Protection of the company’s information assets is a primary objective for safeguarding THRON’s business and ensuring business continuity; it is also a contractual obligation toward stakeholders.
To this end, the Information Security Management System (ISMS) is established, designed by THRON’s Information Security Manager (ISM) and based on:
- policies and guidelines;
- organizational, physical, technological, and behavioral security measures;
- methodologies and methods to verify their effectiveness and their adequacy with respect to business needs and legal requirements.
The Information Security Management System pursues the following objectives:
- safeguard the legitimate interests of shareholders, employees, and all other stakeholders;
- ensure the protection of corporate information and the continuity of business activities, by making sure the intended protection level is implemented according to the criticality, risk, and value of the information to be protected;
- define a simple, consistent, and promptly updated reference model for the protection of corporate information, aligned with business strategies;
- retain documentary evidence of the systems designed and implemented, as well as of activities performed, for legal, tax, and operational purposes;
- comply with the requirements imposed by national and European directives on network and information security.
General Principles
The Information Security Management System is founded on the following principles:
- information is a corporate asset that must be adequately protected in all stages of processing (from design to destruction);
- cybersecurity must be an integral part of every business process;
- risk cannot be eliminated entirely, but the objective is to contain it within an acceptable level (to guarantee continuity of the services provided);
- the accountability – one’s own and toward others – of owners, suppliers, or users of information systems must be explicit;
- external systems are, by definition, not secure;
- protections should, where possible, be built in “layers” and consist of a balanced mix of technological and organizational measures;
- “mission-critical” systems must be segregated from systems with public access;
- all data access must be authorized according to the principles of “need-to-know” and “least privilege.”
ISMS Model
The Information Security Management System is structured across several interrelated layers of countermeasures to protect the confidentiality, integrity, and availability of information:
- organizational layer: identifies the allocation of responsibilities and roles in managing information protection;
- technological layer, which comprises:
  - infrastructure layer: specifies how ICT systems (processing, transmission, and storage) must be designed and implemented to ensure an adequate level of security;
  - network layer: identifies defense mechanisms to manage access to the corporate network (both from inside and from remote workstations);
  - application layer: identifies defense mechanisms to manage access to applications and to the data processed by them;
- behavioral layer: identifies the rules to be followed by all personnel and any third parties interacting with THRON;
- physical layer: identifies the physical protections to be implemented to safeguard devices, ICT equipment, and access to them;
- legal layer: identifies the laws and regulations to be observed;
- control layer: identifies the organizational and technological mechanisms that allow ongoing oversight of the overall level of information protection.
The principles set out above are detailed in the descriptive document of the Information Protection System (the “Information Security Protection Policy”) and form the basis of specific Guidelines issued by the ISM, published on the internal company portal, and delivered through periodic training to all concerned.
Scope of Application
The Information Security Protection Policy applies to all THRON stakeholders and involves – and binds – all persons who need to access THRON’s information system (including employees, partners, suppliers, and customers).
The architectural design of the information systems – both infrastructure and applications – must comply with and be consistent with the principles of THRON’s Information Security Protection Policy from the design phase onward.
The same principles also apply to the use of corporate assets and resources.
THRON
Chief Executive Officer (CEO)
Revision dated 30/09/2023