Information Security Management System (“ISMS”) Policy

Company Name: FDJ Ecommerce LTD
Policy Owner: CEO
Effective Date: 12 September 2023

Purpose

This policy provides a framework to be applied when establishing, implementing, maintaining, and continually improving the information security management system (“ISMS”), as defined in 01-ISMS Scope of the ISMS, in accordance with the requirements of the ISO/IEC 27001 (“ISO 27001”) standard.

Information Security Objectives

Information security objectives are set and monitored annually by FDJ Ecommerce LTD's ISMS Governance Council based upon a clear understanding of business requirements. The current information security objectives are as follows:

  • Protect the confidentiality, availability, and integrity of company, customer, and employee data
  • Comply with applicable laws, regulations, and customer contractual obligations
  • Achieve and maintain ISO 27001 certification

Action plans to achieve these objectives are maintained and reviewed annually by the ISMS Governance Council. Refer to 10-ISMS Information Security Objectives Plan for further details. 

Leadership and Commitment

FDJ Ecommerce LTD is dedicated to establishing, implementing, maintaining, and continually improving the ISMS. Leadership commitment is demonstrated by the ISMS Governance Council when carrying out their responsibilities as defined in the 03-ISMS Roles, Responsibilities, and Authorities document.

Roles, Responsibilities and Authorities

FDJ Ecommerce LTD has defined the roles, responsibilities, and authorities involved in establishing, implementing, maintaining, and continually improving the ISMS. FDJ Ecommerce LTD has also defined how performance and competence will be measured and how competency gaps will be addressed. For further details, please refer to the 03-ISMS Roles, Responsibilities, and Authorities document.

Approach to Assessing and Treating Risk

FDJ Ecommerce LTD has defined a Risk Assessment and Risk Treatment Process for identifying, analyzing, treating, and monitoring risks over time. For further details, please refer to the 04-ISMS Risk Assessment and Risk Treatment Process document.

Control of Documented Information

FDJ Ecommerce LTD has defined a procedure for the control and protection of documented information. For further details, please refer to the 05-ISMS Procedure for the Control of Documented Information document.

Communication

This and other relevant information security policies will be communicated to all in-scope personnel at least annually after review and approval, or after any significant changes occur to the policy. The policy is made available in Vanta and is accessible to all FDJ Ecommerce LTD personnel. For further details, please refer to the 06-ISMS Information Security Communication Plan document.

Internal Audit

FDJ Ecommerce LTD performs internal audits of its ISMS annually and has defined an ISMS Internal Audit Procedure. For further details, please refer to the 07-ISMS Procedure for Internal Audits document.

Management Review

FDJ Ecommerce LTD has defined an ISMS Management Review Procedure consisting of the necessary inputs and outputs to ensure that the company's ISMS is operating effectively, as intended, and is continually improving. For further details, please refer to the 08-ISMS Procedure for Management Review document.

Corrective Action and Continual Improvement

FDJ Ecommerce LTD has defined an ISMS Corrective Action and Continual Improvement Procedure to be followed when non-conformities are identified. Non-conformities may be identified during internal audits, external audits, management reviews, or ongoing monitoring of the ISMS. For further details, please refer to the 09-ISMS Procedure for Corrective Action and Continual Improvement document.

Policy Violation

All FDJ Ecommerce LTD personnel (including employees, contractors, and applicable third parties) must maintain the security, confidentiality, availability, integrity, and privacy of FDJ Ecommerce LTD assets. Violations of ISMS policies and procedures may be considered serious breaches of trust, which can result in disciplinary action up to and including termination of employment or contract and prosecution in accordance with applicable laws.

ISO 27001 Coverage

ISO 27001 4.1; 4.2; 4.3; 5.1

Version History

Version  Date           Description     Author  Approved by
1.0      1 August 2023  Initial policy  COO     CEO