Information Security Policy
The information security policy is established by the company management and sets out Talentwise’s basic approach and direction at an overall level regarding information security work.
Purpose and definitions
The information assets that Talentwise manages - both for itself and for its customers - are fundamental to Talentwise’s business. Proper management of these assets is important for the trust of employees, customers and partners. Information assets are defined as all information that is of value to Talentwise and its customers, whether it is processed analogue or digitally, automatically or manually, and regardless of its form or the environment in which it exists. The purpose of this Information Security Policy is to demonstrate management's commitment to ensuring that these assets are treated in accordance with stated objectives and principles.
Information security can be summarised according to the following requirement areas:
Availability - that information is available to the expected extent, to authorised users and within the desired time.
Accuracy - that information is protected against unwanted alteration or deletion, whether intentional or unintentional.
Confidentiality - that information in violation of legal requirements, rules, policies or agreements is not made available or disclosed to unauthorized parties.
Objectives and principles
In establishing this policy, Talentwise commits to comply with applicable requirements related to information security. The policy covers the whole of Talentwise and contains the following objectives and principles:
- that knowledge exists, and is continuously developed, on how information security is ensured, maintained and continuously improved.
- all information assets are classified in accordance with the established methodology,
- threats to information assets and services are continuously assessed and managed according to the established risk management process,
- crisis management capability is continuously analysed and maintained,
- preventing unexpected and undesirable events leading to negative consequences,
- that information security work is a natural and integral part of the business, and
- the management system and related security measures are periodically reviewed to achieve continuous improvement.
Liability conditions
Responsibility for Talentwise’s information security work should follow the normal delegated operational responsibility at all levels.
The owners express the goals and principles by establishing the Talentwise Information Security Policy.
Management has ultimate responsibility for Talentwise’s information security work and approves and establishes the related information security framework. Management owns and is responsible for Talentwise’s infrastructure, services, systems and applications and appoints the information and system owners for these.
The Chief Information Security Officer (CISO) works on behalf of senior management. The CISO has the overall and strategic responsibility to lead, develop, coordinate and audit information security activities. The CISO is also responsible for strategic and operational work on risk management.
Each department owns and is responsible for its own business-specific infrastructure, services, systems and applications and appoints owners for these.
All employees have a responsibility to ensure that information security is maintained.
Deviations and exemptions
In the event of deviations or exemptions from this policy, or the associated regulations, these must be reported to the immediate superior. Incidents and occurrences that may have negative consequences for Talentwise must be reported promptly to senior management in order to minimise damage and prevent similar incidents.
Review and follow-up
The information security policy and the associated information security framework shall be reviewed and updated at least every three years, or if significant changes in the organisation or the environment occur. This is to ensure the continued appropriateness, accuracy and effectiveness of the policy. The review shall include an assessment of Talentwise’s ability to improve its framework and its approach to information security based on changes in Talentwise’s environment, business conditions, legal requirements and technical environment.
Related documents
The Information Security Policy describes Talentwise’s objectives regarding information security. To ensure the needs of the business, there are additional, and more specified rules and guidelines regarding what should be implemented and in what way in order for the policy to be complied with.
Validity of the information security policy
The Information Security Policy is reviewed once per year.
This version was adopted by Talentwise’s management on 3 November 2023 and is valid until 3 November 2024.