Management of Pos Indonesia (Persero) reaffirms its strong commitment to protecting information assets and maintaining an effective Information Security Management System in accordance with ISO/IEC 27001:2022 and global security best practices:
- Confidentiality, Integrity, and Availability (CIA) of information shall be preserved by protecting against unauthorized access, intentional or accidental modification, loss, or disclosure throughout the entire information lifecycle.
- Security controls must address people, processes, and technology, applying proportionate and risk-based measures, including zero trust architecture and cyber resilience strategies, to protect information during creation, processing, storage, and transmission.
- All information security practices must comply with the POSIND Information Security Framework, including policies, procedures, and controls, which are made available to all personnel via POSIND websites and other available options. Updates to the framework will be clearly communicated to all staff.
- Every employee is responsible and accountable for information security. All staff shall comply with this policy, participate in ongoing awareness and competency programs, and report security incidents or suspected threats promptly to the Information Security Manager.
- Line Managers and Function Heads must promote this policy within their areas, establish measurable information security objectives, allocate resources, and monitor performance against these objectives.
- Information security risks and opportunities must be systematically identified, assessed, and treated using a risk-based approach. All risk decisions must be documented and aligned with the organization’s risk appetite and business context.
- POSIND enforces the integration of compliance, legal, regulatory, and contractual requirements (including personal data protection, cybersecurity regulations, and customer SLAs) into the ISMS.
- POSIND’s Top Management mandates the implementation and continual improvement of an enterprise-wide ISMS, applicable to all business units and functions, in full compliance with ISO/IEC 27001:2022 and integrated with other relevant management systems where applicable.
- The Information Security Committee is delegated the authority to govern and enforce the ISMS, monitor security performance and trends, and recommend improvements based on internal audits, security incidents, and changes in the threat landscape.
This policy will be reviewed annually, or upon significant changes in the business or regulatory environment, to ensure it remains appropriate and effective.