Integrated Management System Policy

1. Purpose

This policy establishes the overarching framework for Swedwise AB's Integrated Management System (IMS), which brings together our quality, environmental, and information security management disciplines. It defines our commitment to systematic, integrated management of operations that deliver value to customers, protect the environment, and safeguard information assets.

This policy supports our compliance with:

• ISO 9001:2015 (Quality Management)
• ISO 14001:2015 (Environmental Management)
• ISO 27001:2022 (Information Security Management)

It reinforces our brand promise: "Make Time For The Good" by enabling efficient, effective, and responsible business operations.

2. Scope

This policy applies to:

Organizational Scope

• All Swedwise AB employees, contractors, and temporary staff
• All organizational locations:
  • Karlstad (Head Office)
  • Stockholm office
  • Uddevalla office
  • Remote workers
  • Consultants working at customer sites

Operational Scope

• All products and services offered by Swedwise:
  • Software licensing (OpenText, Salesforce, other platforms)
  • Consulting and implementation services
  • SaaS offerings (OpenText Communications and Notifications platform)
  • Support and maintenance services
• All business processes including:
  • Customer acquisition, development, and success
  • Service delivery and operations
  • Resource management
  • Internal support functions
  • Management and governance

Management System Scope

• Quality Management System (QMS) - ISO 9001:2015
• Environmental Management System (EMS) - ISO 14001:2015
• Information Security Management System (ISMS) - ISO 27001:2022

3. Integration Principles

Swedwise operates a unified Integrated Management System based on the following principles:

3.1 Single System Architecture

Rather than maintaining separate parallel management systems, we integrate quality, environmental, and information security requirements into a cohesive framework:

• Unified Governance: Single management review process covering all three disciplines
• Shared Processes: Common processes for document control, internal audit, corrective action, risk management, and training
• Integrated Planning: Objectives and initiatives are planned holistically across disciplines
• Combined Resources: Efficiency through shared resources, tools, and infrastructure
• Consistent Documentation: Standardized document structure and version control across all policy areas

3.2 Process Approach

We manage the organization as a network of interconnected processes:

• Process Identification: Critical business processes are identified and documented
• Process Ownership: Each process has a designated owner accountable for performance
• Process Interaction: Interfaces between processes are defined and managed
• Process Measurement: Processes are monitored using relevant performance indicators
• Process Improvement: Regular review and optimization based on data and feedback

3.3 Risk-Based Thinking

Risk and opportunity assessment is embedded throughout our operations:

• Context Understanding: We analyze our internal and external environment, including stakeholder needs
• Risk Assessment: Systematic identification and evaluation of risks and opportunities across quality, environmental, and security domains
• Risk Treatment: Implementation of controls to address risks and exploit opportunities
• Risk Monitoring: Ongoing review of risk landscape and control effectiveness
• Integrated Risk View: Quality, environmental, and security risks are considered together in decision-making

3.4 Plan-Do-Check-Act (PDCA) Cycle

Continuous improvement follows the PDCA methodology:

• Plan: Establish objectives, processes, and resources needed to deliver results aligned with requirements and organizational strategy
• Do: Implement planned processes and controls
• Check: Monitor and measure processes and outcomes against policies, objectives, and requirements; report results
• Act: Take actions to continually improve process performance based on findings

3.5 Leadership and Commitment

Senior management demonstrates leadership and commitment to the IMS:

• Accountability: CEO has ultimate accountability for IMS effectiveness
• Policy and Objectives: Management establishes and communicates policies and objectives
• Resources: Adequate resources are allocated for IMS implementation and improvement
• Integration: Management system requirements are integrated into business processes
• Culture: Management promotes a culture of quality, environmental responsibility, security awareness, and continuous improvement
• Performance Review: Regular management reviews assess IMS performance and drive improvement

4. Policy Statements

4.1 Customer Focus and Stakeholder Value

We are committed to:

• Understanding and meeting customer and stakeholder needs and expectations
• Delivering products and services that consistently meet requirements
• Enhancing customer satisfaction through effective management system application
• Building long-term partnerships based on trust and quality delivery

4.2 Quality Excellence

We are committed to:

• Delivering high-quality services that meet or exceed customer expectations
• Maintaining service reliability, particularly for SaaS offerings (≥99.9% uptime)
• Ensuring staff competence through training and development
• Measuring and improving quality performance continuously

Detailed quality commitments are specified in SW-QMS-POL-001 Quality Policy.

4.3 Environmental Responsibility

We are committed to:

• Protecting the environment through pollution prevention and sustainable practices
• Minimizing our environmental footprint from office operations, travel, and IT equipment
• Complying with environmental legal and regulatory requirements
• Considering environmental impacts in procurement and service delivery decisions

Detailed environmental commitments are specified in SW-EMS-POL-001 Environmental Policy.

4.4 Information Security

We are committed to:

• Protecting the confidentiality, integrity, and availability of information assets
• Implementing appropriate security controls based on risk assessment
• Complying with information security legal, regulatory, and contractual obligations
• Maintaining an information security management system aligned with ISO 27001:2022
• Ensuring security for SaaS operations and customer data

Detailed security commitments are specified in SW-ISMS-POL-001 Information Security Policy.

4.5 Compliance

We are committed to:

• Complying with all applicable legal, regulatory, and statutory requirements
• Meeting contractual obligations to customers and other interested parties
• Adhering to industry standards and best practices
• Maintaining ISO 9001, ISO 14001, and ISO 27001 certifications
• Demonstrating compliance through regular audits and assessments

4.6 Continuous Improvement

We are committed to:

• Continually improving the effectiveness and efficiency of our IMS
• Using data and analysis to drive improvement decisions
• Learning from both successes and failures
• Empowering staff to identify and implement improvements
• Regularly reviewing performance against objectives and taking corrective action
• Adapting to changes in our business environment, technology, and stakeholder needs

4.7 Competence and Awareness

We are committed to:

• Ensuring all personnel are competent for their responsibilities
• Providing necessary training and awareness programs
• Promoting understanding of the IMS and individual contributions to its effectiveness
• Maintaining a learning organization culture aligned with "The Machine" framework
• Sharing knowledge through discipline forums and collaborative practices

5. Management System Objectives

Swedwise establishes integrated objectives across quality, environmental, and information security domains. High-level objectives include:

5.1 Customer Satisfaction

• Maintain customer satisfaction ratings of [TBD - e.g., ≥4.0/5.0] annually
• Achieve [TBD - e.g., ≥90%] customer retention rate

5.2 Service Reliability

• SaaS platform availability ≥99.9%
• Critical incident response within [TBD - e.g., 15 minutes]

5.3 Environmental Performance

• Reduce carbon emissions from business travel by [TBD - e.g., 10%] year-over-year
• Maintain [TBD - e.g., 90%+] electronic waste recycling rate

5.4 Information Security

• Zero material security breaches annually
• 100% staff completion of annual security awareness training
• High-risk vulnerabilities remediated within [TBD - e.g., 30 days]

5.5 Continuous Improvement

• Implement minimum [TBD - e.g., 20] documented improvements across all IMS areas annually
• Internal audit nonconformities resolved within [TBD - e.g., 30 days]

5.6 Competence

• 100% of staff complete required role-specific training annually
• Maintain [TBD - e.g., ≥80%] technical certification rate among consultants

Detailed objectives, targets, and action plans are established at departmental levels and reviewed during management reviews.

6. Roles and Responsibilities

CEO

Assigned to: [TBD - name]

Responsibilities:

• Ultimate accountability for IMS establishment, implementation, and effectiveness
• Approve IMS policies, objectives, and strategic direction
• Ensure IMS requirements are integrated into business processes
• Allocate resources for IMS implementation and improvement
• Chair management review meetings
• Promote quality, environmental, and security culture
• Ensure customer focus throughout the organization

Management Team

Responsibilities:

• Support IMS implementation within their areas of responsibility
• Establish and monitor departmental objectives aligned with IMS objectives
• Allocate resources for IMS activities in their departments
• Ensure staff competence and awareness
• Participate in management reviews
• Support corrective actions and improvement initiatives
• Lead by example in following IMS requirements

Quality Lead

Assigned to: [TBD - name]

Responsibilities:

• Coordinate Quality Management System (QMS) implementation
• Monitor quality objectives and performance
• Plan and coordinate quality-focused internal audits
• Lead quality improvement initiatives
• Maintain quality documentation and records
• Report quality performance to management

Environmental Lead

Assigned to: [TBD - name]

Responsibilities:

• Coordinate Environmental Management System (EMS) implementation
• Monitor environmental aspects and compliance obligations
• Plan and coordinate environmental audits and assessments
• Lead environmental improvement initiatives
• Maintain environmental documentation and records
• Report environmental performance to management

Chief Information Security Officer (CISO)

Assigned to: [TBD - name]

Responsibilities:

• Coordinate Information Security Management System (ISMS) implementation
• Manage information security risk assessment and treatment
• Plan and coordinate security audits and assessments
• Lead security incident response coordination
• Maintain security documentation and records
• Report security performance to management

IMS Coordinator [TBD - may combine with one of above roles]

Assigned to: [TBD - name]

Responsibilities:

• Coordinate integrated management review process
• Maintain integrated documentation and records
• Facilitate cross-functional IMS activities (document control, corrective action, internal audit planning)
• Monitor overall IMS performance
• Support IMS audits (internal and external)
• Drive IMS awareness and training initiatives

Internal Auditors

Responsibilities:

• Conduct internal audits according to the audit program
• Remain objective and impartial
• Report audit findings accurately
• Verify effectiveness of corrective actions
• Identify improvement opportunities

All Staff

Responsibilities:

• Understand and comply with IMS policies and procedures relevant to their roles
• Complete required IMS training and awareness programs
• Report issues, incidents, and improvement opportunities
• Participate in IMS initiatives and improvement activities
• Contribute to achieving IMS objectives
• Represent Swedwise responsibly to customers and external parties

7. Management Review

Senior management reviews the IMS at planned intervals (minimum annually) to ensure its continuing suitability, adequacy, and effectiveness. Management reviews address:

Review Inputs

• Status of actions from previous reviews
• Changes in external and internal issues relevant to the IMS
• Performance against objectives and targets
• Customer and stakeholder feedback
• Quality, environmental, and security performance trends
• Nonconformities and corrective actions
• Monitoring and measurement results
• Audit results (internal and external)
• Opportunities for improvement
• Resource adequacy

Review Outputs

• Decisions on improvement opportunities
• Changes needed to the IMS
• Resource allocation decisions
• Updated objectives and targets
• Actions assigned with responsibilities and timelines

Management review meetings are documented, with records maintained as evidence of system performance.

8. Documentation Structure

The IMS documentation hierarchy consists of:

Level 1: Policies

High-level statements of intent and commitment approved by senior management:

• This Integrated Management System Policy (SW-IMS-POL-001)
• Quality Policy (SW-QMS-POL-001)
• Environmental Policy (SW-EMS-POL-001)
• Information Security Policy (SW-ISMS-POL-001)
• Specific functional policies (HR Security, Data Protection, Acceptable Use, etc.)

Level 2: Procedures

Documented processes describing "what" and "who":

• Document control
• Internal audit
• Management review
• Corrective action
• Risk assessment and treatment
• Incident management
• Change management
• Specific operational procedures

Level 3: Work Instructions and Guidelines

Detailed "how-to" documents for specific tasks:

• Technical guidelines
• Forms and templates
• Checklists
• Best practice guides

Level 4: Records

Evidence of system operation and conformance:

• Audit reports
• Management review minutes
• Training records
• Incident logs
• Risk registers
• Measurement and monitoring results

All documentation follows standardized naming conventions (SW-[SYSTEM]-[TYPE]-[NUMBER]) and version control practices.

9. Internal Audit

A comprehensive internal audit program is maintained to:

• Verify IMS conformance to planned arrangements, requirements of ISO standards, and Swedwise's own requirements
• Assess effectiveness of the IMS in achieving objectives
• Identify opportunities for improvement
• Provide objective evidence for management review and external audits

Audits are:

• Planned based on risk and importance of processes
• Conducted by competent personnel independent of the area being audited
• Documented with findings reported to relevant management
• Followed by timely corrective actions for nonconformities

A unified audit program covers quality, environmental, and information security requirements efficiently.

10. Continual Improvement

Swedwise systematically pursues continual improvement through:

Improvement Sources

• Management reviews
• Internal and external audit findings
• Analysis of data and metrics
• Corrective actions from nonconformities and incidents
• Customer and stakeholder feedback
• Staff suggestions and innovation
• Benchmarking and best practice reviews
• Changes in requirements or technology

Improvement Process

1. Identify: Opportunity or need for improvement
2. Analyze: Root cause or potential for enhancement
3. Plan: Define improvement objectives, actions, resources, and success criteria
4. Implement: Execute improvement actions
5. Verify: Measure effectiveness of improvement
6. Standardize: Embed successful improvements into standard practice
7. Share: Communicate learnings across the organization

Improvement Culture

• Staff are encouraged to identify and implement improvements within their authority
• Improvement ideas are welcomed and evaluated fairly
• Successful improvements are recognized and celebrated
• Learning from failures is supported without blame

11. Communication and Awareness

The IMS and this policy are communicated through:

• Onboarding: All new staff receive IMS orientation
• Training: Regular awareness and role-specific training
• Intranet: Policies and key documents accessible on company intranet
• Meetings: IMS performance discussed in team and management meetings
• Updates: Changes and improvements communicated promptly
• External: Relevant information shared with customers, partners, and authorities as appropriate

Staff must understand:

• The IMS policy and their contribution to its effectiveness
• The benefits of improved performance
• The implications of not conforming to IMS requirements
• Relevant objectives and how they contribute

12. Review and Update

This policy is:

• Reviewed annually by the CEO with input from Quality Lead, Environmental Lead, and CISO
• Updated when significant changes occur in:
  • Business strategy, structure, or operations
  • Products, services, or markets
  • Legal, regulatory, or contractual requirements
  • Stakeholder expectations
  • Risk profile or operating environment
• Approved by the CEO
• Communicated to all staff and relevant external parties following updates

13. Related Documents

System Policies:

• SW-QMS-POL-001: Quality Policy
• SW-EMS-POL-001: Environmental Policy
• SW-ISMS-POL-001: Information Security Policy

Functional Policies:

• SW-ISMS-POL-002: Acceptable Use Policy
• SW-ISMS-POL-003: Data Protection and Privacy Policy
• SW-ISMS-POL-004: Access Control Policy
• SW-ISMS-POL-005: Business Continuity Policy
• SW-ISMS-POL-006: HR Security Policy
• SW-ISMS-POL-007: Information Classification Policy

Core Procedures:

• [TBD - SW-IMS-PRO-001: Document Control Procedure]
• [TBD - SW-IMS-PRO-002: Internal Audit Procedure]
• [TBD - SW-IMS-PRO-003: Management Review Procedure]
• [TBD - SW-IMS-PRO-004: Corrective Action Procedure]
• [TBD - SW-IMS-PRO-005: Risk Management Procedure]

Supporting Documents:

• [TBD - IMS Manual]
• [TBD - Context Analysis and Stakeholder Register]
• [TBD - Integrated Risk Register]
• [TBD - IMS Objectives and Targets]

14. Document Control

Version	Date	Author	Changes	Approved By
1.0	[TBD]	[TBD - IMS Coordinator/CEO]	Initial policy creation	[TBD - CEO name]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CEO

---

This policy is approved by Swedwise AB management and is effective from the date specified above. All staff are required to read, understand, and comply with this policy.