Information Security Policy
Protecting What Matters Most.
Organogram is committed to maintaining the confidentiality, integrity, and availability of all information assets in accordance with ISO/IEC 27001:2022 and the Nigeria Data Protection Act.
Purpose & Objective
To establish Organogram’s commitment to protecting information assets and to support the implementation, operation, and continual improvement of the Information Security Management System (ISMS).
Organogram and its executive management are committed to establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022, while protecting the confidentiality, integrity, and availability of all information assets and ensuring that security supports business objectives and operational resilience.
- Establish Organogram’s information security principles and governance framework
- Define responsibilities for protecting information assets against unauthorized access, disclosure, alteration, destruction, or disruption
- Ensure alignment with applicable legal, regulatory, and contractual requirements
- Ensure all employees, contractors, consultants, and third parties who access Organogram’s assets comply with this policy
Scope
Organogram operates primarily in a cloud-native environment, utilizing Google Cloud Platform (GCP), Google Workspace, and other approved cloud-based services.
Assets in Scope
- All information assets owned, managed, processed, stored, transmitted, or accessed by Organogram, regardless of format or location
- Cloud services, business applications, endpoints, collaboration platforms, networks, and mobile devices
- Remote working environments, APIs, and supporting information processing facilities
Personnel in Scope
- All employees, contractors, consultants, temporary staff, interns, service providers, and third parties
- Any party that accesses, processes, manages, or supports Organogram’s information assets or systems
Roles & Responsibilities
Effective information security depends on clearly defined accountability across the organization.
Executive Management
- Set the overall direction for information security and promote responsible security practices
- Approve security strategy, priorities, and governance approach
- Allocate resources required to implement and maintain security controls
Security Reviewer
- Review the effectiveness of the information security program and control environment
- Identify gaps and recommend practical improvements to strengthen security
- Support periodic audits and compliance assessments
Compliance Lead
- Coordinate the maintenance and communication of security policies and standards
- Track security risks, issues, and remediation activities
- Ensure consistent application of security controls across the organization
Security Team
- Operate, monitor, and maintain security controls and tooling
- Detect and respond to security incidents and suspicious activity
- Support security assessments, reviews, and continuous improvement activities
Department Managers & Business Unit Leaders
- Enforce security requirements within their teams and business units
- Escalate security issues and promote awareness within their areas of responsibility
- Maintain oversight of access rights and local information assets
System & Data Owners
- Own and classify information assets and ensure appropriate protection measures are applied
- Review and approve access rights and changes to systems and data under their responsibility
- Support incident response and remediation activities when required
All Personnel
- Follow information security policies, standards, and acceptable use requirements
- Complete required security awareness and training activities
- Report security incidents, vulnerabilities, and concerns promptly
- Use Organogram information assets only for authorized business purposes
What Is Information Security?
Organogram maintains the confidentiality, integrity, and availability (CIA) of information while complying with applicable legislative, regulatory, and contractual requirements. This policy is based on ISO/IEC 27001:2022 and aligns with the Nigeria Data Protection Act (NDPA) for personal data and PII protection.
Confidentiality: Organogram restricts access to information to authorized users only. Sensitive data is protected from unauthorized disclosure, and access is granted based on defined authorization rules.
Integrity: Organogram ensures that information remains accurate, complete, and protected from unauthorized modification. Controls such as separation of duties and controlled transactions are enforced to prevent improper data changes.
Availability: Organogram ensures that authorized users can access information and services when required. Systems are designed to remain available during disruptions, and recovery processes are implemented to restore services promptly.
Core Security Principles
Shared accountability: All personnel contribute to the effectiveness of the security program by implementing applicable policy requirements within their roles.
Risk-based approach: Organogram prioritizes security controls using a risk-based approach to ensure balanced and effective protection.
Least privilege: Organogram grants users and systems only the minimum level of access required to perform their defined functions.
Need to know: Organogram restricts access to information to only those users who require it to perform approved business functions.
Defense in depth: Organogram implements multiple layers of security controls so that a breach of one layer does not compromise the entire system.
Fail secure: Systems transition to a secure state when confidentiality, integrity, or availability is at risk or compromised.
Segmentation: Organogram isolates systems and environments so that compromise of one segment does not expose other segments.
Monitoring and detection: Organogram implements monitoring mechanisms to detect unauthorized activity and support incident investigation and response.
Information Security Risk Management
Organogram ensures that information security risks are identified, assessed, and treated in a consistent manner across the organization.
Organogram operates a risk-based security program in which security decisions are informed by identified risks and the application of appropriate controls and safeguards. Organogram performs IT risk assessments in alignment with its Risk Management Framework, based on ISO/IEC 27001 and ISO 31000.
Risk Assessment Approach
- Organogram identifies and assesses threats and risks using approved methods, including manual reviews, vulnerability scans, incident data, and control testing
- Organogram records risks in a centralized spreadsheet or automated risk management tool
- Organogram defines risk tolerance and risk appetite in accordance with established best practices
- Organogram accepts low and very low risks by default unless specific conditions require further treatment
Risk Treatment Options
Accept: Organogram formally accepts residual risk within approved tolerance levels and documents, approves, and reviews such risks periodically.
Mitigate: Organogram implements corrective, preventive, technical, or operational controls to reduce risk likelihood or impact.
Transfer: Organogram transfers risk to third parties through contractual agreements, insurance, or outsourcing arrangements.
Avoid: Organogram eliminates activities, systems, or technologies that introduce unacceptable levels of risk.
Defer: Organogram temporarily postpones remediation activities with approved business justification and continues periodic monitoring.
Reporting Cadence
- Organogram requires Head of Engineering approval for residual risk, with high-impact risks escalated to business leadership
- Organogram submits risk reports to management at least semi-annually
- Organogram conducts IT risk assessments for all production environments and projects involving information assets
- Organogram performs regular security assessments across production environments
Cybersecurity Operations & Management
Organogram protects its network and IT systems against unauthorized access, malicious code, and cyberattacks, and detects unauthorized use of systems and networks.
Organogram operates cybersecurity functions to protect, monitor, and respond to security threats across its systems and infrastructure.
System Hardening
Organogram ensures that operating systems, endpoints, cloud environments, and network devices are securely configured against known threats.
- Organogram reviews systems regularly for secure configuration compliance
- Organogram tracks and remediates identified configuration issues
Logging & Monitoring
Organogram ensures that security events, user activity, and system operations are logged, monitored, and reviewed to detect unauthorized activity.
- Organogram securely stores logs and reviews them for unusual or suspicious activity
- Organogram uses logs to support security investigations and incident response
Vulnerability & Patch Management
Organogram ensures that vulnerabilities are identified, assessed, prioritized, and remediated in a timely manner to reduce exposure.
Organogram applies security patches and updates through a risk-based vulnerability management process.
Endpoint Detection & Response (EDR)
Organogram continuously monitors endpoint activity and detects and responds to suspicious behavior within defined timelines.
- Organogram monitors endpoints for malicious or suspicious activity
- Organogram escalates high-risk events for investigation and response
Encryption & Key Management
Organogram protects sensitive information using approved encryption mechanisms and securely manages cryptographic keys throughout their lifecycle.
- Organogram encrypts sensitive information using approved cryptographic standards
- Organogram securely manages access credentials and encryption keys
- Organogram promptly revokes expired or compromised keys
Security Assessments
Organogram conducts periodic security assessments and penetration testing to identify and remediate system and application vulnerabilities.
- Organogram performs regular security assessments across systems and applications
- Organogram reviews new or changed systems before production release
Email Filtering
Organogram detects and filters malicious, spam, phishing, and unauthorized emails to protect its environment.
- Organogram filters incoming emails using security controls with defined effectiveness targets
- Organogram records and investigates security-related email events
- Organogram updates filtering rules based on emerging threats and lessons learned
Phishing Awareness
Organogram improves employee awareness and resilience against phishing and social engineering attacks.
- Organogram conducts awareness exercises to help users identify phishing attempts
- Organogram provides follow-up guidance and corrective training where required
Data Loss Prevention (DLP)
Organogram prevents unauthorized disclosure, transfer, or loss of sensitive information.
- Organogram monitors and detects unauthorized data transfers and anomalies
- Organogram triggers alerts for sensitive data activity
- Organogram prompts users to confirm intent for sensitive data transfers
- Organogram restricts external email forwarding for non-approved users and exceptions
Threat Intelligence
Organogram identifies, monitors, and analyzes emerging cyber threats that may impact its operations.
- Organogram tracks emerging threats and external risk signals
- Organogram uses threat intelligence to strengthen security controls
Security Monitoring
Organogram identifies, correlates, and responds to security events and anomalies in a timely manner.
- Organogram monitors and reviews security events continuously
- Organogram uses alerts to support timely incident response
Secure Development Lifecycle
Organogram integrates security requirements into system development and maintenance activities.
- Organogram reviews new systems for security before production release
- Organogram protects sensitive data during development and testing
- Organogram secures access to public-facing systems and applications
Information Security During Incidents
Organogram ensures security controls remain effective during incident response, business continuity, and disaster recovery.
Organogram maintains security controls during incident response, continuity operations, and recovery activities.
Mobile Device Management
Organogram secures mobile devices that access organizational resources against unauthorized access and data leakage.
- Organogram authorizes and manages all mobile devices accessing corporate systems
- Organogram enforces strong authentication and automatic screen locking
- Organogram enforces encryption and prohibits rooted or jailbroken devices
- Organogram requires MFA for access to corporate systems and data
- Organogram restricts storage of corporate data on unsecured personal storage
- Organogram blocks non-compliant devices from accessing systems
Third Party Risk Management
Organogram ensures third-party providers meet minimum security requirements before and during service delivery.
- Organogram assesses third parties before onboarding
- Organogram ensures identified risks are addressed before engagement begins
Security Awareness
Organogram ensures personnel understand and comply with security responsibilities and safe practices.
- Organogram provides security awareness training and guidance
- Organogram includes security onboarding for all new personnel
Cloud Security
Organogram secures cloud infrastructure, platforms, and services using a shared responsibility model.
- Organogram restricts cloud access to authorized users only
- Organogram protects sensitive data in transit and at rest
- Organogram reviews and monitors all cloud configuration changes
Business Continuity Management
Organogram ensures critical business operations and systems continue or recover within acceptable timeframes.
- Organogram develops, maintains, and tests business continuity plans
- Organogram conducts business impact analyses for critical functions
- Organogram defines and maintains RTOs and RPOs for critical systems
- Organogram performs regular backup and restoration testing
- Organogram maintains alternative processing capabilities and tests failover procedures
Asset Management
Organogram identifies, classifies, and protects information assets based on their value and sensitivity.
- Organogram applies stronger controls to sensitive and personal data
- Organogram assigns ownership of all information assets
- Organogram enforces access and handling rules based on classification
Change Management
Organogram ensures all system changes are assessed, approved, tested, and controlled.
Organogram applies formal change management processes to infrastructure, applications, cloud environments, and configurations, including security impact assessment and rollback planning.
Access Control Management
Organogram ensures access to information assets is authorized and granted based on business need and least privilege.
- Organogram enforces least privilege and need-to-know access principles
- Organogram grants access only after documented approval
- Organogram enforces MFA for remote and privileged access
- Organogram reviews access at least quarterly and revokes unnecessary access
- Organogram enforces secure password policies and reuse prevention
- Organogram monitors and alerts on suspicious access activity
Human Resources Security
Organogram manages security responsibilities across the employment lifecycle.
Joiners
- Organogram performs background checks as required
- Organogram includes security obligations in employment agreements
- Organogram grants access only after onboarding completion
- Organogram issues and tracks organizational assets
Movers
- Organogram updates access rights when roles change
- Organogram removes unnecessary access immediately
- Organogram reviews segregation of duties during transitions
- Organogram coordinates role changes across HR and IT teams
Leavers
- Organogram revokes all access upon termination
- Organogram disables accounts, credentials, and tokens immediately
- Organogram retrieves all organizational assets
- Organogram enforces post-employment confidentiality obligations
- Organogram executes offboarding using a formal checklist
Cryptography & Key Management
Organogram ensures cryptographic controls protect confidentiality, integrity, and authenticity of information.
- Organogram encrypts sensitive data using approved algorithms
- Organogram manages cryptographic keys through a formal lifecycle process
- Organogram stores keys in secure hardware or equivalent systems
- Organogram reviews cryptographic standards regularly
Physical & Environmental Security
Organogram protects facilities, equipment, and information from physical and environmental threats.
- Organogram relies on cloud provider physical security controls for GCP infrastructure
- Organogram restricts office access to authorized personnel and approved visitors
- Organogram enforces clear desk and clear screen practices
- Organogram securely disposes of storage media containing organizational data
- Organogram applies remote working physical security requirements
Software Usage & Installation
Organogram ensures only authorized and secure software is used within the organization.
- Organogram permits only approved and licensed software on systems
- Organogram requires authorization before software installation
- Organogram prohibits unauthorized or pirated software
- Organogram installs software only from trusted sources
- Organogram keeps software updated with security patches
Electronic Messaging
Organogram ensures secure and appropriate use of communication platforms.
- Organogram uses messaging systems primarily for business purposes
- Organogram restricts sensitive communication to approved channels
- Organogram prohibits automatic forwarding to external accounts
- Organogram requires reporting of phishing and suspicious messages
- Organogram ensures collaboration tools meet security requirements
Clear Desk & Clear Screen
Organogram prevents unauthorized access to information in physical and digital environments.
- Organogram requires desks to remain clear of sensitive information when unattended
- Organogram enforces automatic screen locking on inactivity
- Organogram prevents sensitive information exposure in shared spaces
- Organogram securely disposes of printed materials
Data Privacy
Organogram ensures that personal and sensitive information is processed lawfully, securely, transparently, and in compliance with applicable privacy, legal, regulatory, and contractual obligations, including the Nigeria Data Protection Act (NDPA).
Organogram treats data privacy governance as a core pillar of its information security program. Organogram requires all personnel handling personal information to comply with the Nigeria Data Protection Act (NDPA) and applicable data protection frameworks.
Protection of Personal Information
Organogram ensures that PII is collected, processed, stored, transmitted, retained, and disposed of securely and in compliance with applicable privacy and regulatory requirements, including the Nigeria Data Protection Act (NDPA).
- Organogram processes personal information in accordance with applicable privacy laws in each operating jurisdiction
- Organogram defines and implements a formal privacy governance structure
- Organogram implements information security controls to protect personal information throughout its lifecycle
- Organogram ensures all employees and third parties are aware of their responsibilities for protecting personal information
- Organogram applies data masking, anonymization, pseudonymization, or equivalent techniques where appropriate
Compliance & Enforcement
Organogram ensures that information security compliance status, risks, findings, and activities are documented, monitored, and reported in a consistent manner.
Organogram requires all employees, contractors, and third parties to comply with this policy and all supporting policies, procedures, and standards. Organogram monitors compliance through security assessments, automated tools, access reviews, and activity logs.
Regulatory Compliance
- Organogram complies with applicable data protection and privacy laws, including the Nigeria Data Protection Act (NDPA)
- Organogram complies with security breach notification requirements
- Organogram complies with applicable electronic transaction regulations and records retention requirements
- Organogram complies with intellectual property protection and export control regulations
Audit Requirements
- Organogram conducts internal security audits at least annually
- Organogram conducts external security audits at least every two years
- Organogram conducts specialized audits as required by applicable regulations
- Organogram tracks audit findings to resolution and reports outcomes to appropriate management
Policy Violations
- Organogram investigates all suspected policy violations promptly through authorized personnel
- Organogram collects and preserves evidence appropriately while maintaining confidentiality during investigations
- Organogram applies disciplinary actions up to and including termination based on severity, intent, impact, and prior violations
- Organogram reviews written appeals through designated authorities whose decisions are final
- Organogram may pursue legal action for violations that result in significant harm or involve criminal activity
Exceptions & Deviations
Organogram ensures that approved exceptions are monitored, reviewed, controlled, and periodically reassessed to minimize security and compliance risks.
Organogram permits policy exceptions only where legitimate business needs exist. Organogram manages all exceptions through a formal approval process that includes documented risk assessments and appropriate compensating controls.
Exception Approval by Risk Level
Exception Review Cadence
- Organogram reviews critical and high-risk exceptions at least quarterly
- Organogram reviews medium-risk exceptions at least semi-annually
- Organogram reviews low-risk exceptions at least annually
- Organogram reviews all exceptions prior to expiration and upon significant changes
Review & Maintenance
Organogram ensures that the Information Security Policy remains current, effective, and aligned with organizational, regulatory, operational, and threat landscape changes.
Review Triggers
- Organogram reviews the policy at least annually
- Organogram reviews the policy when significant organizational changes occur
- Organogram reviews the policy after major security incidents
- Organogram reviews the policy when new threats or vulnerabilities are identified
- Organogram reviews the policy when regulatory requirements change
- Organogram reviews the policy when technology changes impact security requirements
Review Participants
Policy Update Process
- Organogram applies change management procedures with version control and documented change summaries
- Organogram ensures stakeholders review and approve updates before publication
- Organogram communicates updates to all affected parties and incorporates them into training programs
- Organogram publishes the policy in accessible locations and includes it in awareness campaigns
ISO/IEC 27001:2022 Mapping
Organogram demonstrates alignment between its Information Security Policy, ISO/IEC 27001:2022 requirements, Annex A controls, and applicable regulatory obligations.
| Policy Section | ISO Clause(s) | Annex A Controls |
|---|---|---|
| 1. Purpose | Clause 5.2 | |
| 2. Scope | Clause 4.3 | |
| 3. Roles & Responsibilities | Clause 5.3 | A.5.2 Roles & Responsibilities |
| 4. CIA Principles | Clause 4.1, 4.2 | |
| 5. Risk Management | Clause 6.1, 6.1.2, 6.1.3 | A.5.7 Threat Intelligence; A.5.9 Asset Inventory |
| 6. Cyber Operations | Clause 8.1 | A.8.7 Malware; A.8.15 Logging; A.8.8 Vulnerability Management; A.5.15 Access Control; A.5.23 Cloud |
| 7. Data Privacy | Clause 6.1.3 | A.5.34 Privacy & PII |
| 8. Protection of PII | Clause 6.1.3 | A.5.34 Privacy & PII |
| 9. Compliance | Clause 9.1, 9.2, 10.1 | A.5.25 Compliance Assessment; A.5.36 Policy Compliance |
| 10. Exceptions | Clause 10.1 | A.5.6 Contact with Authorities |
| 11. Review | Clause 9.3, 10.2 | |
| 12. ISO Mapping | Clause 7.5 | |