Crowdin 信息安全政策(下称政策)确定了信息安全的目标和基本原则。 信息安全是指实施和维护其适当水平。 The Policies requirements apply to the entire Crowdin organization and all business processes, and are available mandatory for all employees as well as those involved in these business processes. 遵守该政策的要求是实现 Crowdin 的战略目标的一个重要方面。

Crowdin 信息安全政策符合 ISO /IEC 27001:2013和DSTU ISO /IEC 27001:2015 的要求。


  • 本组织的背景
  • 与 Crowdin 宗旨有关的内部和外部问题
  • 与信息安全管理系统(以下简称“ISMS”)相关的利益方
  • 这些有关方面与 ISMS 有关的要求
  • 信息安全目标
  • 信息安全政策承诺
  • 信息安全责任
  • Measurement

以标准、政策、条例和其他内部管理文件的形式描述、正式界定和批准了 Crowdin 的信息安全程序。


According to ISO, defining the context of an Organization is a “business environment”, “a combination of internal and external factors and conditions that may influence the organization’s approach to its products, services and investments and interested parties”.

Crowdin is a product company with more than 1.5 million user accounts.

Crowdin’s software solution empowers companies of any shape and size to accelerate their growth by reaching people who speak different languages. Crowdin team works passionately toward a shared goal: to expand the potential of agile localization. From day one till now, Crowdin’s mission has always been to keep it simple and wow Crowdin’s customers with an outstanding user experience and the latest technology solutions.

Crowdin 的主要部门是以软件作为一种服务。

The purpose of the ISMS is to ensure that Crowdin is still able to meet its defined business objectives and comply with its policies in the face of potential and actual security incidents. Policies have been set by the organization in a variety of areas and these must be taken account of during the information security planning process to ensure that they are met.


  • 业务连续计划
  • 信息安全管理框架
  • 风险评估方法
  • 风险处理准则
  • 事故反应计划
  • 可接受的使用政策
  • 访问控制政策
  • Clear Desk and Clear Screen Policy
  • 防止恶意软件控制政策
  • 密码政策
  • Human Resources Security Policy
  • 信息备份政策
  • Information Classification and Labeling Policy
  • IS 风险管理政策
  • 日志记录和监测政策
  • 监测和评价 ISMS 政策的效力
  • 网络安全政策
  • 密码政策
  • 人身安全政策
  • 开发和维护过程中的安全政策
  • Segregation of Duties Policy
  • Supplier Relationship Security Policy
  • 工作站安全政策
  • Сhange Management Policy
  • 联系程序
  • Corrective and Preventive Actions Procedure
  • 纪律程序
  • Document control procedure
  • 内部审计程序
  • 信息资产盘点和评估程序
  • 风险管理程序
  • 保持工作保密
  • 管理审查程序
  • 用户访问管理程序


有一些内部和外部问题与 Crowdin 的宗旨相关,影响到 ISMS 实现预期成果的能力。


  • 采用的标准、准则和模式
  • 重大的组织变化
  • 治理和组织结构
  • 合约关系
  • 资源和知识(如资本、人员、工艺和技术)
  • 与工作人员和利益攸关方的关系,包括与合作伙伴和供应商的关系
  • 其它


  • 技术的变化
  • 政府条例和法律改革
  • 竞争
  • 市场的经济变化
  • 供应链
  • 社会和文化
  • 利息和通货膨胀率
  • 数据保护
  • 技术支持和基础设施
  • 自动化和人为情报
  • 军事和政治
  • 其它

These general internal and external issues will be considered in more detail as part of the risk assessment process and will be regularly reviewed and monitored.

The interested parties that are relevant to the ISMS of Crowdin have been determined below with their individual expectations.

利害关系方的定义是能够影响到的人或组织。 委员会还建议缔约国采取一切适当的措施,确保所有儿童都能得到保护,免受某项决定或活动的影响,或使他们感到自己受到某项决定或活动的影响。 以下被定义为与 ISMS 相关的关系方:

  • 企业所有者
  • 管理者
  • 客户
  • 供应商和合作伙伴
  • 监管机构
  • 客户用户组
  • 应急服务
  • 本组织的工作人员
  • 向本组织提供服务的承包商
  • 竞争对手
  • 投资者
  • 媒体
  • 审核员
关系方 期望 需求
企业所有者 有效的信息安全影响本组织的财务成功 资本收益
管理者 必须维护组织的声誉 文件和实际确认实施 ISMS
客户用户组 数据的保密性、完整性和可获得性在任何时候都是安全的 ISMS ISO 27001 证书
供应商和合作伙伴 遵守协议和付款条件 遵守协定和付款条件的证据
监管机构 本组织的活动符合现行立法 正式确认法律要求(报告、证书等)
本组织的工作人员 Personal data security, social welfare benefits, appropriate remuneration, training & support, safe working environment etc. Legislative documents and regulations, NDA terms & conditions, clear instructions on how to handle sensitive data etc.
向本组织提供服务的承包商 遵守协议和付款条件; 个人数据安全、社会福利福利、适当报酬 Evidence of adhering to agreements and payment terms; Legislative documents and regulations, NDA, clear instructions on how to handle sensitive data etc.
竞争对手 The Organization responding to rival marketing campaigns with its own initiatives and set prices competitively 市场监测结果
投资者 Profitability, expected return on investment 投资回报,财务报表
媒体 Transparency regarding security incidents 数据违规行为的覆盖面和组织保护个人信息的更广泛的公众利益
Auditors Expect that a proportionate level of security controls are in place at all times to protect assets 文件和实际确认实施 ISMS
应急服务 安全的工作环境等 消防安全、急救的提供等


  • Ensure the effective functioning of the ISMS in accordance with the requirements of ISO / IEC 27001: 2013, which will allow Crowdin to be a certified company and trusted supplier for its customers (View Certificate).
  • Ensure uninterrupted operation of the company and provision of services, regardless of external and internal issues.
  • Ensure the availability, integrity and confidentiality of both customer and employee data, confidentiality of internal business processes. Minimize the number and consequences of information security incidents and their impact.
  • The goals of information security correspond to the interests of the company.

Planning to achieve information security objectives

ISMS Committee, which is a collegial permanent body, CISO, should keep company policies in the actual state, ensure their integration into organizational processes.

For this purpose, ISMS committee members can make suggestions regarding the updating of documents, and approve them at the meetings of the committee. ISMS team considers security incidents, if they have occurred, creates a plan for ISMS improvements and do an analysis of what was done at the previous period.

Annual training is held on the content of information security policies, general principles of information security. In addition to annual training, people who start cooperation undergo training before they receive access to confidential data. Compliance with onboarding training requirements is monitored by the HR manager.

The system administrator provides control over the fulfillment of requirements for the use of information systems and equipment. It is described in more detail in the ISMS-PL Workstation security policy.

The CISO organizes regular activities such as BCP plan testing, backups, and staff training, reassessment of risks, formation of a risk treatment plan, records all information security incidents, and is responsible for investigating suspected incidents.

The results of ISMS work are evaluated annually at the management review meeting, at internal and certification audits.

The company allocates the necessary resources to ensure business continuity in accordance with the BCP plan, the ISMS committee helps in ensuring its operability.

For ISMS establishment Crowdin is obliged to:

  • Comply with both the law and ISO / IEC 27001: 2013 requirements
  • Develop and adhere to all ISMS policies and procedures and ensure their integration into organizational processes
  • Satisfy applicable requirements related to information security
  • Review and continual improvement of the information security management system
  • Be open and honest with individuals whose data is held
  • Provide training and support for staff who handle ISMS, so that they can act confidently and consistently
  • Ensure the compatibility of information security policies and objectives with Crowdin’s strategic objectives


Crowdin governance clearly understands that information security is the foundation life of Crowdin. Crowdin management contributes to the creation, implementation, control and support of the Policy information security.

Information Security Policy documents are developed by the ISMS Committee and other departments according to the relevant areas of activity.

The ISMS Committee is responsible for defining information security requirements and overseeing their implementation in Crowdin.

Statutory, regulatory, and contractual requirements

Crowdin information security measures meet the business needs and the requirements legislation of Estonia, Ukraine, ISO / IEC 27001: 2013, internal regulations Crowdin.

The organization of any process or making changes to existing process is carried out taking into account information security. Evaluation of the effectiveness of the ISMS is carried out on a regular basis.

Crowdin’s internal independent information security audit will be conducted annually during the ISMS functional cycle.