Information Security Policy
1. Purpose, Scope, and Users
This document defines the organization's information security policy and thus the overarching goal of the Information Security Management System (ISMS). It outlines the purpose, orientation, foundations, and general regulations for the ISMS.
The policy applies to the entire ISMS within the defined scope.
Users of this document include all employees of the organization and relevant third parties.
2. Information Security Terms
The following terms are used in this document with the meanings given below:
- Confidentiality: The property that information is not made accessible or disclosed to unauthorized persons, entities, or processes.
- Integrity: The property of accuracy and completeness of information.
- Availability: The property that information is accessible and usable by an authorized entity when needed.
- Information Security: Preservation of confidentiality, integrity, and availability of information.
- Information Security Management System (ISMS): A management process dealing with planning, implementation, maintenance, review, and improvement of information security.
3. Importance of Information Security
3.1 Business Objectives
Theobald Software GmbH aims to support companies in the secure, efficient, and reliable integration of SAP data into various target systems and environments.
Key priorities include ensuring high data availability for business-critical processes and protecting the confidentiality of sensitive corporate data throughout the data flow.
A central concern is ensuring data integrity to provide error-free, consistent, and traceable information for informed decision-making.
Solutions should be robust against security threats and adaptable to changing business requirements.
To achieve these goals, the ISMS is continuously aligned with the company's strategic direction, including setting and pursuing specific information security objectives in accordance with ISO/IEC 27001, in particular:
- Minimizing security risks during data integration
- Maintaining system operability (availability)
- Ensuring confidentiality of customer and business data
- Preventing data loss and manipulation (integrity)
3.2 Relevant Requirements and Interested Parties
Key requirements to be met include:
- Customer requirements
- Contractual requirements
- Legal requirements
The ISMS primarily aims to meet the needs and expectations of:
- Customers
- Legislators
3.3 Information Security
Information security is of high importance in line with the business objectives of Theobald Software GmbH.
ISMS goals are derived from the business strategy described in Chapter 3.1 Business Objectives as well as from the relevant requirements and interested parties identified in Chapter 3.2 Relevant Requirements and Interested Parties.
Information security is crucial for Theobald Software GmbH to ensure the integrity, availability, and confidentiality of SAP data and enable secure integration into various target environments.
Additional ISMS goals include:
- Ensure compliance with applicable laws, regulations, and contractual obligations, in particular with respect to data protection (e.g., GDPR), the IT Security Act, industry-specific standards, and international norms such as ISO 27001, in order to mitigate legal risks and avoid potential penalties.
- Mitigate the impact of information security incidents, such as data loss, unauthorized access, or system outages, by implementing preventive and responsive measures that minimize risks and enable rapid recovery of affected systems.
- Maintain and continually enhance the organization’s reputation and customer trust, by promoting sustainable business relationships with customers and partners through a demonstrably secure and reliable product environment.
3.4 ISMS Objectives
Key ISMS objectives include:
- Fulfillment of all requirements of ISO/IEC 27001, in particular successful (re)certification.
- Implementation and regular delivery of ISMS training and awareness programs to enhance information security competence across all employees.
- Keeping the organization's overall information security risk at or below the level "medium."
ISMS objectives shall be documented and their achievement monitored in accordance with Chapter 3.5 Planning and Reviewing ISMS Objectives.
3.5 Planning and Reviewing ISMS Objectives
Planning how ISMS objectives will be achieved must include measures, resources, responsibilities, timelines, and evaluation methods. These aspects must be documented. ISMS objectives and their fulfillment are reviewed annually. The Information Security Officer is responsible for conducting the review, analyzing results, and preparing a report for management.
3.6 Information Security Measures
The organization commits to meeting applicable information security requirements as defined in ISMS-specific policies and ISO/IEC 27001. Appropriate security measures (controls) are identified, defined, and reviewed within the risk management framework.
Applicable measures, their implementation status, and any exceptions are documented in the Statement of Applicability (SOA).
The Information Security Officer is responsible for the SOA, which must be stored according to Chapter 8 Record Management for This Document.
4. Responsibilities
Within the framework of the ISMS, the following responsibilities apply:
Management
- Correct implementation and maintenance of the ISMS in accordance with the Information Security Policy, as well as ensuring that sufficient resources are available for this purpose.
- Defining the information to be communicated to interested parties in the context of information security.
Information Security Officer
- Coordination of ISMS operations and reporting on its performance.
- Ensuring that annual reviews of the ISMS, or reviews following significant changes, are carried out and documented.
- Promoting information security awareness among all employees, as well as their education and training in information security.
Asset Owners
- Ensuring the integrity, confidentiality, and availability of the assets and information for which they are responsible.
All Employees
- Reporting information security incidents or vulnerabilities.
All essential responsibilities and recurring ISMS tasks are managed and documented via the Task Manager in the Digital Compliance Office (DCO).
5. Corporate Policy
Information security is anchored at the highest management level. Management commits to operating the ISMS in accordance with ISO/IEC 27001 and the risk management requirements, to adapting it to changing business conditions, and to providing the necessary resources. This enables all ISMS stakeholders to achieve the security objectives and to continuously improve the ISMS. Management is also responsible for implementing this corporate policy.
6. Commitments and Responsibilities in Information Security
All employees and relevant third parties must be familiar with the organization’s information security policy and ISMS. Employees must act in accordance with the policy, specific ISMS guidelines, and management directives. Violations may result in disciplinary action.
Management is responsible for communicating the policy and emphasizing the importance of ISMS and organizational commitment to information security.
7. Reference Documents
The following documents are referenced:
- ISMS scope
- Procedure for identifying requirements
- Procedure for security objectives & KPIs
- Procedure for corrective actions
8. Record Management for This Document
The following records are maintained for this document:
- Overview of ISMS objectives & KPIs
- ISMS & KPI achievement report
- Management review
- Appointment of Information Security Officer
- Resource planning
- Overview of legal, regulatory, contractual, and other requirements
- Statement of Applicability (SOA) / VDA ISA catalogue
- [Communication matrix]
Records must be stored according to the document and record control procedure.
9. Validity and Document Handling
This document is valid from September 1, 2025.
The owner is the Information Security Officer, who must review and update it at least annually.
Evaluation criteria for effectiveness and appropriateness include:
- Results of internal and external audits
- KPI evaluation results
- Management review outcomes
- Adjustments from risk management or corrective actions