Information Security Policy

Purpose of the Information Security Policy

The primary purpose of information security is to ensure the continuity of Emergy’s operations under all circumstances. Appropriate and effective information security ensures the accessibility of IT solutions, the integrity of the information used in processes and services, and confidentiality across Emergy’s operations, under all circumstances and in all operating countries. This policy lays the foundation for ensuring the security of Emergy’s information systems and data processing.

At Emergy, protecting customer data, as well as the data generated and processed by other digital functions, is an essential part of responsible operations, which both our customers and partners expect from Emergy. Each Emergy employee must comply with the information security policy and its supplementary principles and instructions, as well as applicable laws.

Implementation of Information Security

Risk Assessment

Information security risks are assessed and analyzed regularly based on their business impacts. Risks must also be assessed in the specification phase of new systems and in connection with significant changes affecting the criticality of operations.

Data Classification and Processing

Emergy has an information classification method in place that governs how information shall be classified and determines the information security controls for processing information in the various classes.

Processing of Personal Data

The data protection policy and instructions determine how personal data is processed at Emergy.

Emergy’s system and application development processes include work phases to analyze the data protection requirements applicable to the purposes of use of personal data. The applicable data protection requirements vary depending on the purpose of use of the personal data and information collected. The technical implementation is designed so that it corresponds to the risk level of the processing. Based on the risk level, management methods and information security practices suitable for the situation are selected to manage risk levels and achieve compliance.

Information Security Requirements

Emergy’s information security requirements determine the minimum level of information security required from contractual partners. The required level of information security can be verified through audits, when necessary.

Information Security Training

Emergy has several regularly implemented measures in place to improve employees’ awareness of information security. These include, for example, training, phishing message simulations, and intranet news. In addition, selected groups are provided with targeted information security training.

Control and Monitoring

Improving and maintaining the level of information security require systematic and continuous automatic monitoring of information systems. The persons responsible for control are legally bound by confidentiality in terms of the information they process at work.

The status of information security is reported in connection with normal internal control, as well as internal and possible external audits. Technical information security is assessed continuously.

Processing of Information Security Incidents

Emergy has procedures and services in place for detecting information security incidents. Defined operating models are in place for processing and reporting any information security incidents.

Information Security Breaches

Non-compliance with the information security policy and instructions is regarded as an information security breach. Emergy has defined procedures for situations involving breaches.