
Page 1: eBaoTech-ISMS-01-001 eBaoTech Corporation

<Confidential> eBaoTech Corporation

<Confidential>

eBao ISO/IEC 27001:2013
Information Security Management Manual
eBaoTech-ISMS-01-001
eBaoTech Corporation

Page 2: eBaoTech-ISMS-01-001 eBaoTech Corporation

Information Security Management Manual ISO/IEC 27001:2013

<Confidential> eBaoTech Corporation i

Copyright and Confidentiality Notice

© Copyright eBaoTech Corporation

All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner.

The information contained in this document is strictly confidential and must not be disclosed to any other person by the client or by any of its employees without the prior written consent of the copyright owner.

The client is permitted to disclose the information only to those of its employees and/or professional advisors who need to have access to it, and the client shall notify such employees and/or professional advisors of the terms of this notice.

For any questions or remarks on this document, please contact eBaoTech Corporation at +86 (21) 61407777.


Contents

1. General ........ 1
  1.1. Manual Promulgation Decree ........ 1
  1.2. Letter of Authorization ........ 1
  1.3. Purpose ........ 2
  1.4. Statement of Applicability ........ 2
2. Normative References ........ 2
3. Terms and Definitions ........ 3
4. Organization Environment ........ 3
  4.1. Organization Status Quo and Background ........ 3
    4.1.1 External Context ........ 3
    4.1.2 Internal Context ........ 3
  4.2. Needs and Expectations of Relevant Parties ........ 4
  4.3. Scope of Information Security Management System ........ 4
  4.4. Information Security Management System ........ 5
5. Leadership ........ 6
  5.1. Leadership and Commitments ........ 6
  5.2. Information Security Policy ........ 7
  5.3. Organizational Roles, Responsibilities and Authorities ........ 7
6. Planning ........ 7
  6.1. Measures of Addressing Risks and Opportunities ........ 7
    6.1.1 General ........ 7
    6.1.2 Information Security Risk Evaluation ........ 8
    6.1.3 Information Security Risk Treatment ........ 8
  6.2. Information Security Goal and Implementation Plan ........ 9
7. Support ........ 9
  7.1. Resources ........ 9
  7.2. Competence ........ 10
  7.3. Awareness ........ 10
  7.4. Communication ........ 10
  7.5. Documented Information ........ 11
    7.5.1 General ........ 11
    7.5.2 Setting up and Update ........ 12
    7.5.3 Control of Documented Information ........ 12
8. Operation ........ 13
  8.1. Operation Planning and Control ........ 13
  8.2. Information Security Risk Assessment and Treatment ........ 13
9. Performance Evaluation ........ 13
  9.1. Monitoring, Measurement, Analysis and Evaluation ........ 13
  9.2. Internal Audit ........ 14
    9.2.1 Management Review ........ 14
10. Improvement ........ 15
  10.1. Non-conformance Terms and Corrective Measures ........ 15
  10.2. Continual Improvement ........ 15
Appendix I. Information Security Management Committee Organizational Framework Chart ........ 16
Appendix II. Company Organizational Structure Chart ........ 17


1. General

1.1. Manual Promulgation Decree

eBaoTech Corporation (hereinafter referred to as "the Company") has implemented the standard GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System, established a documented information security management system and developed this "Information Security Management Manual" (hereinafter referred to as "the Manual") in order to improve the management of the Company's information security, to ensure the regular proceeding of production, operation, service and normal managerial activities, and to avoid the interruption or loss of business due to information system failure, data loss or leakage of sensitive information.

The Manual is the guiding document for the Company's information security management. It guides the Company in setting up and implementing the guidelines and codes of conduct of the system so as to realize the effective running and continual improvement of the system.

All employees shall strictly follow the guidelines in the Manual and carry out operations as required in the Manual to realize the Company's information security management goal.

All the terms in the Manual shall come into force and be executed upon promulgation.

1.2. Letter of Authorization

The Company hereby appoints Li Yuanhang as the management representative for the Company's Information Security Management System, to supervise the thorough execution of the terms of the system and its conformity to the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System, and to strengthen the leadership of the building and continual operation of the information security management system.

The responsibilities and authority of the management representative for the Company's Information Security Management System are as follows:

a) Approve the release of information security management system documents and set the goals for building the information security management system;
b) Ensure that the resources needed for the establishment and improvement of the information security management system are fully obtained and effectively allocated;
c) Manage the Company's risk assessment and internal audit; examine and approve the Company's risk assessment report, resolution plan and internal audit report;


d) Assist top management in hosting the management review meeting of the information security management system, and ensure the applicability, sufficiency and effectiveness of the system;
e) Report to top management on the execution of the system and the need for improvement.

This letter of authorization shall come into force and be executed as of the date of appointment.

Manager:

______ (Year) _____ (Month) _____ (Day)

1.3. Purpose

The Manual provides guidance for building and operating the Company's information security management system and ensures its conformity to the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System. Its ultimate objective is to protect the Company's information assets, to guarantee the continuity of its various businesses and to ensure the achievement of the goals set for the system.

1.4. Statement of Applicability

For details on how the terms of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System apply to the Company's information security management system, please see the "Statement of Applicability (SOA)".

2. Normative References

The provisions in the Manual are based on the following documents; for details see the "Management on the Compliance with Legal and Legislative Requirements". For dated references, later revisions do not apply to the Manual, but the system management group shall study the applicability of the latest versions of such references. For undated references, the latest version applies to the Manual.

a) Laws and Regulations: the relevant laws and regulations issued by the state, which constrain and guide the Company.
b) International Practices: the common international practices that constrain and guide the Company and to which it must conform in the operation of its businesses and the establishment of information security.


c) Standards:
GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements;
GB/T22081-2016/ISO/IEC 27002:2013 Information Technology & Security Technology & Information Security Management - Implementation Guidance.

3. Terms and Definitions

All the definitions and terms in GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements and GB/T22081-2016/ISO/IEC 27002:2013 Information Technology & Security Technology & Information Security Management - Implementation Guidance shall apply to the Manual.

4. Organization Environment

4.1. Organization Status Quo and Background

4.1.1 External Context

The Company fully understood its external context before setting up the information security management system. The following aspects of the external context can have a great impact on the Company's business:

a) The political, legal and regulatory, financial, information technology and competitive environment;
b) Laws and regulations in different countries, and restrictions on data transmission;
c) The security needs of external stakeholders.

4.1.2 Internal Context

[Note: The introduction to the Company in the original manual]

The Company also fully understood its internal context before setting up the information security management system, which mainly includes:

a) Company Profile

eBaoTech was founded in the year 2000 and has nearly thousands of employees dedicated to developing core software systems for insurance products and providing implementation and maintenance services for such systems to clients. eBaoTech is committed to promoting the innovation and improvement of its products through continual investment in research. eBaoTech has set up localized groups in its branches in over 10 countries. With over 100 online projects in nearly 30 countries globally, eBaoTech provides its services across Asia-Pacific, Europe, the Middle East, Africa and America.

b) Resource Provision

The Company has set up an Information Security Management Committee to formulate, release and implement the information security management system. It has professional advisors who provide training and consultation on information security to improve the management of its information security. Top management attaches great importance to the information security of the Company and provides sufficient resources to meet its information security needs.

c) Our Vision and Mission

eBaoTech aims to make insurance easy by making it faster, better and more economical, thereby benefiting every part of the insurance ecosphere, including consumers, brokers, insurance companies, service providers and regulatory authorities. Digital revolution is the main theme of the insurance industry in the coming years. Committed to leading the insurance technology field, eBaoTech promotes the smooth development of the global insurance industry in a digitalized ecological environment. eBaoTech's belief is to realize rapid customer success (RCS) and to focus on delivering the commercial value of its products to customers quickly. Thanks to our extraordinary creativity, quality and excellent employees, we are now the leading insurance technology company, with over 150 online projects in more than 35 countries.

4.2. Needs and Expectations of Relevant Parties

When deciding the terms of the information security management system, the Information Security Management Committee shall take the needs and expectations of the relevant parties into consideration. The relevant parties include, but are not limited to, Company leaders, internal staff, clients, superior supervisory units and service providers.

The relevant parties mentioned above and the related laws and regulations shall be taken into consideration when implementing the terms of the system. For details, please see the "Management on the Compliance with Legal and Legislative Requirements".

4.3. Scope of Information Security Management System

For the research, development and implementation of application software and other relevant information security management activities, the terms of the system in this Manual shall apply.

The Company's information security management system covers the research, development and implementation of application software, the management of the service-providing information technology processing facilities, the development, acquisition and operational maintenance of information technology systems, personnel information security, data security and other information security management activities.

4.4. Information Security Management System

According to the requirements of GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System, and with regard to the characteristics of the industry, the Company, based on the demands of its business, follows the philosophy of risk management and pays attention to process management. It establishes and carries out the terms of the information security management system, makes sure that the resources, technology, management and other elements related to information security are under control, formulates documents and implements, maintains and continually improves them accordingly, and takes effective measures against various security accidents and other intentional destructive incidents, so as to ensure the confidentiality, integrity and usability of the Company's information and the continuity of its businesses.

The Company adopts the process method, managing the resources and activities related to information security as a process. This is called the PDCA process method for continual improvement of the system, and the Company uses it in its efforts to set up and implement the information security management system. The PDCA process method includes:

a) Identify and confirm the strategy, goals, processes and applications related to the Company's information security management system, and improve information security to reach the expected results;
b) Confirm the sequence and relations of the processes mentioned above based on the "process model";
c) Fully develop the processes, define the information security control points and form the information security management system documents;
d) Allocate appropriate resources and provide the necessary support and information to ensure effective process operation; continually measure, monitor and analyze the processes and make the necessary improvements.


5. Leadership

5.1. Leadership and Commitments

The Company commits to the establishment, implementation, monitoring, maintenance and continual improvement of its information security management system. The details are as follows:

a) Set up information security management goals to establish the aims and the direction of development of its information security management;
b) Keep communicating with clients and relevant parties to reach agreement on the Company's information security management goals; develop a scheme to realize the goals and keep improving the scheme;
c) Establish an information security management framework and ensure a correct and clear understanding of client needs, so as to effectively meet their expectations and improve their satisfaction;
d) Set up the Information Security Management Committee and specify the responsibilities of each member; carry out the task of building the system and establish related systems for its operation supervision and quality monitoring;
e) Establish and safeguard the related administrative methods, management systems and enforcement regulations for information security management according to the Company's specific conditions; specify the roles and responsibilities of each department and employee;
f) Ensure that the resources needed for the establishment and improvement of the information security management system are fully obtained and effectively allocated;
g) Carry out management audit to ensure the adaptability, comprehensiveness, completeness and effectiveness of the information security management system. For details see the "Management Review Control Process".

5.2. Information Security Policy

The information security policy is: put precaution first, classified protection, decentralization of responsibility and continual improvement.

a) Put precaution first: putting precaution first is the main theme guiding information security protection work. The Company shall take active precautions, establish information security and operational risk prevention systems, enhance staff security awareness, improve the emergency mechanism and strengthen internal security inspection, so as to realize effective precaution against potential risks;
b) Classified protection: rank information assets by their degree of importance and take protective measures appropriate to the ranking of each information asset, so as to ensure appropriate protection of eBaoTech's information assets;
c) Decentralization of responsibility: set up a hierarchical information security organization to ensure that responsibility is decentralized and implemented;
d) Continual improvement: continually improve information security management based on the PDCA model to ensure comprehensive protection of the Company's information assets throughout the process of dynamic change.

5.3. Organizational Roles, Responsibilities and Authorities

The general manager of eBaoTech is the top manager for information security management and appoints the management representatives. For the roles and responsibilities of the management representatives, see "1.2 Letter of Authorization". The top manager also determines the other roles and responsibilities for information security management; see "3 Roles and Responsibility" in the "Information Security Policy".

6. Planning

6.1. Measures of Addressing Risks and Opportunities

6.1.1 General

To ensure that the management system achieves its expected results, to prevent or reduce undesired effects and to realize continual improvement, the Company has arranged many activities for dealing with risks and opportunities and incorporated these activities into the information security management system during the planning phase.

The Company took the internal and external conditions into consideration during the planning phase and evaluates the effectiveness of these activities on a regular basis when running the system.

6.1.2 Information Security Risk Evaluation

The Information Security Management Committee is responsible for formulating the "Risk Assessment Management Policy", establishing risk assessment methods for the information security of the management system and the identified businesses, identifying, analysing and evaluating risks as required by laws and regulations, and establishing the criteria for accepting risks and identifying the acceptable level of risk.

6.1.3 Information Security Risk Treatment

The Information Security Management Committee is responsible for organizing the relevant departments to compile risk treatment plans based on the risk assessment results. Each plan specifies the department responsible for the risk treatment, the persons in charge, the treatment methods and the start and end times.

The balance between control methods and costs shall be taken into consideration when dealing with information security risks. Appropriate methods that may be adopted are as follows:

a) Control the risks by taking appropriate internal control methods;
b) Accept the risks (zero risk is impossible);
c) Avoid the risks (such as by physical isolation);
d) Transfer the risks (to an insurer, supplier, subcontractor, etc.).

The Information Security Management Committee shall organize the relevant departments to set the management goals and allocate them to each department based on the management policy, business development requirements and risk assessment results:

a) The control goals have been approved by the top manager for information security;
b) The principles for selecting the control goals and methods come from the main body and appendix of ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements.

Other control methods can be adopted if needed for the management of the Company. The residual risks remaining after risk treatment shall be approved by the risk owner.


6.2. Information Security Goal and Implementation Plan

The general goals for the Company's information security management include:

a) No more than 1 information security accident per year;
b) No more than 1 complaint from clients on information security;
c) All employees must sign a confidentiality agreement;
d) The pass rate for Company staff training on information security shall be no less than 95%;
e) The percentage of employees who violate the information security policy shall be lower than 1% of the whole staff;
f) Realize security assurance, namely the confidentiality, integrity and usability of the Company's information assets;
g) The establishment and operation of the Company's information security management system shall comply with the relevant laws and regulations of the country and with the mandatory provisions, rules, conventions, principles and agreements of the relevant regulatory bodies and competent departments.

To achieve the above goals, the Company shall draw up a plan for realizing them at the beginning of every year, as required by the system.

7. Support

7.1. Resources

The management representative shall ensure the supply and reasonable allocation of the needed resources, and the competency and skills of the relevant personnel, so as to guarantee the establishment, implementation, operation, monitoring, auditing and maintenance of the information security management system. The detailed requirements are as follows:

a) Organization

The Company shall establish a hierarchical Information Security Management Committee and the policy for managing the relevant documents, and specify the personnel working on the management of the Company's information security, to ensure the effective operation of the information security management system. For the organizational framework of the Company's Information Security Management Committee, see "Appendix I: Information Security Management System Framework Chart".

b) Roles and Responsibilities

The Company shall ensure the effective definition and classification of information security roles, responsibilities and privileges so as to ensure the effective operation of the Company's information security management system.

c) Training, Awareness and Competence

The Company shall ensure the capability of the personnel working on the management of information security, provide the necessary education and training, evaluate the effectiveness of the measures adopted, and ensure that employees are aware of the importance of the activities they engage in and of the measures they need to take to realize the information security management goals.

To ensure the capability of the relevant personnel, the Company needs to:

a) Ensure the necessary capability of the personnel working on the information security management system through internal audit;
b) Provide the necessary vocational education, skill training and other services to meet these requirements;
c) Evaluate the effectiveness of the measures adopted;
d) Keep records of staff education, training, skills, experience and qualifications.

7.2. Competence

The human resources management department shall set up and implement the "Human Resources Control Process" and ensure the competence of all personnel assigned information security management tasks. To achieve this, the following measures may be adopted:

a) Ensure that personnel are suitable for the jobs they are assigned in the information security management system;
b) Provide vocational education, skill training and other services to meet these requirements;
c) Evaluate the effectiveness of the measures adopted;
d) Keep records of staff education, training, skills, experience and qualifications.

7.3. Awareness

The Company shall ensure that staff understand the information security policy and are aware of the relevance and importance of the information security activities they engage in, the impact of violating the system requirements, and the measures they need to take to contribute to realizing the system goals.

7.4. Communication

Each department shall set up a plan for communication related to the information security management system, which includes but is not limited to:

a) The contents of the communication;
b) When to communicate;
c) Who participates in the communication;
d) Whom to communicate with;
e) Effective communication methods.

The records of the communication shall be kept for later checking.

7.5. Documented Information

7.5.1 General

The Company's information security management system documents include:

a) The management manual, as required in GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements;
b) The program documents and operation instructions, as required in GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System-Requirements, i.e. the management methods for the various processes, management provisions, implementation rules, etc.;
c) The various records and logs, as required in GB/T22080-2016/ISO/IEC 27001:2013 Information Technology-Security Techniques-Information Security Management System;
d) Other documents as required by the information security management system.

These documents are organized in four levels: the information security management manual; management methods and procedure documents; management provisions, implementation rules and operation guidelines; and records and logs, as shown below:

(Diagram 1: information security system document framework. The chart shows the four document levels: first level, the Management Manual; second level, Management Methods; third level, Management Provisions, Implementation Rules and Operation Guidelines; fourth level, Records and Logs.)

The focus of the documents on each level is as follows:

a) First level documents: the strategic document of the system, i.e. the management manual;

b) Second level documents: the procedural documents for each control domain required by GB/T 22080-2016 / ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements;

c) Third level documents: the provisions on specific information security issues, which set out the controls for specific information security risk points and the security management requirements of specific business activities;

d) Fourth level documents: the various records and reports on the operation of the information security system, which provide evidence that each activity is carried out in the specific manner required by the documents.

7.5.2 Setting up and Update

When creating and updating documented information, the Company shall identify and describe the title, date and author of the documents in accordance with the "Document Control Process" and the "Records Control Process". The documents shall be uniform in format and shall be reviewed and approved.

7.5.3 Control of Documented Information

The Company shall control all documents relevant to the information security management system so as to meet the requirements of GB/T 22080-2016 / ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements. These requirements include:

a) Ensure effective control of the drafting, review, approval, distribution, implementation, revision and disposal of documents;

b) Ensure that documents are clear and distinguishable and that version identifiers are clear for recognition and retrieval;

c) Ensure that the latest valid version of the applicable documents is available where needed;

d) Ensure that external documents are identified and that document distribution is under control;

e) Apply appropriate controls to different media and different types of documents;

f) Prevent the unintended use of obsolete documents, and label obsolete documents clearly if they are retained.

The Company shall set out provisions on the drafting, revision, review, distribution and storage of information security management system documents, and shall require that the latest versions of system documents be obtained from the designated departments. For the related control requirements see the "Document Control Process" and the "Records Control Process".

To provide evidence of conformity with the information security management system requirements and of the effective operation of the system, and to guarantee the traceability of the management process, the Company shall establish and implement provisions that ensure the completeness, identifiability and retrievability of records by stipulating the identification, collection, archiving, storage, borrowing, disposal and review of information security management records.

A corresponding records control list shall be set up, specifying the department in charge, the retention period and the archiving requirements. For the relevant control requirements see the "Records Control Process".

8. Operation

8.1. Operation Planning and Control

The Information Security Management Committee is responsible for preparing all documents required to meet GB/T 22080-2016 / ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements and the system objectives, and for implementing them within the organization. To realize the actions specified in 6.1, the Information Security Management Committee shall plan these actions and implement them within the organization according to that plan.

8.2. Information Security Risk Assessment and Treatment

The Information Security Management Committee is the centralized management body for risk assessment and treatment. It carries out risk assessment and treatment in accordance with the "Risk Assessment Control Process", taking the Company's particular circumstances into account.

The Company shall retain documented information on the risk assessment and risk treatment, including the results of the risk assessment.

9. Performance evaluation

9.1. Monitoring, Measurement, Analysis and Evaluation

The Information Security Management Committee is responsible for the centralized management of the monitoring and measurement of the Company's information security, detecting problems in the system in a timely manner and adopting effective solutions through improvement mechanisms established in accordance with the ISO/IEC 27001:2013 requirements. The Company monitors, measures, analyzes and evaluates information security through three control processes and two management policies:

a) The "Risk Assessment Control Process" stipulates the planned interval for risk assessment;

b) The "Internal Audit Control Process" stipulates the internal audit of information security within the planned interval;

c) The "Management Review Control Process" stipulates the management review of information security within the planned interval;

d) The "Information Security Incident Management Policy" stipulates the procedure for handling the Company's information security incidents;

e) The "System Effectiveness Measurement Management Policy" stipulates the contents and basis, methods, periods and procedures of the information security effectiveness checks.

9.2. Internal Audit

The Company stipulates the principles, frequency and implementation procedures for the internal audit of the information security management system, with the aim of discovering problems that might arise regarding the conformity or effectiveness of the system, adopting remedial actions in a timely manner, and maintaining the applicability, comprehensiveness, completeness and effectiveness of the Company's information security management system.

Internal audit applies to all activities related to information security within the Company. For details see the "Internal Audit Control Process".

9.3. Management Review

The Company's general manager shall chair the management review meeting every year (at intervals not exceeding 12 months) to evaluate the suitability, adequacy and effectiveness of the information security management system. The organization and implementation of the specific activities are based on the terms of the "Management Review Control Process".

The documents needed for the management review, including but not limited to the internal audit report, corrective and preventive action requests and their implementation reports, business analysis reports, the implementation status of the previous management review decisions, the information security management policy, and any need to revise the objectives, shall be prepared and provided by each department.

The participants of the management review meeting include the Company's top management and the principal person in charge of each department.

The results of the meeting shall be distributed as resolutions, minutes of the meeting or in another appropriate form, and shall be studied and implemented by each department in a timely manner.

The relevant records of the management review activities shall be kept by the principal persons in charge.

10. Improvement

10.1. Non-conformity and Corrective Measures

Corrective and preventive actions apply to non-conformities and potential non-conformities in the Company's information security management activities. Corrective and preventive measures shall be established and implemented to prevent the recurrence of existing non-conformities and the occurrence of potential non-conformities, so as to continually improve the information security management system in an effective manner. For details see the "Corrective and Preventive Control Process".

10.2. Continual Improvement

Input for the continual improvement of the system is provided by analyzing the results of internal audits and other monitoring activities and by collecting internal and external information related to information security management.

Through management review, the Company identifies the improvement needs of the management system and the reasons for deviation from the information security objectives or for the inadequacy of the existing system in adapting to its environment, establishes specific improvement measures, searches for improvement opportunities, and specifies the improvement plan in detail.

The improvement measures are implemented and their results verified. Records of the implementation process and results are kept.


Appendix I. Information Security Management

Committee Organizational Framework Chart

(Chart: Decision level: Information Security Management Committee; Monitoring level: Information Security Management Group; Implementation level: each department and its Information Security Officer; All Staff.)


Appendix II. Company Organizational Structure Chart
