Information Security Policy
Introduction
This page defines the information security policy of OpenApp. As a modern, forward-looking business, OpenApp recognises at senior levels the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders and other stakeholders. In order to provide such a level of continuous operation, OpenApp has implemented an Information Security Management System (ISMS) in line with the International Standard for Information Security, ISO/IEC 27001. This standard defines the requirements for an ISMS based on internationally recognised best practice.
This information security policy applies to all stakeholders of our organization.
Legislation and standards
We must be aware of, and apply, the laws, regulations and requirements of the countries in which our clients operate. Primarily this means the EU GDPR and the associated national legislation. Although the GDPR is currently the most demanding data protection standard we work to, we need to be aware of other national initiatives in the jurisdictions where our clients are active.
Other standards and guidelines we should also be aware of and monitor include HIPAA (United States) and Good Clinical Practice (GCP). A comparison of GDPR, HIPAA and GCP is available here.
Information security requirements
A clear definition of the requirements for information security within OpenApp will be agreed and maintained with the internal business and cloud service customers so that all ISMS activity is focussed on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements about the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of OpenApp's Information Security Management System that the controls implemented are driven by business needs, and this will be regularly communicated to all staff through team meetings and briefing documents.
Framework for setting objectives
A regular cycle will be used for the setting of objectives for information security. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process, during which the views of relevant interested parties may be obtained.
Information security objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure that they remain valid. If amendments are required, these will be managed through the change management process.
In accordance with ISO/IEC 27001, the reference controls detailed in Annex A of the standard will be adopted by OpenApp where appropriate. These will be reviewed on a regular basis in the light of the outcome of risk assessments and in line with information security risk treatment plans. For details of which Annex A controls have been implemented and which have been excluded, please see the Statement of Applicability.
Continual improvement of the ISMS
OpenApp policy regarding continual improvement is to:
- Continually improve the effectiveness of the ISMS
- Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001 and related standards
- Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
- Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
- Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
- Review relevant metrics on at least an annual basis to assess whether it is appropriate to change them, based on collected historical data
- Obtain ideas for improvement via regular meetings and other forms of communication with interested parties
- Review ideas for improvement at regular management meetings in order to prioritise and assess timescales and benefits
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be recorded and evaluated as part of management reviews.
Information security policy areas
OpenApp defines policy in a wide variety of information security-related areas which are described in detail in a comprehensive set of policy documentation that accompanies this overarching information security policy.
Each of these policies is defined and agreed by one or more people with competence in the relevant area and, once formally approved, is communicated to an appropriate audience, both within and external to the organization.
Copyright © 2024 OpenApplications Consulting Ltd. Registered in Ireland No. 355595