# Information security policy (draft)
This policy captures the top-level information security intent for LEF. It is designed to support ISO/IEC 27001 readiness, and should be finalized only when the ISMS scope is explicitly approved.
| Field | Value |
| --- | --- |
| Owner | Information Security Officer |
| Contact | infra@lef.tec.br |
| Version | 0.1 |
| Last updated | 2025-12-24 |
| Review cadence | Annual (and on major changes) |
## 1. Purpose

Define LEF’s management intent and direction for protecting information and systems, and establish the foundation for an Information Security Management System (ISMS).
## 2. Scope

This policy applies to the ISMS scope defined in ISMS scope (draft).
## 3. Policy statement (draft)

LEF commits to:
- Protect the confidentiality, integrity, and availability of information within scope.
- Apply a risk-based approach to selecting and improving controls (see Risk management).
- Comply with applicable legal, regulatory, and contractual requirements within scope.
- Ensure access is based on least privilege and need-to-know.
- Respond to incidents and vulnerabilities in a consistent, documented way.
- Continually improve the ISMS through review, audits, and corrective actions.
## 4. Responsibilities (high level)

- Information Security Officer: maintains the ISMS documentation set and coordinates improvement activities.
- Control owners: maintain the specific policies/procedures for their area.
- All collaborators: follow policies, report security issues promptly, and protect credentials and data.
## 5. Supporting policies and procedures

Use these as the canonical requirements:
- Access: Access control policy
- Data: Information classification policy and Data retention and deletion policy
- Operations: Incident response procedure and Vulnerability management procedure
- Continuity: BCDR plan and Backup and recovery policy
- Suppliers: Supplier security policy (draft)
## 6. Exceptions and risk acceptance

Exceptions to policy requirements are risk decisions: each one should be documented as such and mapped to its treatment or acceptance in the risk register and in the Statement of Applicability (SoA).