Crowdin Information Security Policy (hereinafter the Policy) defines the objectives and basic principles of information security. Informationssikkerhed betyder gennemførelse og opretholdelse af det passende egenskabsniveau.
The Policies requirements apply to the entire Crowdin organization and all business processes, and are available mandatory for all employees as well as those involved in these business processes. Compliance with the requirements of the Policy is an important aspect for achieving Crowdin’s strategic goals and objectives.
Crowdin information security policy meets the requirements of ISO / IEC 27001: 2022 and DSTU ISO / IEC 27001: 2015.
This policy sets up:
Information security processes are described, formally defined and approved, Crowdin’s guidance in the form of standards, policies, regulations and other internal regulatory documents.
According to ISO, defining the context of an Organization is a “business environment”, “a combination of internal and external factors and conditions that may influence the organization’s approach to its products, services and investments and interested parties”.
Crowdin is a product company with more than 2 million user accounts.
Crowdin’s software solution empowers companies of any shape and size to accelerate their growth by reaching people who speak different languages.
Crowdin team works passionately toward a shared goal: to expand the potential of agile localization. From day one till now, Crowdin’s mission has always been to keep it simple and wow Crowdin’s customers with an outstanding user experience and the latest technology solutions.
Crowdin’s main industrial sector is Software as a service.
The purpose of the ISMS is to ensure that Crowdin is still able to meet its defined business objectives and comply with its policies in the face of potential and actual security incidents.
Policies have been set by the organization in a variety of areas and these must be taken account of during the information security planning process to ensure that they are met.
The main relevant policies are:
Der er en række interne og eksterne problematikker, som er relevante for Crowdins formål, og som påvirker ISMS-systemets evne til at opnå de tilsigtede resultater.
Interne problemstillinger:
Eksterne problemstillinger:
Disse generelle interne og eksterne problemstillinger behandles mere detaljeret som led i risikovurderingsprocessen og bliver regelmæssigt revideret og monitoreret.
En interessepart defineres som en person eller organisation, der kan påvirke, påvirkes af eller opfatter sig selv som påvirket af en beslutning eller aktivitet.
Flg. defineres som interesseparter med relevans for ISMS:
| Interessepart | Forventninger | Krav |
|---|---|---|
| Virksomhedsejere | Effective information security influences the organization’s financial success | Kapitalafkast |
| Ledelse | Organisatorisk omdømme skal beskyttes | Dokumentarisk og praktisk bekræftelse af gennemførelsen af ISMS |
| Kunder, kundegrupper | Dataenes fortrolighed, integritet og tilgængelighed er til enhver tid sikret | ISMS ISO 27001-certifikat |
| Leverandører og partnere | Overholdelse af aftaler og betalingsbetingelser | Evidens for overholdelse af aftaler og betalingsbetingelser |
| Tilsynsorganer | Organisationsaktiviteterne er i overensstemmelse med gældende lovgivning | Officiel bekræftelse af lovkrav (rapporter, certifikater mv.) |
| Organisationsansatte | Persondatasikkerhed, sociale ydelser, passende vederlag, uddannelse og support, sikkert arbejdsmiljø mv. | Lovgivningsmæssige dokumenter og bestemmelser, NDA-vilkår og -betingelser, klare instrukser ift. håndtering af sensitive data mv. |
| Kontrahenter, som leverer tjenesteydelser til organisationen | Overholdelse af aftaler og betalingsbetingelser; Persondatasikkerhed, sociale ydelser og passende vederlag | Evidens for overholdelse af aftaler og betalingsbetingelser; Lovgivningsdokumenter og -bestemmelser, NDA, klare instrukser ift. håndtering af sensitive data mv. |
| Konkurrenter | Organisationens reageren på konkurrerende markedsføringskampagner med egne initiativer og konkurrencedygtige prisfastsættelse | Resultater af markedsovervågning |
| Investorer | Rentabilitet, forventet investeringsafkast | Investeringsafkast, årsregnskaber |
| Medierne | Gennemsigtighed ift. sikkerhedshændelser | Dækning af datasikkerhedsbrud og en bredere offentlig interesse i den måde, hvorpå organisationer beskytter personlige oplysninger |
| Revisorer | Forvent, at der til enhver tid er en proportional grad af sikkerhedskontroller på plads mhp. beskyttelse af aktiver | Dokumentarisk og praktisk bekræftelse af gennemførelsen af ISMS |
| Nødtjenester | Sikkert arbejdsmiljø mv. | Brandsikkerhed, førstehjælpsforanstaltninger mv. |
This strategic objectives are supported by annual KPIs, described in more detail in the ISMS-PL-Monitoring and evaluating the effectiveness of ISMS Policy policy:
Current policies, processes, and security measures will be continuously reviewed. Any gaps in alignment with ISO/IEC 27001:2022 standards will be identified and addressed.
A proactive risk management strategy will be maintained. This strategy includes conducting regular risk assessments, vulnerability scans, and security audits. Identified risks will be analyzed, and continuous mitigation measures will be implemented.
The ISMS Committee has the final responsibility for Information Security Risks across Crowdin.
Detailed information about the functions, regulation, duties and responsibilities of the ISMS Committee is in the Regulation on ISMS Committee.
Managers/Head of Departments are responsible for information security within their departments/teams. They must ensure that the department/team has communicated their own informational security needs to the CISO.
CISO is clearly accountable for the provision of appropriate, timely advice to the management to ensure that an effective information risk management framework is implemented, operated and maintained in alignment with the business strategy, the business and the legal requirements.
All personnel, regardless of function, level and role, shall have explicit personal responsibilities for Information Security Management.
Responsibilities are described in detail in the ISMS-FR-Information Security Management Framework, and in other corresponding policies.
Continuous monitoring and improvement of ISMS will be an ongoing task to maintain compliance.
Regular risk assessments and mitigation activities will be scheduled periodically. Vulnerability assessments will be conducted regularly as part of the organization’s ongoing security practices. Proactive measures will be implemented immediately upon identification of vulnerabilities to ensure continuous protection.
The Incident Response Plan is annually reviewed, updated and tested to ensure its effectiveness in minimizing potential damage in the event of a security incident.
Systems, processes and activities that can be monitored in the ISMS include, but are not limited to:
The organization’s compliance with ISO/IEC 27001:2022 is evaluated through internal audit, management review, ISMS committee meetings. Annual external audits conducted by certification bodies will further validate our compliance status.
Key performance indicators defined will be closely monitored. Any security breaches or incidents will trigger immediate investigation and corrective action to ensure the security of customer and employee data, as well as our internal business processes.
Monitoring and evaluating the effectiveness of ISMS processes is described in the ISMS-PL-Monitoring and evaluating the effectiveness of ISMS Policy