DECLARATION
by the Management of AVVI Ltd. regarding:
Information Security Policy
Based on a company-developed and rented information environment, AVVI Ltd. provides insurance services to counterparties and end customers with professionally guaranteed quality and security.
The provision of insurance services that meet the requirements of the companies’ clients is a key factor for the successful business of AVVI Ltd.
Our desire and strategic goal is to meet the needs and expectations of our current and potential clients related to the insurance services we provide.
Considering the importance of information security and personal data protection, the management of AVVI Ltd. is committed to:
- developing and implementing information security policies, and objectives for their achievement, in full compliance with the vision for the organization’s growth;
- creating conditions for full, comprehensive integration of the Information Security Management System into the processes running in the organization;
- providing all necessary resources for the design, implementation, operation, monitoring, review, maintenance and upgrade of the Information Security Management System (ISMS), in compliance with the requirements of the international standard EN ISO/IEC 27001:2017;
- promoting the importance of efficient management of the Information Security System and compliance with its requirements, by developing and implementing mechanisms that support and encourage employees to contribute to improving its effectiveness;
- strengthening the company’s leading role and position in the process of continuous improvement of the Information Security Management System.
The company’s Information Security Management System shall have the following scope:
Security of company and client strategic business information, including financial, legal, economic and project information; protection of personal data of employees, clients and service providers of the organization, in connection with the insurance and consultant services and products the company provides.
The Information Security Management System shall aim to create conditions for protection of the information and processed personal data in terms of:
- Availability
Data processed and stored by AVVI Ltd. and related information shall be available and accessible for use only to authorized persons, whenever necessary.
- Integrity
AVVI Ltd. provides protection in terms of the integrity and completeness of the information that is processed, stored and exchanged in the organization, as well as of the processing methods, in order to prevent deliberate, accidental, partial or full destruction or unauthorized modification of data in electronic and non-electronic form.
- Confidentiality
The information that is processed and stored by AVVI Ltd. shall only be shared with or disclosed to authorized individuals.
- Personal data protection and privacy of natural persons
The company's personal data protection policy is fully compliant with the Personal Data Protection Act and the EU regulations (Regulation EU 2016/679 - General Data Protection Regulation).
The management of AVVI Ltd. declares its intention and commitment to maintain the objectives and principles of information security and personal data protection in compliance with the vision and business goals of the organization.
An iterative approach shall be applied to the identification and assessment of information security risks and the possibility of their occurrence, taking into consideration changes in the security requirements, the risk environment and risk prioritization.
AVVI Ltd. has defined and established criteria for risk acceptance in accordance with the nature of its business activity, technical capabilities, the regulatory requirements, and financial, social and human factors. The identified risks shall be addressed by applying appropriate control mechanisms in line with EN ISO/IEC 27001:2017, Annex A.
The regulatory requirements regarding the Information Security Management System are determined in line with the following legislation: the Personal Data Protection Act, the Insurance Act, the Anti-Money Laundering Act, the Cybersecurity Act, the Electronic Document and Electronic Signature Act, the Accountancy Act, the Classified Information Protection Act, the Copyright and Related Rights Act, the Electronic Commerce Act, the Electronic Communications Act, the Competition Protection Act and the Disaster Protection Act, the European Union regulations and directives, as well as the international standard EN ISO/IEC 27001:2017.
In order to implement this Information Security Policy and ensure functioning of the Information Security Management System, AVVI Ltd. has appointed an Information Security (ISMS) Manager and has set up an Information Security Board.
The employees of AVVI Ltd. are obliged to comply with all rules related to information security and personal data protection, described in procedures, policies, instructions and other documents of the Information Security Management System.
The Information Security Policy stipulates that disciplinary action shall be taken against those who violate its regulations and provisions.
This Information Security Policy shall be reviewed periodically, and not less than once a year, to ensure its relevance, adequacy and effectiveness, and also in cases of significant changes in the organizational environment, the business circumstances, the applicable legislation and the technical environment.
The Information Security Policy is disclosed to all employees of AVVI Ltd., as well as to all interested third parties.
Manager of AVVI Ltd.
Michael Antonov
Sofia
May 30th, 2019