ISO 27001:2022

Information Security Policy

Comprehensive Information Security Management System (ISMS) policy governing the protection of information assets, risk management, and security controls across CUI Labs operations.

Policy Owner: CISO

Approved By: CEO / Board

Effective Date: Q2 2026+

Review Cycle: Annual

1. Policy Statement

CUI Labs is committed to protecting the confidentiality, integrity, and availability of all information assets under our control. This Information Security Policy establishes the framework for our Information Security Management System (ISMS) in accordance with ISO 27001:2022 requirements.

Information security is fundamental to our business operations, customer trust, and regulatory compliance. We recognize that information assets are critical business resources that must be protected from unauthorized access, disclosure, modification, destruction, or disruption.

Scope: This policy applies to all CUI Labs employees, contractors, third-party service providers, and any individual or system with access to CUI Labs information assets, regardless of location or employment status.

2. Information Security Objectives

CUI Labs establishes the following strategic information security objectives:

Protect Customer Data

Safeguard customer data and intellectual property through defense-in-depth security controls and encryption

Ensure Business Continuity

Maintain operational resilience with <4hr RTO and <1hr RPO for critical systems

Regulatory Compliance

Comply with legal, regulatory, and contractual obligations (PDPA, GDPR, MAS TRM, MiCA)

Maintain Trust

Preserve customer, partner, and stakeholder trust through transparent security practices

3. Governance & Accountability

Chief Information Security Officer (CISO)

  • Overall accountability for ISMS implementation and effectiveness
  • Report security posture and incidents to executive leadership and Board
  • Approve security policies, standards, and risk treatment decisions
  • Lead incident response and security awareness programs

Management Responsibilities

  • Ensure adequate resources for information security
  • Integrate security into business processes and decision-making
  • Conduct quarterly management reviews of ISMS performance

Employee Responsibilities

  • Complete annual security awareness training (mandatory)
  • Report security incidents within 1 hour of discovery
  • Comply with acceptable use policy and security procedures
  • Protect credentials and access tokens (no sharing)

4. Risk Management

CUI Labs employs a risk-based approach to information security, ensuring that security controls are proportionate to identified risks and aligned with business objectives.

Risk Management Process

Risk Assessment

  • Annual comprehensive risk assessment
  • Quarterly risk register reviews
  • Event-driven assessments (new systems, threats)
  • 5x5 risk matrix (likelihood × impact)

Risk Treatment

  • Avoid: Eliminate risk source
  • Reduce: Implement controls
  • Transfer: Insurance, contracts
  • Accept: Documented justification (CISO approval)

Risk Appetite: CUI Labs has a low risk appetite for security incidents affecting customer data, regulatory compliance, or business continuity. All high and critical risks require executive approval and documented treatment plans.

See Risk Management Framework for detailed methodology.

5. Security Controls Framework

CUI Labs implements a comprehensive set of security controls aligned with ISO 27001:2022 Annex A, NIST Cybersecurity Framework, and CIS Controls v8.

Organizational Controls (ISO 27001 Annex A.5)

  • Information security policies and procedures
  • Information security roles and responsibilities
  • Segregation of duties and least privilege access
  • Asset inventory and classification
  • Supplier security and third-party risk management

People Controls (ISO 27001 Annex A.6)

  • Background screening for sensitive roles
  • Security awareness training (annual, mandatory)
  • Disciplinary process for security violations
  • Secure termination procedures

Physical Controls (ISO 27001 Annex A.7)

  • Physical access controls (badge, biometric)
  • Secure areas for sensitive equipment
  • Equipment disposal and media sanitization
  • Clear desk and clear screen policy

Technological Controls (ISO 27001 Annex A.8)

  • Zero-trust network architecture
  • Multi-factor authentication (MFA) for all access
  • Encryption at rest and in transit (AES-256, TLS 1.3)
  • Post-quantum cryptography (ML-KEM, ML-DSA, SLH-DSA)
  • Vulnerability management and patching (14-day SLA)
  • Security logging and monitoring (SIEM, 90-day retention)
  • Backup and recovery (daily backups, monthly testing)

See Statement of Applicability for complete control mapping.

6. Incident Management

CUI Labs maintains a 24/7 Security Operations Center (SOC) and formal Incident Response Plan (IRP) to detect, respond to, and recover from security incidents.

Incident Response Process

Phase, target timeline, and key activities:

  1. Detection: Real-time (SIEM, EDR, alerts)
  2. Triage: <15 min (severity classification)
  3. Containment: <1 hr (isolate affected systems)
  4. Eradication: Varies (remove threat)
  5. Recovery: <4 hr (restore operations)

Breach Notification Requirements

  • PDPA (Singapore): Notify PDPC within 3 calendar days of assessment
  • GDPR (EU): Notify DPA within 72 hours; affected individuals without undue delay
  • Customers: Notify affected customers within 24 hours of confirmation

Incident Reporting: All employees must report suspected security incidents to security@cuilabs.io within 1 hour of discovery.

7. Business Continuity

Information security is integrated with business continuity planning to ensure resilience against disruptions.

Recovery Objectives

  • RTO (Recovery Time Objective): <4 hours
  • RPO (Recovery Point Objective): <1 hour
  • Daily automated backups (encrypted)
  • Monthly disaster recovery testing

Resilience Measures

  • Multi-region infrastructure (3+ regions)
  • Automated failover capabilities
  • Redundant critical systems (N+1)
  • Alternative work arrangements (remote)

See Business Continuity Policy for detailed plans.

8. Compliance & Audit

CUI Labs maintains compliance with applicable legal, regulatory, and contractual requirements through continuous monitoring and independent audits.

Internal Audit Program

  • Annual comprehensive ISMS audit (all controls)
  • Quarterly targeted audits (high-risk areas)
  • Independent auditors (no conflicts of interest)
  • Audit findings tracked with remediation deadlines

External Certifications

  • CSA STAR Level 1 (current)
  • ISO 27001:2022 (in progress)
  • ISO 22301 (in progress)

Management Review

Executive management conducts quarterly ISMS reviews covering:

  • Security incidents and trends
  • Audit findings and corrective actions
  • Risk register changes
  • Performance metrics and KPIs
  • Opportunities for improvement

9. Training & Awareness

Security awareness is critical to our defense-in-depth strategy. All personnel receive regular training appropriate to their role and responsibilities.

General Security Awareness

  • Annual mandatory training (all staff)
  • Phishing simulations (quarterly)
  • Security newsletters and alerts
  • Incident reporting procedures
  • Password and MFA best practices

Role-Specific Training

  • Developers: Secure coding, SAST/DAST
  • Operations: Incident response, forensics
  • Security: Advanced threat hunting, OSCP
  • Management: Risk management, compliance
  • All: Data classification and handling

10. Policy Review & Updates

This policy is reviewed annually or following significant changes to the threat landscape, regulatory environment, or business operations.

Review Triggers

  • Annual scheduled review (minimum)
  • Significant security incidents
  • New regulatory requirements
  • Major business or technology changes
  • Audit findings or recommendations

Version Control: All policy changes are tracked with version numbers, approval dates, and change summaries. Previous versions are archived for audit purposes.

11. Enforcement & Consequences

Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may involve legal action where applicable.

Violation Examples

  • Unauthorized access to systems or data
  • Sharing credentials or access tokens
  • Bypassing security controls
  • Failure to report security incidents
  • Intentional introduction of malware
  • Unauthorized data exfiltration

Reporting Violations: Suspected policy violations should be reported to security@cuilabs.io or through the confidential ethics hotline.

12. Related Policies & Documents

Policy Acknowledgment

All employees and contractors are required to read, understand, and acknowledge this Information Security Policy as part of onboarding and annually thereafter.

Document ID: POL-SEC-001

Version: 1.0

Classification: Internal