Information Security Policy

Effective Date: 25th June 2025

Audience

• All employees, contractors and third parties (normal users and privileged users)

Purpose

The Information Security Policy aims to protect the organisation's assets, including information and systems, from threats while boosting stakeholder confidence and the marketability of DFP’s services. Breaches may lead to privacy loss, individual harm, or business damage.

Scope

• Stakeholders: All employees, contractors and third parties (normal users and privileged users)
• Products & Services: DFP Advisory, Enterprise AI and Cybersecurity Delivery
• Data: All corporate and customer data
• Technology: All management systems, customer-facing systems and underlying infrastructure
• Location: All business locations and technology locations (e.g., data centre, cloud)

ISMS Objectives

1. Build and Sustain Stakeholder Trust and Confidence.
2. Provide Information Security, Cybersecurity and Privacy Assurance,
3. Gain Independent Assurance
4. Accelerate Secure Service Delivery
5. Enhance Market Position and Competitive Advantage
6. Maintain Compliance
7. Increase Cyber Resilience

Policy Statements

1. All stakeholders must follow this policy and related policies to contribute to achieving Information Security Objectives of the DFP Information Security Management Plan and protecting assets of value to the business and its stakeholders.
2. All stakeholders must take timely and appropriate action to ensure they meet their responsibilities related to Information Security and the requirements of the current ISO 27001 standard as described in the DFP Information Security Management Plan.
3. All stakeholders must adopt a risk-based approach to Information Security management to ensure that all business-related risks (including information and information systems) are managed consistently and effectively. Risks must be reduced as far as is reasonably practicable.
4. All stakeholders must protect and continuously improve the confidentiality, integrity, and availability of DFP’s business information, its customer information and its information system to:
   1. prevent disclosure to and access by unauthorised individuals, and
   2. to enable the business to maximise the use of the assets and add value.
5. All stakeholders must comply with relevant legal and regulatory requirements.
6. All stakeholders are to use or apply approved security solutions and services, where possible, to avoid creating disparate Information Security controls.
7. There are no exemptions from this policy.
8. This policy will be enforced by the CISO.

Supporting, Related Documents

• Information Security Management System Manual (ISMS Manual)
• DFP Information Security Management Plan
• Information Security-related Enterprise Policies and other related Topic-Specific Policies

Guidance and Standards

• ISO/IEC 27001:2022 - Information security, cybersecurity, and privacy protection — Information security management systems — Requirements
• ISO/IEC 27002:2022 - Information security, cybersecurity, and privacy protection — Information security controls

Metrics

• Achieve Information Security Objectives (refer to Section 6.3 of the Information Security Management Plan)

Policy Authorised By

CEO