Information Security Policy

Company

GermanAI Defense GmbH

Version

1.0

As of

01.03.2026

Approved By

General Manager

Document Owner

Information Security Officer

Classification

Public

1. Purpose

The purpose of this Information Security Policy is to establish the principles, objectives, and management direction for information security within GermanAI Defense GmbH in accordance with ISO/IEC 27001:2022 Clause 5.2. This policy aims to protect the confidentiality, integrity, and availability of information assets and ensure compliance with applicable legal, regulatory, contractual, and business requirements.

2. Scope

This policy applies to all information assets, technologies, systems, processes, personnel, facilities, and third parties involved in cybersecurity services, SOC operations, penetration testing services, GRC consulting, ISO 27001 consulting, GDPR consulting, NIS2 consulting, and EU AI Act consulting services. The ISMS scope includes all supporting information assets, business processes, personnel, technologies, and physical environments used to deliver these services.

3. Information Security Objectives

GermanAI Defense GmbH is committed to protecting information assets against unauthorized access, disclosure, alteration, destruction, or loss; maintaining confidentiality, integrity, and availability of information; ensuring compliance with legal and regulatory obligations; managing information security risks; continually improving the ISMS; and promoting security awareness. Measurable information security objectives for GermanAI Defense in accordance with ISO/IEC 27001:2022 Clause 6.2 are defined in the Information Security Objectives Procedure.

4. Management Commitment

Top management demonstrates commitment to information security by establishing and maintaining this policy, ensuring integration of security into business processes, providing necessary resources, assigning responsibilities, and supporting continual improvement activities.

5. Roles and Responsibilities

5.1 General Manager

The General Manager is responsible for:

• Approving this policy
• Providing strategic direction and resources
• Ensuring organizational compliance with information security requirements
• Supporting risk management and continual improvement activities

5.2 Information Security Officer

The Information Security Officer is responsible for:

• Maintaining and monitoring the ISMS
• Managing information security risks
• Coordinating security controls and compliance activities
• Reporting information security performance to management
• Conducting awareness and monitoring activities
• Supporting incident management and corrective actions

All personnel shall comply with this policy and associated procedures.

6. Internal and External Issues

Internal issues: Vision, culture, strategic direction, organisational roles, operating procedures, resources.

External issues: Needs and expectations of interested parties, contractual obligations, political factors, competition, technology, legal and regulatory requirements.

6.1 Interested Parties of the ISMS

Interested parties are shown in the table below:

Interested Party	Needs and Expectations
Top Management	Alignment of information security objectives with overall business objectives. Timely and accurate reporting of security performance and incidents. Availability of necessary resources for implementing and maintaining information security. Demonstration of continuous improvement in information security. Regular risk assessments and management. Monitoring and review of the effectiveness of security controls. Establishment of a robust security governance framework. Expectation that industry best-practice certifications are maintained to provide assurance to the board.
Business Partners (External)	Assurance of secure collaboration and information sharing. Compliance with mutually agreed security requirements. Transparent communication regarding any security incidents or breaches.
Employees (Internal)	A safe and secure working environment. Clear policies and procedures regarding information security. Training and awareness programs to enhance their understanding of security risks. Involvement in decision-making processes related to information security.
Customers (External)	Secure handling and protection of their sensitive information. Assurance that their data is kept confidential and not shared with unauthorized parties. Expectation that the confidentiality, integrity and availability of their data is secured at all times. Reliable and uninterrupted service availability. Clear communication about the security measures in place, prompt response to security incidents, protection of their data from unauthorized access or disclosure.
Suppliers (External)	Clearly defined information security requirements for their products and services. Protection of any sensitive information shared with them. Timely and accurate communication regarding any changes in security requirements or expectations. Clear guidelines on handling sensitive information, secure storage and transmission of data, adherence to agreed-upon security practices. Timely payment for services rendered. Fair and ethical business practices.
Competitors (External)	Fair competition practices. Protection of intellectual property rights. Compliance with industry standards and regulations.
Regulatory Bodies / Authorities (External)	Compliance with applicable laws, regulations, and standards. Timely and accurate reporting of security incidents and breaches. Cooperation and transparency during audits and assessments.
Auditors (External)	Cooperation during audits. Access to necessary information and resources. Compliance with audit requirements and protocols. Timely resolution and implementation of corrective actions based on audit findings. Assurance of independence and objectivity in the audit process. Assurance of the integrity and reliability of audit findings.
General Public (External)	Compliance with privacy regulations, transparent data-handling practices, clear communication about data breaches or incidents affecting the public.

7. Scope of ISMS

Cybersecurity services, SOC operations, penetration testing, the development and provision of AI-supported penetration testing and security analysis solutions, GRC consulting, ISO 27001, GDPR, NIS2, and EU AI Act consulting services, together with all supporting information assets, technologies, processes, personnel, and facilities, are within the scope of the Information Security Management System (ISMS) certification.

8. Statement of Applicability (SoA)

The Statement of Applicability (SoA) defines the information security control objectives and controls as defined by Management based on GermanAI Defense business needs and requirements considering all relevant legal and regulatory requirements and contractual obligations.

The SoA will be reviewed and approved by management of GermanAI Defense as per the management review procedure.

9. Risk Management

Information security risks shall be identified, assessed, and treated using a defined risk-management methodology consistent with ISO/IEC 27001:2022 requirements. For this purpose, top management has approved a Risk Management Procedure.

10. Compliance Obligations

The organisation commits to complying with GDPR, NIS2, EU AI Act requirements, contractual obligations, and applicable German and European Union regulations.

11. Incident Management

Information security incidents and weaknesses shall be reported, investigated, managed, and resolved in a timely manner. Corrective actions shall be implemented to prevent recurrence. Top management has approved an Incident Management Policy.

12. Continual Improvement

GermanAI Defense GmbH is committed to the continual improvement of the ISMS through reviews, audits, risk assessments, corrective actions, and management review activities.

13. Policy Review

This policy shall be reviewed at least annually and whenever significant organisational, legal, or technological changes occur.

14. Approval

Title	Signature	Date
General Manager		01.03.2026
Information Security Officer		01.03.2026