
Information Security Policy
Last updated: June 24, 2026
This Information Security Policy sets out Security Matterz’s (“SM”) commitment to protecting its information assets and forms the foundation of our Information Security Management System (ISMS), aligned with ISO/IEC 27001:2022.
1. Purpose
The purpose of this policy is to protect Security Matterz’s (SM) information assets from all threats — whether internal or external, deliberate or accidental.
2. Scope
This policy applies to all information created or received by SM in the course of providing its services.
It forms the basis of SM’s Information Security Management System (ISMS) and its related policies and procedures. Built on the International Standard ISO/IEC 27001, it takes a risk-based approach to embed appropriate levels of information security controls and countermeasures.
3. Compliance
SM is committed to complying with the requirements of ISO/IEC 27001:2022 and other applicable standards and regulations including, but not limited to, the National Cybersecurity Authority (NCA), the Ministry Security Operations Center (MSOC), and the Personal Data Protection Law (PDPL).
The organization shall ensure that its information security practices meet all legal, regulatory, and contractual obligations, and shall monitor changes to these requirements to remain compliant.
4. Owner
This policy is owned by the Information Security Management System Committee (ISMS-SC). The committee is responsible for reviewing, maintaining, and updating this policy and ensuring its alignment with the strategic direction and objectives of SM.
The ISMS-SC reports to top management and ensures the effective implementation of the Information Security Management System across the organization.
5. Policy Statement
It is the policy of Security Matterz to ensure that appropriate controls and countermeasures are put in place to protect corporate and client data, as well as the information technology systems, services, and equipment of SM.
The aim is to ensure that all of SM’s information assets — its people, intellectual property, computer systems, data, and equipment — are adequately protected from all threats, whether internal or external, deliberate or accidental, on a cost-effective basis. This is achieved with minimum inconvenience to authorized users while maintaining the level of service required by SM to conduct its business.
- SM protects information assets from unauthorized access.
- SM commits to comply with regulatory and legislative requirements.
- SM commits to provide information security training and awareness to its staff.
- SM adopts the ISO 27001 Information Security Management System (ISMS) as a tool to implement a formal system for protecting the confidentiality, integrity, and availability of information.
- Information security is aligned with SM’s strategic direction and business objectives.
- Information security risks are managed based on SM’s Risk Management Methodology.
- SM commits to continually improve its ISMS and information security.
- SM is committed to satisfying the expectations and requirements of interested parties.
- SM controls and restricts access to information assets based on the need-to-know and least-privilege principles.
- SM is committed to meeting all information security requirements from our clients and to providing the necessary resources to achieve this.
- SM is committed to encouraging information security improvements by engaging with our employees and enhancing their competences.
- SM continually reviews this policy and its information security performance to ensure it improves over time.
- Objectives relating to information security performance are set, monitored, and reviewed annually by the Information Security Management System Committee (ISMS-SC).
- This policy is available to all our customers and relevant interested parties, and our employees are made aware of our commitment and the contents of this policy.
- Security incidents and suspected vulnerabilities are handled and resolved in a manner appropriate to their nature.
- All managers are responsible for implementing the ISMS Policy and for ensuring adherence among their staff.
- Compliance with this policy and all other supporting policies, standards, and procedures is mandatory for all staff and third parties. Violations will result in corrective action by management, consistent with the severity of the violation as determined by an investigation and as deemed appropriate by management.
- SM complies with multiple regulatory and industry frameworks, including ISO/IEC 27001:2022, the National Cybersecurity Authority (NCA) guidelines, Ministry Security Operations Center (MSOC) controls, and the Personal Data Protection Law (PDPL).
6. Validity and Document Management
The owner of this document is the ISMS Manager, who must review and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria are considered:
- The number of ISMS document updates made without a proper Document Change Request being initiated and/or proper approvals being obtained.
- The number of ISMS document updates made without having been recorded in the Document Change Log.