1. INTRODUCTION

This policy defines how the Management Systems will be set up, managed, measured, reported on, and developed within AfriOne. The Board and Management of AfriOne are committed to ensuring Information is secure and Business continues by pursuing full certification to ISO/IEC 27001 and ISO 22301 that the effective adoption of Information Security and Business Continuity best practices may be validated by an external third party

The purpose of this document is to define an overall policy about the integrated management systems that are appropriate to the purpose of AfriOne and includes:

• The IMS Objectives
• A commitment to satisfying applicable requirements
• A commitment to continual improvement of the management systems

This Policy is available in electronic form and will be communicated within the organisation and to all relevant stakeholders and interested third parties.

2. IMS POLICY SATEMEMENT

The Board and Management of AfriOne which operates in the Financial Technology sector is committed to preserving the confidentiality, integrity, and availability of all physical and electronic information assets throughout the organisation, to preserve its asset, legal, and regulatory as well as contractual, compliance and image. The Integrated Management Systems (ISO 27001 and ISO 22301) requirements will continue to be aligned with organisational goals and is also intended to be an enabling mechanism for information sharing, electronic operations, and reducing information & Technology related risks to acceptable levels.

AfriOne is committed to providing quality services to our customers, both internal and external by aligning Information Technology investments with organisational goals. AfriOne has aligned its processes and operations to the ISO27001 and ISO22301 standards to ensure business continuity, protection of its information asset and maximisation of benefit/returns on IT investments.

It is, therefore, AfriOne’s policy to ensure

• AfriOne’s current strategy and Integrated Management Systems (IMS) provides the context for identifying, assessing, evaluating, and controlling information/process risks through establishment and maintenance of the IMS. The risk assessment and risk treatment plan capture how identified risks are controlled in alignment with AfriOne’s risk management strategy.
• Business continuity and contingency plans, data backup procedures, access control to systems and information security incident reporting are fundamental to this policy. All employees of AfriOne shall have the responsibility of reporting incidents
• All employees of AfriOne and external parties identified in the Management Systems are expected to comply with this policy. All staff and certain external parties will receive or be required to provide evidence of receiving appropriate training.
• The IMS shall be subject to continuous and systematic review with improvements adopted, where necessary
• Management is committed to the continual improvement of the IMS in the Organizations.
• Breach of the policy or security mechanism may warrant disciplinary measures, up to and including termination of employment/contract as well as legal action in line with the Cybercrime Prohibition Act 2015

3. IMS OBJECTIVES

Based on the requirements, the following major objectives are set out for the integrated management system:

• Objective 1 – Ensure the Protection of all critical Information, business processes and other IT assets of AfriOne from unauthorized access in line with ISO 27001, ISO 22301, and all local regulations.
• Objective 2 – Promote Information Security awareness and culture among all staff throughout AfriOne in line with ISO 27001.
• Objective 3 – Ensure 99% of Cyber Security incident is detected and prevented OR Reduce incidents involving unauthorized data modification or deletion to zero.
• Objective 4 – Ensure Critical Business Processes are recovered after a disruptive event within 4 hours.
• Objective 5 – Ensure Cyber Security losses (monetary losses) do not exceed AfriOne’s financial loss threshold.
• Objective 6 – Ensure 95% uptime availability of critical systems and information.
• Objective 7 – Ensure 100% Compliance with Regulatory, Legal, and Contractual Obligations
• Objective 8 – Ensure 100% Safety and Welfare of AfriOne’s employees and visitors who are within the premises at the time of an incident.

4. SATISFYING APPLICABLE REQUIREMENTS

A clear definition of the requirements for the Management Systems will be agreed upon and maintained with the business and customers of the IT services so that all activities are focussed on the fulfilment of those requirements. Statutory, regulatory, and contractual requirements will also be documented and input into the planning process. Specific requirements about the security of new or changed systems or services will be captured as part of the design stage of each project. It is a fundamental principle of the AfriOne Integrated Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.

5. CONTINUAL IMPROVEMENT

AfriOne policy about Continual Improvement is to:

• Continually improve the effectiveness of the IMS across all areas within scope.
• Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001:2022 and ISO 22301:2019
• Achieve certification to the management systems and maintain them on an on-going basis
• Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
• Obtain ideas for improvement via regular meetings with stakeholders and document them in a Continual Improvement Log Review the Continual Improvement Log at regular management meetings to prioritise and assess timescales and benefits

Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be added to the AfriOne IMS1003 Continual Improvement Log and evaluated by the IMS Manager.