Draft | Internal | ISO 27001

SW-ISMS-POL-001

Information Security Policy

Version: 1.0
Owner: CISO
Effective Date: TBD
Review Date: TBD

Information Security Policy

1. Purpose

This policy establishes Swedwise AB's commitment to protecting information assets and defines the principles for managing information security across the organization. It provides direction for implementing and maintaining an Information Security Management System (ISMS) aligned with ISO 27001:2022 requirements.

2. Scope

This policy applies to:

  • All Swedwise employees, contractors, and temporary staff
  • All information assets, regardless of format (digital, paper, verbal)
  • All locations (Karlstad HQ, Stockholm, Uddevalla offices, remote work, customer sites)
  • All technology systems and infrastructure owned, managed, or used by Swedwise
  • Third-party service providers with access to Swedwise information
  • SaaS services and platforms operated by Swedwise

3. Information Security Objectives

Swedwise commits to:

  1. Confidentiality: Protect information from unauthorized access and disclosure
  2. Integrity: Maintain accuracy and completeness of information and systems
  3. Availability: Ensure authorized access to information and services when needed
  4. Compliance: Meet legal, regulatory, and contractual security obligations
  5. Customer Trust: Demonstrate security competence to win and retain customer confidence
  6. Continuous Improvement: Regularly assess and enhance security controls

Measurable Targets

  • Zero material security breaches per year
  • 100% staff completion of annual security awareness training
  • All high-risk vulnerabilities remediated within [TBD - e.g., 30 days]
  • Security incidents acknowledged within [TBD - e.g., 1 hour] of detection

4. Management Commitment

Swedwise management commits to:

  • Provide adequate resources for information security
  • Integrate security into business processes and decision-making
  • Establish clear roles and accountability for security
  • Support security initiatives and risk treatment actions
  • Lead by example in following security practices
  • Review security performance in regular management reviews

5. Policy Statements

5.1 Information Classification and Handling

All information assets must be:

  • Classified according to sensitivity (Public, Internal, Confidential, Restricted)
  • Labeled appropriately when classification affects handling requirements
  • Handled, stored, transmitted, and disposed of according to classification level
  • Reviewed periodically for classification accuracy

Staff must understand classification levels and handle information accordingly. Customer information is classified at minimum as Confidential unless specified otherwise.

5.2 Access Control Principles

Access to information and systems is based on:

  • Need-to-know: Access granted only when required for job duties
  • Least privilege: Minimum access rights necessary to perform tasks
  • Segregation of duties: Critical functions require multiple authorized parties
  • User accountability: Individuals responsible for actions under their credentials

All access must be:

  • Authorized by the appropriate manager or system owner
  • Documented and regularly reviewed
  • Revoked promptly when no longer required
  • Protected by appropriate authentication mechanisms

5.3 Risk Management Approach

Information security risks are managed through:

  1. Risk Identification: Systematic identification of threats, vulnerabilities, and impacts
  2. Risk Assessment: Evaluation of likelihood and consequence
  3. Risk Treatment: Selection of controls to reduce, transfer, avoid, or accept risk
  4. Risk Monitoring: Ongoing review of risk landscape and control effectiveness

Risk assessments are conducted:

  • Annually as part of the management review cycle
  • When significant changes occur (new services, technologies, threats)
  • Following security incidents or near-misses
  • Before launching new SaaS services or major customer engagements

5.4 Incident Management

Security incidents and events must be:

  • Reported immediately through designated channels
  • Logged and tracked through resolution
  • Investigated to determine root cause
  • Responded to with appropriate containment and remediation
  • Analyzed for lessons learned and improvement opportunities

All staff are responsible for reporting suspected security incidents. No reprisals will be taken against staff reporting incidents in good faith.

5.5 Business Continuity and Resilience

Swedwise maintains capabilities to:

  • Continue critical operations during disruptions
  • Recover systems and data within acceptable timeframes
  • Protect against data loss through regular backups
  • Test recovery procedures periodically

Business continuity and disaster recovery arrangements are documented, tested annually, and updated as the business evolves.

5.6 Compliance Obligations

Swedwise complies with:

  • Legal requirements: GDPR, e-Privacy Directive, Swedish data protection law
  • Contractual obligations: Customer security requirements and SLAs
  • Industry standards: ISO 27001, relevant sector-specific standards
  • Internal policies: All IMS policies and procedures

Compliance is verified through:

  • Regular internal audits
  • Management reviews
  • External assessments when required
  • Continuous monitoring of regulatory changes

5.7 Third-Party Security

Third parties with access to Swedwise information must:

  • Undergo security assessment before engagement
  • Agree to appropriate security terms in contracts
  • Demonstrate compliance with security requirements
  • Be monitored for ongoing security performance
  • Report security incidents affecting Swedwise

This applies to:

  • Cloud service providers and SaaS platforms
  • Subcontractors and consultants
  • Partners with system integration or data access
  • Managed service providers

5.8 Asset Management

Information assets are:

  • Identified and inventoried
  • Assigned owners responsible for protection
  • Classified according to value and sensitivity
  • Protected throughout their lifecycle
  • Disposed of securely when no longer needed

Asset owners are accountable for implementing appropriate controls and ensuring proper use.

5.9 Security by Design

Security is integrated into:

  • New service development and deployment
  • System changes and upgrades
  • Process design and improvement
  • Procurement and vendor selection
  • Project planning and execution

Security considerations are addressed early in initiatives, not as an afterthought.

5.10 Security Awareness and Training

All staff must:

  • Complete security awareness training during onboarding
  • Participate in annual security awareness refresher training
  • Receive role-specific security training as applicable
  • Stay informed of security updates and threats
  • Report security concerns without fear of reprisal

5.11 Physical and Environmental Security

Offices and facilities are protected through:

  • Controlled access to premises and secure areas
  • Visitor management procedures
  • Protection against environmental threats
  • Secure equipment disposal
  • Clear desk and clear screen practices

Consultants working at customer sites must follow customer security requirements while maintaining Swedwise baseline standards.

5.12 Cryptography

Cryptographic controls are used to protect:

  • Data in transit over untrusted networks
  • Sensitive data at rest
  • Authentication credentials
  • Digital signatures and non-repudiation where required

Cryptographic standards and key management practices follow industry best practices and compliance requirements.

6. Roles and Responsibilities

Chief Information Security Officer (CISO)

Assigned to: [TBD - name]

Responsibilities:

  • Overall accountability for information security management
  • ISMS implementation, maintenance, and improvement
  • Security risk assessment and treatment planning
  • Security incident coordination and response
  • Reporting to management on security performance
  • Security policy development and maintenance

Management Team

Responsibilities:

  • Approve security policies and risk treatment plans
  • Allocate resources for security initiatives
  • Support security culture and awareness
  • Review security performance quarterly
  • Ensure security integration in strategic decisions

Department Heads / Team Leads

Responsibilities:

  • Implement security policies within their areas
  • Ensure staff complete required security training
  • Participate in risk assessments for their operations
  • Report security incidents and concerns
  • Support security initiatives and controls

All Staff

Responsibilities:

  • Follow security policies and procedures
  • Complete required security training
  • Protect credentials and access privileges
  • Handle information according to classification
  • Report security incidents and suspicious activity
  • Use company systems and assets responsibly

IT Operations [TBD - if separate team/role exists]

Responsibilities:

  • Implement and maintain technical security controls
  • Monitor systems for security events
  • Apply security patches and updates
  • Conduct vulnerability assessments
  • Support incident response activities
  • Maintain security documentation and records

Security Champions [TBD - consider establishing]

Optional role to promote security awareness:

  • Act as security contact point in their teams
  • Promote security best practices
  • Provide feedback on security usability
  • Assist with security awareness initiatives

7. Exceptions

Temporary exceptions to this policy may be granted only when:

  • Business justification is documented
  • Compensating controls are identified
  • Risk is assessed and accepted by [TBD - CEO/CISO]
  • Exception is time-limited with review date
  • Exception is formally documented and tracked

Exceptions are reviewed quarterly and do not create precedent.

8. Consequences of Non-Compliance

Non-compliance with this policy may result in:

  • Retraining requirements
  • Access restrictions or removal
  • Disciplinary action up to and including termination
  • Legal action if warranted
  • Notification to affected parties or authorities as required

The severity of consequences depends on whether non-compliance was:

  • Unintentional (training and process improvement focus)
  • Negligent (disciplinary action)
  • Intentional (serious disciplinary or legal action)

9. Review and Update

This policy is:

  • Reviewed annually by the CISO
  • Updated when significant changes occur in:
    • Business operations or strategy
    • Threat landscape or risk profile
    • Legal or regulatory requirements
    • Technology environment
    • Organizational structure
  • Approved by [TBD - CEO/Management Team]
  • Communicated to all staff following updates

Policies:

Procedures:

Guidelines:

Supporting Documents:

  • [TBD - Statement of Applicability]
  • [TBD - Risk Assessment and Treatment Plan]
  • [TBD - Asset Inventory]
  • [TBD - Business Continuity Plan]

11. Document Control

Version: 1.0
Date: [TBD]
Author: [TBD - CISO name]
Changes: Initial policy creation
Approved By: [TBD - CEO name]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CISO


This policy is approved by Swedwise AB management and is effective from the date specified above. All staff are required to read, understand, and comply with this policy.