ISO/IEC 27001:2013 Information Security Policy

Greece Lean Six Sigma
(In alignment with ISO/IEC 27001:2013 – Information Security Management Systems)

1. Purpose

At Greece Lean Six Sigma (GLSS), we recognize that information—whether related to learners, clients, partners, trainers, or internal operations—is a critical organisational asset.

This policy establishes the principles, responsibilities, and controls through which GLSS protects the confidentiality, integrity, and availability of information, in alignment with the requirements of ISO/IEC 27001:2013 and applicable legal and regulatory obligations.

Information security is fundamental to trust, certification integrity, learning governance, and ethical professional conduct.

2. Policy Objectives

2.1 Confidentiality

Ensure that information is accessible only to authorized individuals and protected against unauthorized disclosure.

This includes, but is not limited to:

  • learner and client personal data
  • assessment results and certification records
  • intellectual property and training materials
  • commercial, contractual, and strategic information

2.2 Integrity

Protect the accuracy, completeness, and reliability of information throughout its lifecycle.

Controls are implemented to prevent:

  • unauthorized modification
  • data corruption
  • accidental or malicious alteration
  • loss of assessment or certification evidence

2.3 Availability

Ensure that information and systems are available when required by authorized users.

GLSS maintains appropriate technical and organisational measures to support:

  • business continuity
  • uninterrupted training delivery
  • secure access to learning platforms and records

3. Scope of Application

This policy applies to:

  • All GLSS personnel, including:
    • employees
    • trainers
    • assessors
    • contractors and associates
  • All information assets, regardless of format:
    • digital (cloud systems, LMS, email, databases)
    • physical (documents, printed materials)
    • verbal (meetings, training sessions)
  • All information systems and tools, including:
    • learning management systems (LMS)
    • collaboration platforms
    • certification and assessment portals
    • data storage and communication channels

4. Information Security Commitments & Controls

4.1 Risk Management

GLSS applies a structured, risk-based approach to information security.

  • Information security risks are identified, assessed, and treated on a regular basis
  • Risk assessments consider threats, vulnerabilities, impact, and likelihood
  • Risk treatment plans are documented and reviewed

4.2 Access Control

Access to information systems is governed by the principle of least privilege.

Controls include:

  • role-based access rights
  • strong authentication mechanisms
  • secure password management
  • regular access reviews and revocation upon role change or termination

4.3 Information Classification & Handling

All information is classified according to sensitivity, such as:

  • Public
  • Internal
  • Confidential

Handling, storage, transmission, and disposal controls are applied based on classification level.

4.4 Incident Management

GLSS maintains defined procedures for managing information security incidents.

  • Incidents are reported promptly
  • Investigations are documented
  • Corrective and preventive actions are implemented
  • Lessons learned are integrated into system improvements

4.5 Business Continuity & Backup

To ensure resilience and availability, GLSS maintains:

  • encrypted cloud-based backups
  • off-site data recovery capabilities
  • contingency arrangements for training and certification continuity

Business continuity measures are tested and reviewed periodically.

4.6 Training & Awareness

Information security awareness is a mandatory component of GLSS governance.

  • Staff, trainers, and partners receive periodic guidance on:
    • information security responsibilities
    • GDPR and data protection
    • phishing and cyber risks
    • secure digital behaviour

5. Legal, Regulatory & Contractual Compliance

GLSS ensures compliance with all applicable obligations, including:

  • EU General Data Protection Regulation (GDPR)
  • ISO/IEC 27701:2019 – Privacy Information Management
  • Contractual requirements from certification bodies and partners
  • National and international regulatory requirements

6. Governance, Review & Enforcement

  • This policy forms part of the GLSS Information Security Management System (ISMS)
  • It is reviewed at least annually, or upon:
    • significant system changes
    • emerging risks
    • regulatory updates
  • Responsibility for oversight and continual improvement lies with the ISMS Governance Function

Non-compliance with this policy may result in:

  • corrective actions
  • suspension of access
  • disciplinary measures or termination of collaboration

7. Approval & Document Control

Approved by:
Victoria Tsolidou
Founder & Managing Director
Greece Lean Six Sigma

Version: 1.0
Effective Date: 02.05.2024
Review Cycle: Annual or as required
Version: 1.0 | Date: 02.05.2024