauthorized access to sensitive information.
Part 9. Malware and Viruses Protection
9.1. Software Updating Policy
We maintain up-to-date anti-virus and malware protection software on all information systems used by the European IT Certification Institute, including servers, workstations, laptops, and mobile devices. We ensure that the anti-virus and malware protection software is configured to automatically update its virus definition files and software versions on a regular basis, and that this process is tested regularly.
9.2. Anti-Virus and Malware Scanning
We perform regular scans of all information systems, including servers, workstations, laptops, and mobile devices, to detect and remove any viruses or malware.
9.3. No-Disabling and No-Altering Policy
We enforce policies that prohibit users from disabling or altering anti-virus and malware protection software on any information system.
9.4. Monitoring
We monitor our anti-virus and malware protection software alerts and logs to identify any incidents of virus or malware infections, and respond to such incidents in a timely manner.
9.5. Records Maintenance
We maintain records of anti-virus and malware protection software configuration, updates, and scans, as well as any incidents of virus or malware infections, for auditing purposes.
9.6. Software Reviews
We conduct periodic reviews of our anti-virus and malware protection software to ensure it meets the current industry standards and is adequate for our needs.
9.7. Training and Awareness
We provide training and awareness programs to educate all employees on the importance of virus and malware protection, and how to recognize and report any suspicious activities or incidents.
Part 10. Information Asset Management
10.1. Information Asset Inventory
The European IT Certification Institute maintains an inventory of information assets that includes all digital and physical information assets, such as systems, networks, software, data, and documentation. We classify information assets based on their criticality and sensitivity to ensure that appropriate protection measures are implemented.
10.2. Information Asset Handling
We implement appropriate measures to protect information assets based on their classification, including confidentiality, integrity, and availability. We ensure that all information assets are handled in accordance with applicable laws, regulations, and contractual requirements. We also ensure that all information assets are properly stored, protected, and disposed of when no longer needed.
10.3. Information Asset Ownership
We assign information asset ownership to individuals or departments responsible for managing and protecting information assets. We also ensure that information asset owners understand their responsibilities and accountabilities for protecting information assets.
10.4. Information Asset Protection
We use a variety of protection measures to safeguard information assets, including physical controls, access controls, encryption, and backup and recovery processes. We also ensure that all information assets are protected against unauthorized access, modification, or destruction.
Part 11. Access Control
11.1. Access Control Policy
The European IT Certification Institute has an Access Control Policy that outlines the requirements for granting, modifying, and revoking access to information assets. Access control is a critical component of our information security management system, and we implement it to ensure that only authorized individuals have access to our information assets.
11.2. Access Control Implementation
We implement access control measures based on the principle of least privilege, which means that individuals have access only to the information assets necessary to perform their job functions. We use a variety of access control measures, including authentication, authorization, and accounting (AAA). We also use access control lists (ACLs) and permissions to control access to information assets.
11.3. Password Policy
The European IT Certification Institute has a Password Policy that outlines the requirements for creating and managing passwords. We require strong passwords that are at least 8 characters long, with a combination of uppercase and lowercase letters, numbers, and special characters. We also require periodic password changes and prohibit the reuse of previous passwords.
11.4. User Management
We have a user management process that includes creating, modifying, and deleting user accounts. User accounts are created based on the principle of least privilege, and access is granted only to the information assets necessary to perform the individual’s job functions. We also regularly review user accounts and remove accounts that are no longer needed.
Part 12. Information Security Incident Management
12.1. Incident Management Policy
The European IT Certification Institute has an Incident Management Policy that outlines the requirements for detecting, reporting, assessing, and responding to security incidents. We define security incidents as any event that compromises the confidentiality, integrity, or availability of information assets or systems.
12.2. Incident Detection and Reporting
We implement measures to detect and report security incidents promptly. We use a variety of methods to detect security incidents, including intrusion detection systems (IDS), antivirus software, and user reporting. We also ensure that all employees are aware of the procedures for reporting security incidents and encourage reporting of all suspected incidents.
12.3. Incident Assessment and Response
We have a process for assessing and responding to security incidents based on their severity and impact. We prioritize incidents based on their potential impact on information assets or systems and allocate appropriate resources to respond to them. We also have a response plan that includes procedures for identifying, containing, analyzing, eradicating, and recovering from security incidents, as well as notifying relevant parties and conducting post-incident reviews. Our incident response procedures are designed to ensure a swift and effective response to security incidents. The procedures are regularly reviewed and updated to ensure their effectiveness and relevance.
12.4. Incident Response Team
We have an Incident Response Team (IRT) that is responsible for responding to security incidents. The IRT is composed of representatives from various units and is led by the Information Security Officer (ISO). The IRT is responsible for assessing the severity of incidents, containing the incident, and initiating the appropriate response procedures.
12.5. Incident Reporting and Review
We have established procedures for reporting security incidents to relevant parties, including clients, regulatory authorities, and law enforcement agencies, as required by applicable laws and regulations. We also maintain communication with affected parties throughout the incident response process, providing timely updates on the status of the incident and any actions being taken to mitigate its impact. We also conduct a review of all security incidents to identify the root cause and prevent similar incidents from occurring in the future.
Part 13. Business Continuity Management and Disaster Recovery
13.1. Business Continuity Planning
Although the European IT Certification Institute is a non-profit organization, it has a Business Continuity Plan (BCP) that outlines the procedures for ensuring the continuity of its operations in the event of a disruptive incident. The BCP covers all critical operating processes and identifies the resources required to maintain operations during and after a disruptive incident. It also outlines the procedures for maintaining business operations during a disruption or disaster, assessing the impact of disruptions, identifying the most critical operating processes in the context of a particular disruptive incident, and developing response and recovery procedures.
13.2. Disaster Recovery Planning
The European IT Certification Institute has a Disaster Recovery Plan (DRP) that outlines the procedures for recovering our information systems in the event of a disruption or disaster. The DRP includes procedures for data backup, data restoration, and system recovery. The DRP is regularly tested and updated to ensure its effectiveness.
13.3. Business Impact Analysis
We conduct a Business Impact Analysis (BIA) to identify the critical operation processes and the resources required to maintain them. The BIA helps us prioritize our recovery efforts and allocate resources accordingly.
13.4. Business Continuity Strategy
Based on the results of the BIA, we develop a Business Continuity Strategy that outlines the procedures for responding to a disruptive incident. The strategy includes procedures for activating the BCP, restoring critical operation processes, and communicating with relevant stakeholders.
13.5. Testing and Maintenance
We regularly test and maintain our BCP and DRP to ensure their effectiveness and relevance. We conduct regular tests to validate the BCP and DRP and identify areas for improvement. We also update the BCP and DRP as necessary to reflect changes in our operations or the threat landscape. Testing includes tabletop exercises, simulations, and live testing of procedures. We also review and update our plans based on the results of testing and lessons learned.
13.6. Alternate Processing Sites
We maintain alternate online processing sites that can be used to continue business operations in the event of a disruption or disaster. The alternate processing sites are equipped with the necessary infrastructure and systems, and can be used to support critical business processes.
Part 14. Compliance and Audit
14.1. Compliance with Laws and Regulations
The European IT Certification Institute is committed to complying with all applicable laws and regulations related to information security and privacy, including data protection laws, industry standards, and contractual obligations. We regularly review and update our policies, procedures, and controls to ensure compliance with all relevant requirements and standards. The main standards and frameworks we follow in the information security context include:
- The ISO/IEC 27001 standard, which provides the reference framework for implementing and maintaining our Information Security Management System (ISMS), with vulnerability management as a key component. In compliance with this standard’s provisions we identify, assess, and manage information security risks, including vulnerabilities.
- The US National Institute of Standards and Technology (NIST) Cybersecurity Framework, which provides guidelines for identifying, assessing, and managing cybersecurity risks, with a core set of functions, including vulnerability management, that we adhere to in managing our cybersecurity risks.
- The SANS Critical Security Controls, a set of 20 security controls covering a range of areas, including vulnerability management, which provide specific guidance on vulnerability scanning, patch management, and other aspects of vulnerability management.
- The Payment Card Industry Data Security Standard (PCI DSS), which sets requirements for the handling of payment card information, including vulnerability management requirements in that context.
- The Center for Internet Security (CIS) Controls, which include vulnerability management as one of the key controls for ensuring secure configurations of our information systems.
- The Open Web Application Security Project (OWASP) Top 10 list of the most critical web application security risks, covering vulnerability classes such as injection, broken authentication and session management, and cross-site scripting (XSS). We use the OWASP Top 10 to prioritize our vulnerability management efforts and focus on the most critical risks to our web systems.
14.2. Internal Audit
We conduct regular internal audits to assess the effectiveness of our Information Security Management System (ISMS) and ensure that our policies, procedures, and controls are being followed. The internal audit process includes the identification of non-conformances, the development of corrective actions, and the tracking of remediation efforts.
14.3. External Audit
We periodically engage with external auditors to validate our compliance with applicable laws, regulations, and industry standards. We provide auditors with access to our facilities, systems, and documentation as required to validate our compliance. We also work with external auditors to address any findings or recommendations identified during the audit process.
14.4. Compliance Monitoring
We monitor our compliance with applicable laws, regulations, and industry standards on an ongoing basis. We use a variety of methods to monitor compliance, including periodic assessments, audits, and reviews of third-party providers. We also regularly review and update our policies, procedures, and controls to ensure ongoing compliance with all relevant requirements.
Part 15. Third-Party Management
15.1. Third-Party Management Policy
The European IT Certification Institute has a Third-Party Management Policy that outlines the requirements for selecting, assessing, and monitoring third-party providers that have access to our information assets or systems. The policy applies to all third-party providers, including cloud service providers, vendors, and contractors.
15.2. Third-Party Selection and Assessment
We conduct due diligence before engaging with third-party providers to ensure that they have adequate security controls in place to protect our information assets or systems. We also assess the third-party providers’ compliance with applicable laws and regulations related to information security and privacy.
15.3. Third-Party Monitoring
We monitor third-party providers on an ongoing basis to ensure that they continue to meet our requirements for information security and privacy. We use a variety of methods to monitor third-party providers, including periodic assessments, audits, and reviews of security incident reports.
15.4. Contractual Requirements
We include contractual requirements related to information security and privacy in all contracts with third-party providers. These requirements include provisions for data protection, security controls, incident management, and compliance monitoring. We also include provisions for the termination of contracts in the event of a security incident or non-compliance.
Part 16. Information Security in Certification Processes
16.1. Security of Certification Processes
We take adequate and systemic measures to ensure the security of all information related to our certification processes, including personal data of individuals seeking certification. This includes controls for access, storage, and transmission of all certification related information. By implementing these measures, we aim to ensure that the certification processes are conducted with the highest level of security and integrity, and that the personal data of individuals seeking certification is protected in compliance with relevant regulations and standards.
16.2. Authentication and Authorization
We use authentication and authorization controls to ensure that only authorized personnel have access to certification information. Access controls are regularly reviewed and updated based on changes in personnel roles and responsibilities.
16.3. Data Protection
We protect personal data throughout the certification process by implementing appropriate technical and organizational measures to ensure confidentiality, integrity, and availability of the data. This includes measures such as encryption, access controls, and regular backups.
16.4. Security of Examination Processes
We ensure the security of the examination processes by implementing appropriate measures to prevent cheating and to monitor and control the examination environment. We also maintain the integrity and confidentiality of examination materials through secure storage procedures.
16.5. Security of Examination Content
We ensure the security of examination content by implementing appropriate measures to protect against unauthorized access, alteration, or disclosure of the content. This includes the use of secure storage, encryption, and access controls for examination content, as well as controls for preventing unauthorized distribution or dissemination of examination content.
16.6. Security of Examination Delivery
We ensure the security of examination delivery by implementing appropriate measures to prevent unauthorized access to, or manipulation of, the examination environment. This includes measures such as monitoring, auditing and control of the examination environment and particular examination approaches, to prevent cheating or other security breaches.
16.7. Security of Examination Results
We ensure the security of examination results by implementing appropriate measures to protect against unauthorized access, alteration, or disclosure of the results. This includes the use of secure storage, encryption, and access controls for examination results, as well as controls for preventing unauthorized distribution or dissemination of examination results.
16.8. Security of Certificate Issuance
We ensure the security of certificate issuance by implementing appropriate measures to prevent fraud and unauthorized issuance of certificates. This includes controls for verifying the identity of individuals receiving certificates and secure storage and issuance procedures.
16.9. Complaints and Appeals
We have established procedures for managing complaints and appeals related to the certification process. These procedures include measures to ensure confidentiality and impartiality of the process, and the security of information related to the complaints and appeals.
16.10. Certification Processes Quality Management
We have established a Quality Management System (QMS) for the certification processes that includes measures for ensuring the effectiveness, efficiency, and security of the processes. The QMS includes regular audits and reviews of the processes and their security controls.
16.11. Continuous Improvement of Certification Processes Security
We are committed to continuous improvement of our certification processes and their security controls. This includes regular reviews and updates of the security of certification-related policies and procedures based on changes in the business environment, regulatory requirements, and best practices in information security management, in compliance with the ISO 27001 standard for information security management, as well as with the ISO 17024 standard for certification bodies.
Part 17. Closing Provisions
17.1. Policy Review and Update
This Information Security Policy is a living document that undergoes continuous review and update based on changes in our operational requirements, regulatory requirements, or best practices in information security management.
17.2. Compliance Monitoring
We have established procedures for monitoring compliance with this Information Security Policy and related security controls. Compliance monitoring includes regular audits, assessments, and reviews of security controls, and their effectiveness in achieving the objectives of this policy.
17.3. Reporting Security Incidents
We have established procedures for reporting security incidents related to our information systems, including those related to personal data of individuals. Employees, contractors, and other stakeholders are encouraged to report any security incidents or suspected incidents to the designated security team as soon as possible.
17.4. Training and Awareness
We provide regular training and awareness programs to employees, contractors, and other stakeholders to ensure that they are aware of their responsibilities and obligations related to information security. This includes training on security policies and procedures, and measures for protecting personal data of individuals.
17.5. Responsibility and Accountability
We hold all employees, contractors, and other stakeholders responsible and accountable for complying with this Information Security Policy and related security controls. We also hold management accountable for ensuring that appropriate resources are allocated for implementing and maintaining effective information security controls.
This Information Security Policy is a critical component of the European IT Certification Institute's information security management framework and demonstrates our commitment to protecting information assets and processed data, ensuring the confidentiality, privacy, integrity and availability of information, and complying with regulatory and contractual requirements.