IMS Policy
Introduction
This policy defines how the Integrated Management System comprising of the Information Security Management System (ISMS), Service Management System (SMS) and Business Continuity Management System (BCMS) will be set up, managed, measured, reported on and developed within Paga Limited (also known as “Paga”)
Paga is committed to providing services according to clients’ expectations, ensuring that we take all aspects of Information Security, Business Continuity and Service Management under consideration in delivering these services to our clients.
Paga’s policy is to commit to and maintain an Integrated Management System designed to meet the requirements of ISO27001:2022, ISO 20000:2018 and ISO 22301:2019 in pursuit of its primary objectives.
To drive continual improvement within the Integrated Management System, Paga Limited has set objectives on an annual basis as part of the Management Review Process; these objectives ensure the system is appropriately monitored and measured. All objectives are communicated to all staff and include key responsibilities, timescales, and appropriate measures of success.
1.1 It is our Policy to ensure that:
All information and systems will be protected against unauthorized access and disclosure.
Confidentiality of information will be maintained.
Integrity of information is protected from unauthorized modification.
Regulatory and legislative requirements will be met.
Business continuity plans will be maintained and tested (as far as practicable)
All suspected breaches of information security will be reported and investigated.
Adequate prevention and detection of malware is in place.
Information Security Policies are in place to ensure the safe use of our computer and information systems.
Quality products and services are always rendered to customers.
Customers’ needs and expectations are met in line with the agreed service and requirements.
Competent external providers that meet all pre-qualification requirements are engaged.
Optimal internal business processes and customer satisfaction, delight, and retention.
Continually improve the effectiveness of the Service Management System and services.
IMS Policy Statement
“Paga is committed to upholding and enhancing information security, business continuity, and service management operations by implementing an integrated management system to meet and exceed the expectations of its stakeholders while also complying with all applicable regulations and guidelines.”
Setting the Integrated Management Objectives
The high-level objectives for the Integrated Management System within Paga Limited are defined within the document PAGA-IMS-DOC- Context, Requirements and Scope Version1.0. These are fundamental to the nature of the business and are not subject to frequent change.
These overall objectives will be used as guidance in the setting of the lower level, more short-term objectives for planning within an annual cycle timed to coincide with organizational budget planning. This will ensure that adequate funding is obtained for the improvement of activities identified. These objectives will be based on understanding the overall business requirements and how they may change during the year.
Integrated Management objectives will be documented in the PAGA-IMS- DOC- Objectives and Management Plan Version 1.0 for the relevant financial year, with details of a plan for achieving them. Once approved, this plan will be reviewed annually as part of the management review process, at which time the objectives will also be reviewed to ensure that they remain valid. These will be managed through the organizational change management process if amendments are required.
3.1 Top Management Leadership and Commitment
Commitment to the Integrated Management System Objectives extends to senior levels of the organization. It will be demonstrated through this IMS Policy and the provision of appropriate resources to provide and develop the IMS and associated controls.
Top management will also ensure that a systematic review of the program’s performance is conducted regularly to ensure that quality objectives are being met and relevant issues are identified through the audit program and management processes. Management review can take several forms, including departmental and other management meetings.
The Top management shall have overall authority and responsibility for the implementation and management of the Integrated Management System, specifically:
The identification, documentation, and fulfillment of the Integrated Management System Objectives.
Implementation, management, and improvement of risk management processes
Integration of operational processes, procedures, and controls
Compliance with statutory, regulatory, and contractual requirements
Reporting to top management on performance and improvement
3.2 Top Management Leadership and Commitment
Commitment to the delivery of the Integrated Management System extends to senior levels of the organization. It will be demonstrated through this Integrated Management System Policy and the provision of appropriate resources to establish and develop the Integrated Management System.
Top management will also ensure that a systematic review of the program’s performance is conducted regularly to ensure that Integrated Management System objectives are being met and information security, Service Management and Business Continuity issues are identified through the audit program and management processes. Management Review can take several forms, including departmental and other management meetings. Within the field of Integrated Management Systems, several key roles need to be undertaken to ensure the success of the IMS and protect the business from risk.
Paga Top Management is also committed to satisfying the following applicable requirements concerning the IMS:
Ensuring improvement of the information security management systems
Providing necessary human, financial and technological resources to establish and develop an information security management system.
Providing direction and support for information security following business requirements and relevant laws and regulations.
Establishing a management framework to initiate and control the implementation and operation of information security within the organization.
Ensuring that employees and contractors understand their responsibilities and are suitable for their considered roles.
Ensuring that information receives appropriate protection by its importance to the organization.
Ensuring authorized user access and preventing unauthorized access to systems and services.
Making users accountable for safeguarding their authentication information.
Limiting access to information and information processing facilities.
Ensuring proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information in Resident Fintech.
Preventing unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
Ensuring correct and secure operations of information processing facilities.
Ensuring the protection of information in networks and its supporting information processing facilities using technologies.
Ensure that information security is integral to information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
Ensuring the operation of the service management system in the organization.
Operating the SMS, ensuring coordination of the activities and the resources.
Ensuring Control of parties involved in the service lifecycle
Ensuring business relationship management and agreement between parties involve in the service lifecycle.
Budgeting and accounting for services or groups of services in accordance with its financial management policies and processes.
Ensuring effective release and deployment management in the organization.
Ensuring proper incident and problem management within the organization.
Ensuring regular conduct and treatment of risks to service availability.
Conducting business impact analysis and risk assessment.
Establishing business continuity strategies and solutions
Establishing business continuity plans and procedures
Conducting business continuity exercises and testing
Ensuring business continuity evaluation.
3.3 Commitment to Continual Improvement of the IMS
Paga Limited’s policy concerning continual improvement is to:
Continually improve the effectiveness of the IMS
Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001:2022, ISO/IEC 20000:2018 and ISO/IEC 22301:2019
Achieve Certification and maintain it on an ongoing basis.
Review relevant metrics annually to assess whether it is appropriate to change them based on collected historical data.
Obtain ideas for improvement via regular meetings and other forms of communication with interested parties, including cloud service customers.
Review ideas for improvement at regular management meetings to prioritize and assess timescales and benefits.
Ideas for improvements may be obtained from any source, including employees, customers, suppliers, IT staff, risk assessments and service report
