Information Security Policy Statement

Purpose

The objective of the Information Security Policy is to maintain and improve the security of information held by Simple. Information is a major asset that Simple has a responsibility and requirement to protect.

Protecting information assets is not limited to covering the stocks of information (electronic data or paper records) that Simple maintains. It also addresses the people that use them, the processes they follow, and the physical computer equipment used to access them.

The Simple ISMS Team have carefully assessed all the requirements as identified by information owners and clients, for maintaining confidentiality, integrity, and availability of information assets. This Information Security Policy Statement addresses the breadth of the policy and how this will be achieved.

The Chief Executive Officer has approved the information security policy.

Policy Statement

Simples’ Policy is to ensure that:

• Information Security and business continuity risks will be maintained at an acceptable level.
• Risk resulting from organisational, physical, environmental and the use of 3^rd Parties will be assessed and appropriately managed.
• The confidentiality of corporate and customer information will be assured. Sensitive information will be protected against unauthorised access and the integrity of information will be maintained. Information will only be made available to authorised business processes, employees, suppliers, and other interested parties when required.
• The protection of information will be considered when business continuity plans for mission critical activities are produced maintained, tested, or invoked.
• Information security training will be made available to all employees where appropriate.
• All breaches of information security, actual or suspected, will be reported and investigated.
• The tools, methods and data therein used to create, manage, and develop information and processes adhere to this policy
• The third-party services and solutions employed by Simple to help with any of the above also adhere to our policy and standards
• All parts of Simple’s Information security policies and procedures – the ISMS are regularly reviewed by the IS committee, senior management and internal and external audits are carried out to maintain its integrity and address changes when they occur.

To support this Policy:

• Simple shall establish an Information Security Management System (ISMS) which incorporates a systemic approach to information security risk management. The ISMS shall identify business needs and the needs of interested parties regarding information security requirements (including contractual, regulatory and any other relevant requirements) and create an effective operational security framework.
• Objectives shall be agreed on an annual basis, supported by a set of key performance indicators (KPI’s).
• Simple shall ensure continual improvement of the ISMS. The improvements shall be reviewed by management. The need for continual improvement will be communicated to all employees.
• Simple shall fully comply with and certify to the IEC/ISO 27001 standard for information.

Policy Scope

The ISMS is applicable to the provision of software and services that are carried out in Australia, in accordance with the Statement of Applicability, including all the people and processes involved in relation to the management of information security and data.