Information Security Policy

Company name: Solunio

Effective date: 30/06/2025

Version history
Version: 1
Date: 30/06/2025
Description: N/D
Author: Paul Leiter
Approved by: Matthias Unterberger
Scope
The purpose of this policy is to declare and communicate Top Management’s commitment to protecting the organization’s information assets. This document defines the framework for establishing, implementing, maintaining, and continually improving the Information Security Management System (ISMS), with the aim of protecting the confidentiality, integrity, and availability of information and supporting the company’s strategic objectives.
Scope of application
This policy applies to all of the organization’s activities, processes, information assets, technology systems and locations. It involves all personnel, including employees, contractors and third parties who have access to information or company systems, regardless of their geographic location.
Regulatory references
  • ISO 27001:2022: Requirements for information security management systems.
  • ISO 27002:2022: Information security controls guidelines.
  • Regulation (EU) 2016/679 (GDPR): Protection of natural persons with regard to the processing of personal data.
Terms and definitions
  • Information security: Protection of Confidentiality, Integrity and Availability of information.
  • Confidentiality: The property whereby information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Integrity: The property of safeguarding the accuracy and completeness of information and processing methods.
  • Availability: The property of being accessible and usable upon request by an authorized entity.
  • ISMS (Information Security Management System): An organization’s systematic approach to managing sensitive information so that it remains secure.
Roles and responsibilities
ISMS Responsible:
  • Oversee overall compliance with all information security policies, ensuring alignment with regulatory, contractual, and operational requirements.
  • Ensure that policies are regularly reviewed, approved, and updated in accordance with changes in legal obligations, business needs, or security risks.
  • Monitor adherence to the policy through system indicators, internal controls, and reporting mechanisms defined within the ISMS framework.

Employees / Collaborators / Third parties:
  • Understand and apply this policy, including the principles and operational security requirements it outlines, as part of their defined role within Solunio’s ISMS. Training and onboarding processes support this understanding.
  • Immediately report any anomalies, suspected violations, or confirmed breaches of this policy through official reporting channels, including the “MOD Log of information security incidents” and designated escalation paths.
  • External parties are additionally bound by the terms defined in contractual agreements, which reiterate their obligations toward Solunio’s information security posture.
Information security objectives
The organization’s dedication to information security is not an end in itself, but a strategic pillar that translates into a series of clear and measurable objectives that guide every decision in this area. The first and fundamental objective is to ensure strong regulatory compliance: full adherence to laws, regulations and contractual obligations, so that security practices are always aligned with the latest legal requirements.

Beyond compliance, the primary purpose of the organization is the proactive protection of information assets. It works constantly to safeguard the information entrusted to it by its customers, as well as its own intellectual property, resolutely protecting both from any threat, whether internal or external. This commitment extends to the goal of ensuring operational resilience: the organization does not simply prevent incidents, but prepares to respond to them. It intends to maintain the continuity of critical operations and to restore services quickly and effectively, minimizing the impact on the business and on customers.

The organization recognizes that technology alone is not enough. Therefore, a crucial goal is to promote a pervasive culture of security, where every member of staff is not only aware of the policies, but deeply understands the value of their role in protecting information. Finally, all the organization’s initiatives are guided by a mature approach to risk management, which allows threats to be identified, assessed and treated intelligently and prioritized, ensuring that resources are always invested where they can generate the greatest value for information security.
Basic security principles
The organization’s information security strategy is not based on a single control, but on a set of interconnected principles that form the foundation of the adopted Management System.

The pillar on which the entire structure rests is the principle of shared responsibility. Information security is not a task relegated to a single department, but a duty that belongs to every person within the organization. For this reason, a culture is promoted in which every employee is aware of his or her role and feels obliged to promptly report any known or suspected security incident, weakness or anomaly.

This shared responsibility is driven by a proactive approach based on risk management. The decisions taken by the organization regarding information security are not arbitrary, but are derived from a formal analysis of threats and vulnerabilities, which allows proportionate and effective controls to be implemented. One of the main fruits of this approach is the principle of access control, according to which access to information and systems is granted following the logic of “least privilege” and “need-to-know”, ensuring that each user has only the authorizations indispensable to perform their duties.

Controls, in turn, are not isolated elements. The principle of integrated security (security-by-design) ensures that security is a native component and not a late addition, being considered from the design phase of new processes, systems or services. Finally, the organization applies a defense in depth strategy, implementing multiple layers of security controls (technological, physical and procedural). In this way, if one barrier were to fail, others would be ready to intervene, creating a layered and resilient protection for our most valuable assets.
Storage and update
This policy is a controlled document and will be reviewed annually, or following significant changes in the organization, technology or threat environment, under the supervision of the ISMS Responsible.
Reference documents
  • Code of conduct
  • Information security roles and responsibilities policy
  • Management system policy
  • Information classification and labelling policy
  • Operational security policy