Information Security Policy
Document Number: ISMS-POL-ISP-01
Classification: L1 — Policy (Master)
Version: 0.1.4
Effective Date: February 18, 2026
Author: Lucas Shin — Security Director
Approved By: Richard Williams — CISO
Next Review Date: February 2027
1. Purpose
This document is the top-level Information Security Policy for Cybercraft. It defines the overarching security principles, governance structure, and policy framework that guide all information security activities across the organisation.
All subordinate documents in the ISMS (domain policies, L2 standards, L3 procedures and L4 guidelines) derive their authority from this document.
2. Scope
2.1 Organisational Scope
This policy applies to:
- Cybercraft and all its business operations, services, and outputs
- All personnel — including employees, contractors, temporary staff, and any other individuals with access to Cybercraft information or systems — regardless of employment type
- All information assets — digital, physical, and intellectual property
2.2 Technical Scope
- All Microsoft 365 tenants operated by or on behalf of Cybercraft (including cross-tenant relationships with Techtype and HVT)
- All devices used to access Cybercraft data, whether corporate-owned or personally-owned (BYOD)
- All third-party SaaS tools and cloud services used for business operations
2.3 Regulatory & Standards Alignment
This ISMS is designed to align with:
- ISO/IEC 27001:2022 — Information Security Management System
- ACSC Essential Eight — as a consulting delivery framework for clients
- SOC 2 Type II — Trust Services Criteria (where applicable)
2.4 Security Standards Framework — Base Reference
This ISMS is derived from Cybercraft's Security Standards Framework, which defines two security profiles:
- COM Profile (Commercial Compliance): Risk-adaptive controls aligned with ISO 27001, SOC 2, and APRA CPS 234 for commercial environments.
- DEF Profile (Defence & National Security): Prescriptive controls aligned with ACSC Essential Eight ML2 and NIST SP 800-171/CMMC for defence and national security environments.
Cybercraft operates under the COM Profile. All domain policies, L2 standards and L3 procedures in this ISMS implement COM Profile requirements, tailored to Cybercraft's specific organisational context and technical environment.
3. Information Security Principles
All security decisions across Cybercraft shall be guided by the following principles:
3.1 Zero Trust
Never trust, always verify. Access to corporate data is granted based on verified identity, device compliance, and contextual conditions — not network location or device ownership.
3.2 Platform = Policy
The Microsoft 365 platform structure itself serves as the primary mechanism for access control, data classification, and data segregation. Teams structure, licensing tiers, and Entra ID configuration are the implementation of security policy — not separate from it.
3.3 Least Privilege
Users are granted the minimum level of access required to perform their role. Access is controlled through a combination of:
- Licence tier assignment (determines available services)
- Teams membership and role (determines data access within services)
- Conditional Access policies (determines access conditions)
3.4 Proportionality
Security controls are proportionate to the size, nature, and risk profile of Cybercraft as a 3–5 person SMB. Policies are designed to be practical and operationally sustainable without dedicated security operations staff.
3.5 Defence in Depth
No single control is relied upon. Security is enforced through layered controls — identity verification, device compliance, application-level protection, and data-level restrictions.
4. Governance Structure
4.1 Roles and Responsibilities
| Role | Person | Responsibilities |
|---|---|---|
| Group Chairman | Jeff Herbert | Group-level strategic oversight, cross-entity coordination between Cybercraft, Techtype, and HVT |
| CEO | Farah Herbert | Executive sponsor of ISMS, final authority on business risk acceptance, resource allocation for security initiatives |
| CISO | Richard Williams | Policy approval, risk acceptance, annual management review, strategic security direction |
| Security Director | Lucas Shin | Policy development and maintenance, security architecture design, technical implementation, compliance monitoring, incident coordination |
| All Personnel | All staff | Comply with all applicable policies and procedures, report security incidents, complete security awareness requirements |
4.2 Management Review
- Annual: Full ISMS review including policy effectiveness, risk assessment update, and improvement actions
- Quarterly: Exception register review, incident trend analysis, policy compliance check
- Ad-hoc: Triggered by significant security incidents, organisational changes, or regulatory updates
5. Policy Framework — Document Hierarchy
The Cybercraft ISMS follows a four-level document hierarchy (L1 Policy → L2 Standard → L3 Procedure → L4 Guideline) derived from the Security Standards Framework:
L1 Policy (Master) — This document. Applies the COM Profile to Cybercraft and defines principles, governance, and policy scope.
L1 Policy (Domain) — Domain-specific policies. Define requirements and controls for specific security domains.
L2 Standard — Measurable criteria and baseline definitions for specific domains.
L3 Procedure — Operational procedures. Define step-by-step implementation details under each domain policy.
L4 Guideline — User and administrator manuals and guidance documents.
5.1 Domain Policies
| ID | Policy | Scope | Status |
|---|---|---|---|
| P1 | M365 Workspace & Access Policy | Licence-tier-based access control, Teams structure design (L1/L2/L3), channel-based data segregation, Conditional Access (CA) and Mobile Application Management (MAM) per platform, admin rights | 📝 Draft — M365 Workspace & Access Policy (ISMS-POL-M365-01), pending review |
| P2 | BYOD Security Policy | Personal device enrolment, compliance, app protection, non-managed app controls, patching, monitoring, incident response | ✅ Complete — BYOD Security Policy (ISMS-POL-BYOD-01) |
| P3 | Application & Data Governance Policy | Data context isolation, app account governance, ID governance (SSO/Federation/Sprawl), AI data sovereignty, technical roadmap | ✅ Complete — Application & Data Governance Policy (ISMS-POL-ADG-01) |
| P4 | Human Resource Security Policy | Hiring verification, security awareness, NDA, termination/offboarding | ✅ Complete — Human Resource Security Policy (ISMS-POL-HR-01) |
| P5 | Supplier & Third-Party Policy | SaaS tool security assessment, AI service evaluation, partner/subcontractor requirements, data sharing controls, cross-tenant security | ✅ Complete — Supplier & Third-Party Security Policy (ISMS-POL-STP-01) |
| P6 | Communications & Media Policy | YouTube/e-book content security review, public disclosure controls, brand protection | ✅ Complete — Communications & Media Security Policy (ISMS-POL-COM-01) |
| P7 | Business Continuity Policy | Key person risk, backup strategy, emergency contacts, disaster recovery | ✅ Complete — Business Continuity Policy (ISMS-POL-BCP-01) |
| P8 | Asset Management & Information Classification Policy | Information asset inventory, ownership, classification scheme, acceptable use, return of assets, media handling | ✅ Complete — Asset Management & Information Classification Policy (ISMS-POL-ASM-01) |
| P9 | Incident Management Policy | Incident classification, detection, triage, containment, evidence collection, post-incident review (lessons learned), external notification | ✅ Complete — Incident Management Policy (ISMS-POL-INC-01) |
| P10 | Document Management Policy | Document classification framework (4-purpose), Doc ID scheme, L-hierarchy definition, document governance (approval, review, retention) | 📝 Draft — Document Management Policy (ISMS-POL-DCM-01), pending review |
5.2 L3 Procedures (under P2)
| ID | Procedure | Parent Policy |
|---|---|---|
| BYOD-PROC-01 | Device Lifecycle Procedure | P2 |
| BYOD-PROC-02 | Patch Management Procedure | P2 |
| BYOD-PROC-03 | Access Control & Data Protection Procedure | P2 |
| BYOD-PROC-04 | Monitoring & Incident Response Procedure | P2 |
6. Risk Management
6.1 Risk Assessment
Cybercraft shall conduct a formal risk assessment:
- Annually as part of the management review cycle
- Upon significant change (new client engagement, platform migration, personnel change)
- Using a methodology that considers likelihood × impact to prioritise treatment
6.2 Risk Treatment
Identified risks shall be treated through one of:
- Mitigate — implement controls (preferred)
- Accept — documented risk acceptance by CISO with rationale
- Transfer — insurance or contractual transfer
- Avoid — discontinue the activity
All risk treatment decisions shall be documented and reviewed quarterly.
7. Security Incident Management
All personnel are required to:
- Report suspected security incidents to the Security Director within 24 hours
- Preserve evidence and avoid actions that may compromise investigation
- Cooperate with incident investigation and remediation activities
Incident classification, triage, containment, evidence collection and external notification requirements are defined in the Incident Management Policy (ISMS-POL-INC-01). Detailed response steps are defined in the relevant L3 procedures under each domain policy (for example, BYOD-PROC-04 Monitoring & Incident Response Procedure).
8. Compliance & Enforcement
8.1 Compliance Monitoring
- Technical compliance is monitored through Intune compliance policies, Entra ID sign-in logs, and Conditional Access reports
- Policy compliance is reviewed through quarterly management reviews
8.2 Non-Compliance
- Non-compliance is escalated to the CISO
- Repeated or wilful non-compliance may result in disciplinary action, up to and including termination
- All non-compliance incidents are logged and reviewed as part of the quarterly exception register review
9. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-02-18 | Lucas Shin | Initial release — established ISMS Level 1 policy and 6-policy Level 2 framework |
| 0.1.1 | 2026-02-19 | Lucas Shin | Added §2.4 Security Standards Framework Base Reference with COM/DEF Profile definitions. |
| 0.1.2 | 2026-02-20 | Lucas Shin | L2 policy reordering: Infrastructure (P1) → Access (P2) → App/Data (P3) → People (P4) → External (P5) → Communications (P6) → Emergency (P7). Added P3 Application & Data Governance Policy. Updated all document numbers and cross-references. |
| 0.1.3 | 2026-02-20 | Lucas Shin | Added P8 Asset Management & Information Classification Policy (ISMS-POL-ASM-01) and P9 Incident Management Policy (ISMS-POL-INC-01) to L2 policy framework. Total L2 policies: 9. |
| 0.1.4 | 2026-03-03 | Lucas Shin | Added P10 Document Management Policy (ISMS-POL-DCM-01). Total domain policies: 10. |
9.1 Review Schedule
- Annually: Full policy review aligned with ISMS management review
- Ad-hoc: Upon significant organisational, technical, or regulatory changes
[End of Policy Document]