As defined by The Constitution, implementing a standardized Information Security Management System (ISMS) according to ISO/IEC27001, adhering to contracts and following legal requirements is mandatory for our business success in the markets we serve.

<aside> 💡 The board of OX sponsors and fully supports establishing, implementing, maintaining and continually improving this Information Security Management System (ISMS).

</aside>

To achieve that we implement a security program and a related CISO role that formally reports directly to the board of OX. This role has the responsibility, ability and authority to guide, review and report on the performance of the ISMS implementation of each Cell and the entire organization.

While the board of OX maintains ownership and ultimate formal accountability for the ISMS, it directs responsibility for the implementation of policy and selection of specific controls to employees of Open-Xchange Group, regardless of location, employment model or rank, and their respective Cells. Cells are required to participate in Audits to provide evidence of a successful implementation of the ISMS.

The ISMS has been documented in Confluence and contains the default set of policy and controls. All OX employees are required to apply Information Security in accordance with the established policy, controls, topic-specific standards and cell-specific procedures.

Requirements

While detailed requirements are defined at the ISMS, the requirements for cells include:

• Understand, implement and review policy and control requirements of ISO/IEC27001
• Perform background checks for employees and external staff
• Secure the onboarding and offboarding process for personnel
• Provide awareness, qualification and training related to Information Security topics
• Perform disciplinary action in case employees fail to implement Information Security requirements
• Implement and enforce information classification rules
• Manage information assets and systems, including procurement and secure disposal
• Supplier management and monitoring
• Information Security Risk management, Business Impact Analysis and Business Continuity Management
• Physical security for offices, datacenters and mobile work environments
• Logical access control, reviews and revocation
• Implementing applicable legal requirements like deletion periods and record keeping
• Manage and implement value-stream and customer-specific security requirements
• Define a person as point of contact for Information Security matters related to the cell
• Implement and document cell-specific Information Security procedures
• Report and escalate Information Security events to the CISO
• Produce evidence for continuous implementation of Information Security requirements
• Participate in Internal Audits and External Audits to demonstrate compliance

Implementation of those requirements may be pulled from other cells, however, the responsibility to fulfil the requirement remains with the cell at all time.