Information Security Policy

This policy is based on ISO 27001:2013, the recognized international standard for information security. The Information Security Policy (hereinafter referred to as the ISMS Policy) of the Smart Solutions Group defines a system of views on the problem of ensuring information security (hereinafter referred to as IS).

1. Introduction
This Information Security Policy outlines the guidelines and principles that Smart Solutions Company Group (SSG) follows to protect the confidentiality, integrity, and availability of its information and information systems. The policy is aligned with ISO/IEC 27001:2013 and is applicable to all personnel within the organization, including the IT department.
2. Objectives
The objectives of this Information Security Policy are as follows:
  • To ensure the protection of SSG's information assets from unauthorized access, disclosure, alteration, destruction, and disruption.
  • To establish a security framework that complies with legal, regulatory, and contractual requirements.
  • To foster a culture of information security awareness and responsibility among all employees.
  • To ensure the availability and reliability of information systems and services.
  • To continuously monitor and improve the effectiveness of SSG's information security management system (ISMS).
3. Roles and Responsibilities
CEO:
  • Plays a crucial role in the organization's IT information security policy and, as the highest-ranking executive, is responsible for ensuring that IT and security controls are implemented in line with the organization's risk management strategy.
  • Ensures that information security controls and processes are aligned with the business strategy and operations.
  • Establishes a culture of security within the organization and demonstrates a commitment to protecting the organization's assets.
  • Ensures that information security policies are integrated with strategic and operational planning processes.
  • Provides the necessary resources, including personnel and budget, to support effective information security management.
IT/Telecoms Director:
  • Has the overall responsibility for the implementation and maintenance of the information security management system (ISMS).
  • Ensures that the necessary resources are provided for the successful implementation of information security measures.
  • Approves and monitors information security policies, procedures, and guidelines.
IT Service Delivery Manager:
  • Implements and maintains technical security controls, including firewalls, intrusion detection systems, and encryption mechanisms.
  • Conducts regular vulnerability assessments and assists in remediation efforts.
  • Assists in incident response and investigation activities.
Helpdesk Engineer:
  • Provides support in implementing information security measures and controls.
  • Assists in managing user access rights, including granting, reviewing, and revoking privileges.
  • Educates users on the importance of information security practices.
System Administrator:
  • Administers and maintains the security of servers, databases, and other IT infrastructure.
  • Implements access controls and ensures user authentication mechanisms are in place.
  • Performs routine system patching and updates.
4. Information Security Controls
Access Control:
  • Users are granted access to information and systems on a need-to-know and least-privilege basis.
  • Strong authentication mechanisms, such as passwords and multi-factor authentication, are implemented.
  • Regular reviews and audits are conducted to ensure access rights are appropriate and up to date.
Physical Security:
  • Physical access to SSG's premises and critical information assets is restricted and controlled.
  • Video surveillance systems are in place to monitor critical areas.
  • Asset management procedures are implemented to track and protect IT equipment.
Security Incident Management:
  • A security incident management process is established to detect, respond to, and recover from security incidents.
  • Security incidents are reported to the IT department and escalated as necessary.
  • Lessons learned from incidents are used to improve the security posture of SSG.
Change Management:
  • Changes to information systems and infrastructure are planned, tested, and documented to prevent unintentional security vulnerabilities.
  • Change management procedures are established to authorize, implement, and review changes.
Employee Awareness and Training:
  • All employees undergo regular information security awareness training.
  • Security policies and procedures are communicated to employees and contractors.
  • Reporting mechanisms are in place to encourage the reporting of security incidents, risks, or vulnerabilities.
5. Compliance and Auditing
Compliance:
  • SSG is committed to complying with all applicable legal, regulatory, and contractual requirements related to information security.
  • Regular assessments are conducted to ensure compliance with security policies and controls.
Auditing:
  • Regular audits and assessments of the information security management system are conducted to verify its effectiveness.
  • Audit results are used to identify areas for improvement and to address any non-compliance issues.
6. Continual Improvement
SSG is committed to continually improving its information security management system. This commitment includes regular review and updates to security policies and controls, learning from security incidents, and benchmarking against industry best practices.
7. Review and Approval
This Information Security Policy has been reviewed by the IT/Telecoms Director and is effective as of 26 December 2025. It will be reviewed annually or as needed to ensure its ongoing suitability, adequacy, and effectiveness.