General Information Security Policy

Effective as of April 2021
Last updated 1/2/21

Policy Statement

Compono is a SaaS-based software company providing end-to-end human capital solutions, which involves holding confidential customer and user information. Compono keeps its own privileged information secure and is also committed to protecting all customer and end user information.

This Policy mandates that a consistent, risk-based approach is implemented for Information Security in order to maintain information confidentiality, integrity and availability.

It is the policy of Compono to ensure:

  • Information will be protected against unauthorised access while in transit or at rest.

  • Confidentiality of information will be maintained.

  • Information will not be disclosed to unauthorised persons through deliberate or careless action.

  • Integrity of information is maintained through protection from unauthorised modification.

  • Availability of information to authorised users is maintained when needed.

  • Information security (IS) training is completed by all Staff.

  • All suspected breaches of Information Security will be reported and investigated.

Any individual dealing with information at Compono, no matter what their status (e.g., Employee, Contractor, or Consultant), must comply with the information security policies and related Information Security documents.

Strategies to achieve the aims of this policy include:

  • Ensure the IS Policy is an accurate reflection of the business context and takes into account our strategic direction and all relevant factors both internal and external.

  • Ensure measurable objectives are established, communicated, monitored and reviewed for effectiveness by the Management Team in the annual Management System Review Meeting. Corrective actions will be taken as required based on deviations from our objectives. Our objectives are agreed collectively. Individual teams are then empowered to deliver results, with delegated accountability and decision making.

  • Ensure all non-conformances and corrective / preventative actions are documented and reviewed at least quarterly.

  • Ensure Information Security is addressed for all projects, regardless of type, by way of risk assessments and objectives.

  • Educate Staff to allow them to independently make informed decisions with regard to the secure handling of IT assets and information, within the framework of the full range of information security policies.

  • Defend IT assets and information, both tangible and intangible, that Compono governs, owns, manages, maintains or controls.

  • Continually improve the QISMS through regular monitoring and reviews. Corrective measures shall be determined, allocated and recorded for follow up in the Continuous Improvement Register.

  • Comply with legislation and industry best practices including ISO27001:2015 that apply to Compono.

All personnel have a responsibility to report perceived and actual IS breaches and/or IT incidents either to the QISO or to their immediate supervisor. Management and employees are responsible for embedding IS risk management in our core business activities, functions and processes. IS risk awareness and our tolerance for risk are key considerations in our decision-making.