Information Security Policy
Vip District LTD., a company that is part of Epassi Group OY (hereinafter “Epassi”), has adopted Epassi’s security commitments as its own and fully endorses the following Policy:
Information security is an important aspect of the security system because information is a core element of Epassi's daily operations. Epassi has established and developed its Information Security Management System based on relevant standards and best practices. Epassi holds a certificate against the ISO/IEC 27001:2022 standard, which covers the companies within the group.
This policy describes the minimum requirements set for information security at Epassi. All planning and implementation regarding information security must align with this policy. Further policies and procedures can be created to support the implementation of this policy.
The purpose of this policy is to describe and establish the guidelines for ensuring safe and compliant information processing as well as ensuring the protection of vital Epassi resources and assets.
This policy applies and shall be communicated to all Epassi employees. Misconduct against this policy is subject to disciplinary action.
Scope
This policy applies to the whole Epassi organization and its group companies.
Objectives
The primary objectives for this policy are:
- To ensure the confidentiality, integrity and availability of all information processed and owned by Epassi.
- To mitigate information security risks and ensure business continuity.
- To ensure that all employees are aware of their role related to information security at Epassi.
- To ensure compliance with relevant laws, regulations and standards impacting information security at Epassi.
- To continue to deliver its services within a secure environment.
Roles and Responsibilities
The CEO is ultimately responsible for Epassi’s information security. The CEO, together with the Leadership Team, reviews and approves this policy.
The Extended Group Leadership Team supports the information security work at Epassi and ensures that Epassi has functioning information security. The Leadership Team provides the resources needed to meet the objectives set for information security. The Leadership Team communicates the importance of this document to all employees. The Leadership Team approves this policy together with the CEO.
Reporting Managers ensure that security practices are used on a daily basis by the employees in their respective areas of responsibility.
The Compliance Officer is responsible for privacy-related matters such as personal data processing in compliance with relevant laws and regulations.
The Security Organization creates the requirements, principles, and standards for information security. The Security Organization is assisted by security experts when necessary. The IT Manager is in charge of information security. The Security Manager is in charge of establishing and maintaining the security standards and practices as described in this policy. Both the IT Manager and the Security Manager are responsible for carrying out continuous improvement of information security.
All employees are committed to this policy as well as other policies and procedures supporting it. Every employee has the obligation to inform the relevant responsible party if any deficiencies, risks and/or abuses related to Epassi’s information security are identified, as well as to participate in annual information security training.
Information Security Operations
Risk Management
Information security risks are assessed regularly at Epassi in accordance with a documented Risk Management Policy and instructions supporting the process. Besides regular risk management, risks are also assessed on an as-needed basis. The Risk Management Policy is reviewed annually and changes are made based on the results of the review.
Information Classification and Processing
Epassi classifies all information processed and owned by the organization based on legislative and regulatory requirements as well as the information’s criticality and value to Epassi’s operations. More specific security controls for the processing of information are designed based on the classification.
Access Rights Management
Access rights management follows a documented process. The key principle for access rights management at Epassi is that every created and existing access should be based on an evaluated and verified need. Access rights are reviewed regularly.
Training and Awareness
By training employees, Epassi ensures that they understand and commit to Epassi’s information security policies and are aware of the agreed processes. Security training is arranged at least annually. All employees are obliged to participate in training. The completion rate of training is tracked.
Besides annual training, Epassi arranges task-specific training to selected groups where relevant.
Continuous Development
Information security is reviewed regularly, both internally and externally. Internal reviews are based on planned processes, such as Year Clock and Metrics. For external review, Epassi is subject to annual audits against ISO/IEC 27001:2022. In addition to annual audits, additional security audits and testing are used to cover the whole of Epassi’s ISMS.
All employees have the obligation to inform the relevant responsible parties if any deficiencies and/or abuses related to information security at Epassi are identified.
Business Continuity Planning and Incident Response
Epassi has documented plans in place to ensure its continuity and swift response in case of incidents. The Business Continuity Plan guides the measures to be taken to ensure the recovery or restoration of Epassi’s functions after a disruptive event occurs. The Incident Response Plan guides the swift process to be used in case of a disruptive event, from identification to management.
Approval and Review
This Information Security Policy was approved by the Leadership Team on 11.2.2025.
This Information Security Policy shall be reviewed annually as well as during relevant changes impacting the guidelines set in this policy. The reviewed and updated policy shall be approved by the Leadership Team.
Version History
| Version | Date | Description |
| --- | --- | --- |
| 1.0 | 9.4.2021 | First approved version. |
| 1.01 | 24.2.2022 | Content updated to match current status. Updates reviewed and approved by Leadership Team. |
| 1.02 | 13.2.2023 | Content reviewed, updated language. |
| 1.03 | 21.5.2024 | Content reviewed. |
| 1.04 | 17.9.2024 | Content updates according to ISO 27001:2022 version. |
| 1.1 | 15.1.2025 | Certification status update. |
| 2.0 | 11.2.2025 | Approved by Extended Leadership Team. |

