
INFORMATION SECURITY MANAGEMENT
SYSTEM INFORMATION SECURITY POLICY
Purpose, Scope, and Users
The purpose of this Information Security Policy is to define the direction, principles, and rules for the management of information security within Fire Forensics.
This policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document, and ensures the confidentiality, integrity, and availability of all organisational information assets, particularly those related to forensic investigations, client data, and operational services.
Users of this policy include all Fire Forensics employees, contractors, and relevant third parties who access, process, or manage organisational information.
Reference Documents
- ISO/IEC 27001:2022 – Clauses 4.3, 5.2, 5.3, 6.3
- Annex A Controls – A.5.1, A.5.2, A.5.3, A.5.4, A.5.36, A.6.3
- Statement of Applicability
- ISMS Scope Document
- Risk Assessment and Risk Treatment Methodology
- Legal and Regulatory Requirements Register
- Business Continuity Plan
- Access Control Policy
- Change Management Policy
Basic Information Security Terminology
- Confidentiality: Ensuring information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have access to information and assets when required.
- Information Security: The preservation of confidentiality, integrity, and availability of information.
- ISMS: A systematic approach to managing sensitive company information, including people, processes, and systems.
Managing Information Security
Objectives and Measurement
Fire Forensics aims to achieve the following ISMS objectives:
- Maintain the confidentiality and integrity of forensic evidence and reports.
- Achieve full compliance with ISO/IEC 27001:2022 requirements.
- Prevent data breaches and reduce information security incidents to zero reportable cases annually.
- Ensure secure and reliable service delivery for clients.
- Strengthen business reputation and trust with external stakeholders.
- Provide mandatory information security training to 100% of staff each year.
- Improve operational efficiency through secure processes and reduced rework.
Information Security Requirements
The ISMS shall meet all applicable:
- Legal and regulatory requirements
- Privacy and evidentiary obligations under Australian law
- Contractual and service obligations with clients and partners
Fire Forensics maintains a Legal and Regulatory Requirements Register to track these obligations.
Information Security Controls
Controls are selected and justified using the Risk Assessment and Risk Treatment Methodology. These are documented in the Statement of Applicability and address both technical and organisational measures.
Segregation of Duties
Although Fire Forensics is a small business with a flat structure, duties are segregated where practical. Key responsibilities (e.g., change approval, evidence handling, and access management) are allocated to separate individuals or reviewed by the Disaster Recovery Team (DRT) or Managing Director to reduce risk.
The Access Control Policy governs role-based access and ensures appropriate separation of duties across forensics and administrative roles. Any access or role changes are subject to review and documented approval.
Responsibilities
Role - Responsibility:
Top Management - Provides leadership and strategic direction, and ensures resources are available for the ISMS. Reviews system performance during management reviews.
General Manager (ISMS Practice Manager) - Owns the ISMS. Responsible for the implementation, coordination, continual improvement, and effectiveness of the ISMS. Maintains ISMS documentation and ensures compliance with ISO/IEC 27001:2022.
Managing Director - Provides executive oversight. Approves key ISMS policies, supports incident response decisions, and participates in reviews and planning where required.
E-Nerds (MSP) - Manages Fire Forensics’ IT Infrastructure and services. Implements changes approved by the General Manager and reports on issues that could affect information security.
All Employees - Must follow all security policies and procedures. Report any security incidents, breaches, or weaknesses immediately to management.
Asset Owners - Responsible for the classification, protection, and appropriate use of the information assets assigned to them.
External Parties - Must comply with Fire Forensics’ information security policies and any relevant contractual agreements (e.g., NDAs, data handling clauses).
Policy Communication
The ISMS Policy will be communicated to:
- All employees during onboarding and annually via awareness programs
- All external parties via contractual requirements and operational onboarding
- Stakeholders and auditors as part of compliance evidence
The Managing Director is responsible for ensuring all individuals understand their information security obligations.
Support for ISMS Implementation
Fire Forensics’ Top Management commits to providing the necessary resources for the implementation, operation, monitoring, review, and continual improvement of the ISMS. This includes budget, personnel, time, and support from third-party providers.
Information security is integral to the company’s operational model, particularly given its responsibility for managing sensitive client data and evidence.
Validity and Document Management
This policy is valid as of 3 July 2025.
The owner of this document is the ISMS Practice Manager, who must check and, if necessary, update the document at least once a year. Changes in document ownership must be declared in the changelog.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- Number of employees and external parties who have a role in the ISMS but are not familiar with this document.
- Non-compliance of the ISMS with the laws and regulations, contractual obligations, and other internal documents of the organisation.
- Ineffectiveness of ISMS implementation and maintenance.
- Unclear responsibilities for ISMS implementation.