Information Security Policy
As of: 01.03.2026 · ISO/IEC 27001:2022, Clause 5.2 · Version 1.0
1. Purpose
The purpose of this Information Security Policy is to establish the principles, objectives, and management direction for information security within GermanAI Defense GmbH in accordance with ISO/IEC 27001:2022 Clause 5.2. This policy aims to protect the confidentiality, integrity, and availability of information assets and ensure compliance with applicable legal, regulatory, contractual, and business requirements.
2. Scope
This policy applies to all information assets, technologies, systems, processes, personnel, facilities, and third parties involved in cybersecurity services, SOC operations, penetration testing services, GRC consulting, ISO 27001 consulting, GDPR consulting, NIS2 consulting, and EU AI Act consulting services. The ISMS scope includes all supporting information assets, business processes, personnel, technologies, and physical environments used to deliver these services.
3. Information Security Objectives
GermanAI Defense GmbH is committed to protecting information assets against unauthorized access, disclosure, alteration, destruction, or loss; maintaining confidentiality, integrity, and availability of information; ensuring compliance with legal and regulatory obligations; managing information security risks; continually improving the ISMS; and promoting security awareness. Measurable information security objectives for GermanAI Defense in accordance with ISO/IEC 27001:2022 Clause 6.2 are defined in the Information Security Objectives Procedure.
4. Management Commitment
Top management demonstrates commitment to information security by establishing and maintaining this policy, ensuring integration of security into business processes, providing necessary resources, assigning responsibilities, and supporting continual improvement activities.
5. Roles and Responsibilities
5.1 General Manager
The General Manager is responsible for:
- Approving this policy
- Providing strategic direction and resources
- Ensuring organizational compliance with information security requirements
- Supporting risk management and continual improvement activities
5.2 Information Security Officer
The Information Security Officer is responsible for:
- Maintaining and monitoring the ISMS
- Managing information security risks
- Coordinating security controls and compliance activities
- Reporting information security performance to management
- Conducting awareness and monitoring activities
- Supporting incident management and corrective actions
All personnel shall comply with this policy and associated procedures.
6. Internal and External Issues
Internal issues: Vision, culture, strategic direction, organisational roles, operating procedures, resources.
External issues: Needs and expectations of interested parties, contractual obligations, political factors, competition, technology, legal and regulatory requirements.
6.1 Interested Parties of the ISMS
Interested parties are shown in the table below:
| Interested Party | Needs and Expectations |
|---|---|
| Top Management |
|
| Business Partners (External) |
|
| Employees (Internal) |
|
| Customers (External) |
|
| Suppliers (External) |
|
| Competitors (External) |
|
| Regulatory Bodies / Authorities (External) |
|
| Auditors (External) |
|
| General Public (External) |
|
7. Scope of ISMS
Cybersecurity services, SOC operations, penetration testing, the development and provision of AI-supported penetration testing and security analysis solutions, GRC consulting, ISO 27001, GDPR, NIS2, and EU AI Act consulting services, together with all supporting information assets, technologies, processes, personnel, and facilities, are within the scope of the Information Security Management System (ISMS) certification.
8. Statement of Applicability (SoA)
The Statement of Applicability (SoA) defines the information security control objectives and controls as defined by Management based on GermanAI Defense business needs and requirements considering all relevant legal and regulatory requirements and contractual obligations.
The SoA will be reviewed and approved by management of GermanAI Defense as per the management review procedure.
9. Risk Management
Information security risks shall be identified, assessed, and treated using a defined risk-management methodology consistent with ISO/IEC 27001:2022 requirements. For this purpose, top management has approved a Risk Management Procedure.
10. Compliance Obligations
The organisation commits to complying with GDPR, NIS2, EU AI Act requirements, contractual obligations, and applicable German and European Union regulations.
11. Incident Management
Information security incidents and weaknesses shall be reported, investigated, managed, and resolved in a timely manner. Corrective actions shall be implemented to prevent recurrence. Top management has approved an Incident Management Policy.
12. Continual Improvement
GermanAI Defense GmbH is committed to the continual improvement of the ISMS through reviews, audits, risk assessments, corrective actions, and management review activities.
13. Policy Review
This policy shall be reviewed at least annually and whenever significant organisational, legal, or technological changes occur.
14. Approval
| Title | Signature | Date |
|---|---|---|
| General Manager | 01.03.2026 | |
| Information Security Officer | 01.03.2026 |