Information Security and Business Continuity Policy
Purpose of this Policy:
The purpose of this document is to demonstrate management's commitment to information security and business continuity and to provide the overarching policy statements to which all subordinate policies and controls must adhere.
Policy:
The Director and management of Dolanto Pty Ltd, Australia, operate primarily in the business of AI-powered infrastructure assurance and strategic consulting for asset-centric organisations. We are committed to preserving the confidentiality, integrity and availability of all physical and electronic information and information-related assets relevant to meeting the purpose and goals of the organisation. This includes the handling of personal data or "Personally Identifiable Information" (PII).
We are committed to preserving the confidentiality, integrity, and the continued availability of prioritised physical and electronic information and information-related assets to meet the purpose and goals of the organisation as summarised in 4.1 (Understanding the organisation and its context).
Information security and business continuity requirements will continue to be aligned with the organisation's business goals and will take into account the internal and external issues affecting the organisation and the requirements of interested parties.
The Information Security Management System (ISMS) is intended as a mechanism for managing information security and business continuity related risks and improving the organisation to help deliver its overall purpose and goals.
Our ISMS objectives are outlined and measured in accordance with the requirements of ISO/IEC 27001:2022 and ISO 22301:2019.
The online platform environment including our approach to risk management provides the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS.
The approach taken towards risk assessment and management, the Statement of Applicability and the wider requirements set out for meeting ISO/IEC 27001:2022 and ISO 22301:2019 identify how business continuity, information security and related risks are addressed.
The ISMS Committee is responsible for the overall management and maintenance of the risk treatment plan, with specific risk management activities assigned to the appropriate owner within the organisation. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks, for example during special projects that are completed within the organisation's context.
Control objectives for each of these areas are supported by specific documented policies and procedures in the online environment, and they align with the comprehensive controls listed in Annex A of ISO/IEC 27001:2022 and the requirements of ISO 22301:2019.
All employees and relevant Interested Parties associated with the ISMS must comply with this policy. Appropriate training and materials to support it are available to those in scope of the ISMS, and communication forums such as the ISMS communications group, as per clause 7 (Leadership), are available to ensure engagement on an ongoing basis.
The ISMS is subject to review and improvement by the ISMS Committee, which is chaired by the Chief Information Security Officer (CISO) and has ongoing senior representation from appropriate parts of the organisation. Other executives and specialists needed to support the ISMS framework and to periodically review the security policy and broader ISMS are invited to the committee meetings and complete relevant work as required, all of which is documented in accordance with the standard.
We are committed to achieving and maintaining alignment of the ISMS with ISO/IEC 27001:2022 and ISO 22301:2019, along with other relevant accreditations against which our organisation has sought certification.
This policy will be reviewed regularly to respond to any changes in the business, its risk assessment or risk treatment plan, and at least annually.
Scope: All employees and relevant interested parties associated with the organisation's handling of personal data must comply with this policy. Appropriate training and materials to support it are available.
Definition:
In this policy and the related set of policies contained within the online environment that make up our ISMS, 'information security and business continuity' is defined as: preserving the continued availability, confidentiality and integrity of information and other relevant assets, and the business continuity of our organisation. Each element of that definition is explained below.
- Preserving: This means that all relevant Interested Parties have, and will be made aware of, their responsibilities, as defined in their job descriptions or contracts, to act in accordance with the requirements of the ISMS. The consequences of not doing so are described in the Code of Conduct. All relevant Interested Parties will receive information security awareness training, and more specialised resources will receive appropriately specialised information security training.
- The continued availability: This means that prioritised information and associated assets should be accessible to authorised users when required and therefore physically secure. The environment must be resilient, and the organisation must be able to detect and respond rapidly to incidents or events that threaten the continued availability of assets, systems and information.
- Confidentiality: This involves ensuring that information is only accessible to those authorised to access it, and preventing both deliberate and accidental unauthorised access to the organisation's and relevant Interested Parties' information, proprietary knowledge, assets and other systems in scope.
- Integrity: This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing the deliberate or accidental, partial or complete, destruction or unauthorised modification of either physical assets or electronic data.
- Information and other relevant assets: Information can be digital, printed or written on paper, transmitted by any means, or spoken in conversation, as well as stored electronically. Assets include all information-processing devices owned by the organisation or by relevant Interested Parties, and BYOD devices in scope that process organisation-related information.
- Business continuity: The capability of our organisation to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.
- Our organisation: The organisation and the relevant Interested Parties within the scope of the ISMS that have signed up to our security policy and accepted our ISMS.
Contacting Us: If you have any questions, concerns or complaints regarding this Privacy Policy or the handling of personal information, please contact:
- Contact: Chief Information Security Officer
- Email: hello@dolanto.com.au
- Phone: 1800 365 268
Complaints will be handled promptly and in accordance with the Australian Privacy Principles.