A.5 Information security policies

A.5.1. Information security management focus

Objective: To share with the management's direction and support for information security in accordance with the requirements of the business and relevant statutes.

Aspia works according to ISO 27001 and has an Information Security Policy that is established by the management. It is included in the mandatory information security training for all personnel.

Reference: Information Security Policy

A.6 Organization of information security

A.6.1. Internal organisation

Objective: To establish an organizational framework to initiate and control the introduction and operation of information security work within the organization.

Aspia works according to an internal process, Information Security Governance Risk and Compliance (IS GRC) where information security work is risk-based and structured, clear roles and responsibilities are distributed in the business, the process includes all information security work within Aspia.

The information security work is led by Aspia's CISO and reports to management at regular intervals.

Reference: Information Security Governance, Risk and Compliance routine
Information Security Role Definition policy

A.6.2 Mobile devices and teleworking

Objective: To ensure the safety of teleworking and mobile device use.

Teleworking is regulated in Aspia's IT Usage instruction, all Aspia devices are centrally managed and "Bring your own device" is generally not allowed. All communication outside Aspia's network is encrypted and all access to the network goes via VPN. 

Referens: IT Usage instruction, Communication Instruction

A.7 Human resource security

A.7.1 Pre-employment

Objectives: To ensure that employees and suppliers understand their responsibilities and are suitable for the roles for which they are intended.

Aspia conducts relevant background checks where appropriate

Reference: Information Security Policy, HR Instruction, Access Instruction

A.7.2 During employment

Objective: To ensure that employees and suppliers are aware of and fulfill their responsibility for information security.

Continuous information security training is carried out annually and simulated phishing attacks or equivalent are carried out. Aspia Security continuously informs about the current security situation through internal communication channels.

A.7.3 Termination or change of employment

Objective: To protect the interests of the organization as part of the process of changing or terminating an employment

Aspia has a central access control that is regulated via our personnel system, where changes in tasks automatically correct or update permissions or access to support systems. Where there is no automaticity, there are established processes that ensure that staff have authority in relation to their duties.

A.8 Asset management

A.8.1. Liability for assets

Objective: To identify the assets of the organization and determine appropriate responsibility for protecting them.

Aspia's information assets are identified in the IS GRC process and system owner responsibility and other relevant roles are defined. Electronic assets such as hardware, etc. are documented in Aspia's Asset Management Data Base, information assets regarding personal data according to GDPR are documented in register lists.

A.8.2. Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.

All IT systems are classified according to Confidentiality, Integrity, Availability.

A.8.3. Storage Media Management

Objective: To prevent the unauthorized disclosure, modification, removal or destruction of information stored in media.

Computers on Aspia are blocked from writing to USB by default.
Computers are encrypted with Microsoft Bit Locker by default.
Storage media that has processed information assets are decommissioned according to a central routine and ensure safe life cycle management.

A.9 Access control

A.9.1. Business requirements for access governance

Objective: To restrict access to information and information processing resources.

All control of access and permissions is based on ordering models in central systems where access can be justified with work tasks and attested by the immediate manager or information owner. Aspia applies a central identity and access management and several predefined criteria that regulate how and where you are authorized to connect to.

Reference: Access Instruction

A.9.2 User Access Management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services

User access is granted according to the principles of "minimum privileges and access to be able to perform work tasks".
User access is traceable in order flows and control of permissions takes place annually, accounts with higher permissions are reviewed at least semi-annually.

A.9.3 User Liability

Objective: To make users responsible for protecting their authentication information

User responsibility is achieved through annual information security training and all user data should be processed in a secure manner.

A.9.4. Control of access to systems and applications

Objective: To prevent unauthorized access to systems and applications

Control and access to systems based on user access management and modern control mechanisms such as behaviors, geographical position, pattern analysis, etc.
System access has Single Sign On (SSO) as the default setting as well as multi-factor authentication enabled where possible.
There is a central password policy that defines the criteria to be met for user accounts and system accounts, respectively.
A central password management is available for users with high system access.
Permission to source code is severely restricted and is processed in supervised environments.

A.10 Encryption

A.10.1 Cryptographic security measures

Objective: To ensure the correct and effective use of encryption to protect the confidentiality and accuracy of information.

All information is encrypted in transit through at least HTTPS or TLS 1.2 or later and that we follow the providers' cryptographic recommendations.
Only approved cryptographic functions may be used.

Reference: Cryptography instruction

A.11 Physical and environmental safety

A.11.1. Safe areas

Objective: To prevent unauthorized physical access to, damage to, and interference with access to organizational information and information processing resources.

Aspia's offices and areas have basic physical access restrictions, protections and physical access controls. Data centers are certified according to established standards and have uninterruptible power and resource allocation as well as business continuity plans according to the supplier's certification. Central mail and delivery procedures are available at the head office.

Reference: Operation instruction

A.11.2. Equipment

Objective: To prevent loss, damage, theft, or impact of assets and disruption of organizational operations.

All employees are informed about the individual's own responsibility for information assets and that it is ensured that unauthorized persons cannot access information, this includes "clean desk policy", secure overwriting of storage media according to central routine, reporting of security incidents and police reporting in case of suspicion of crime.

Reference: IT Usage instruction

A.12 Operations security

A.12.1. Operating procedures and responsibilities

Objectives: To ensure the correct and safe operation of information processing resources.

All systems have user instructions and system operators.
Any IT system change or business change that may affect the IT environment is preferred weekly in a central Change Advisory Board (CAB) before approval of the change.
Separation between development, test and production systems is established as well as regular testing at the respective system level.

Reference: Operation Instruction, Log Audit Instruction

A.12.2 Malware protection

Objective: To ensure that information and information processing resources are protected against malware

Computers and servers have modern "End Point Detection and Response" with automatic antivirus protection that scans files and links for malware and automatically prevents potential threats.
Aspia conducts security monitoring through a SIEM (Security Information and Event Management) system by authorized personnel. This is also linked to Aspia's SOC (Security Operations Center) provider.

A.12.3 Backup

Goal: To protect against data loss

Data backup takes place in the respective system and/or process and based on business needs, there are different levels of backup and archiving.

A.12.4 Logging and monitoring

Goal: To log events and detect anomalies

Activities in IT systems are logged.
Aspia has a central log management tool (SIEM) where system, security and user logs are stored and reviewed regularly. The logs are forensically secured, and all auditing of logs is done by authorized personnel.

A.12.5. Control of operating systems

Objective: To ensure the accuracy of operating systems

Only approved software versions may be installed after approval in the CAB.

A.12.6. Addressing technical vulnerabilities

Objective: To prevent the exploitation of technical vulnerabilities

Aspia has continuous vulnerability scanning of our internal and external resources and vulnerabilities are remedied according to an established routine in relation to the severity of the vulnerability and the possible impact of the information assets. Application development follows the OWASP framework.

A.12.7. Considerations relating to the audit of information systems

Goal: To minimize the impact of audit activities on operating systems

Review of systems and processes is planned centrally to minimize the impact. Technical checks are carried out at times when customer impact is assessed as the least.

A.13 Communications security

A.13.1 Network Security Management

Objectives: To ensure the protection of information in networks and their supporting information processing resources

Aspia applies the Zero-Trust-network principle, and all devices are centrally managed.
All corporate networks have a basic separation of guest, office, and server networks.

Reference: Communication instruction Document Labeling instruction

A.13.2 Transfer of information

Objective: To maintain the security of information transferred within an organization or to an external entity

Instructions for internal and external information transfer are established. All internal communications are encrypted by default.
Functionality with secure data rooms exists (Konfident) for external sharing is available and that sharing of information is in agreements between Aspia and external parties.
Confidentiality relations are established between Aspia and interested parties.

Communication Instruction
Data Processing Agreement (DPA)

A.14 System acquisition, development and maintenance

A.14.1. Security requirements for information systems

Objective: To ensure that information security is an integral part of information systems throughout the life cycle. This includes requirements for information systems that provide services through public networks.

Aspia has a structured procurement process where information security is part of the requirements for systems and processes. System procurements are required in the IS GRC process.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development cycle of information systems.

Aspia follows the OWASP application development framework. Automatic code review happens continuously and development takes place according to the DevOps framework. Development and production of code takes place according to a set flow and logs are available.

A.14.3. Test data

Objective: To ensure the protection of data used for tests.

Aspia works according to an established testing strategy where systems that need data for testing have the opportunity to obtain such.
Procedures for lifecycle management of test data are in place.

A.15 Supplier relationships

A.15.1 Information security in supplier relationships

Objective: To ensure the protection of the organization's assets that vendors have access to.

The requirements for suppliers and subcontractors are the same as for Aspia. This is regulated in supplier agreements and review of these takes place regularly.

Reference: Guidelines for information safety regarding Aspia suppliers

A.15.2 Supplier service delivery management

Objectives: To maintain an agreed level of information security and service delivery in line with supplier agreements

Service deliveries are followed up by system and service managers and requirements and follow-up on safety work are also included in agreements.

A.16 Information security incident management

A.16.1 Information security incident management and improvements

Objectives: To ensure a consistent and effective approach to information security incident management including communication around security events and vulnerabilities.

Information security incidents and communication take place according to the incident process. This includes both information and personal data breaches. Incidents and vulnerabilities are monitored and managed according to priority based on informational, business and risk impact.

Reference: Incident management instruction

A.17 Information security aspects of business continuity management

A.17.1 Continuity of information security

Objective: The continuity of information security shall be integrated into the organisation's business continuity management system

Aspia follows ISO22301 in business continuity work and has an established continuity policy (BCP), established business continuity plans for systems and processes and recovery plans (DR).
Crisis plans and crisis groups are established, and practice takes place regularly.

Reference: Business Continuity Policy, Business Continuity Plan

A.17.2 Redundancy

Objective: To ensure the availability of information processing resources.

Redundancy is achieved through clearly documented processes and routines as well as a high degree of automation and reduction of personal dependencies.
Critical processes or systems are identified, and alternative roles are assigned when needed

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of statutory or contractual obligations related to information security and any security requirements

Aspia complies with applicable laws in Sweden, and these are included in the IS GRC process. This also includes the protection of personal data under the GDPR.
Aspia regulates responsibility and compliance in supplier agreements, assignment agreements, personal data agreements and applies FAR general terms and conditions and Aspia's guidelines for information security.
Employees and consultants commit to confidentiality provisions under employment contracts or assignment agreements.

Reference: FAR Terms and Conditions, MyBusiness Terms and Conditions, Aspia's guidelines for information security for suppliers and subcontractors

A.18.2 Information security audits

Goal: To ensure that information security is introduced and operated in accordance with the organization's rules and procedures.

Aspia regularly conducts independent external information security checks. This also includes suppliers and subcontractors if the need arises.