Information Security Policy (Public Summary)

Our Commitment to Information Security

At Comparo AB, protecting the confidentiality, integrity, and availability of information is fundamental to our operations. We maintain a robust and adaptive Information Security Management System (ISMS) aligned with ISO/IEC 27001:2023 and guided by internationally recognized standards such as ISO/IEC 27002 and ISO 31000.

Purpose

The purpose of this policy is to ensure a risk-based, systematic, and continuous approach to securing information assets across our organization and services. It applies to all employees, consultants, suppliers, and partners.

Policy Objectives

  • Protect customer and internal information through organizational, technical, and physical safeguards
  • Manage risks proactively and respond effectively to security incidents
  • Ensure legal and regulatory compliance (e.g., GDPR)
  • Maintain strong access controls and information classification
  • Promote security awareness and a culture of continuous improvement

Risk Management

Comparo performs regular risk assessments to identify threats, vulnerabilities, and critical areas for improvement. Our methodology follows ISO 31000 and ISO/IEC 27005. We address risks via mitigation, acceptance, transfer, or avoidance strategies. Risks are evaluated using a quantitative model based on impact and likelihood, ensuring actionable prioritization.

Security Principles

  • Data Protection: Customer and internal data are encrypted in transit and at rest. Zero Trust and least privilege principles are enforced.
  • Incident Management: We operate an incident response framework with detection, escalation, containment, and lessons learned.
  • Compliance: Comparo adheres to GDPR, ISO 27001, and other applicable legal requirements. Regular audits and Data Protection Impact Assessments (DPIAs) are conducted.
  • Access & Classification: Access is role-based, enforced with MFA, and reviewed periodically. All information is classified and handled according to its sensitivity.

Compliance

  • Comparo’s ISMS governance is aligned with best practices outlined in ISO/IEC 27014 and COBIT 2019, ensuring structured oversight, performance measurement, and accountability.
  • All customer data is stored within the EU in compliance with GDPR and data residency requirements. Comparo does not transfer personal data outside the EEA without appropriate safeguards (e.g. SCCs).
  • A full mapping of this policy to ISO/IEC 27001:2022 Annex A controls is available upon request.

Contract Compliance & Assurance

Comparo implements structured controls to ensure all contractual obligations with clients — including security, confidentiality, and service-level requirements — are continuously met.

These controls include, but are not limited to:

  • Internal mapping of contractual requirements to operational processes, including technical, organizational, and reporting obligations
  • Dedicated client engagement leads responsible for contract adherence, supported by role-based access and separation of duties
  • Quarterly internal reviews against SLAs, data protection clauses, and security controls defined in contracts
  • Use of secure documentation systems to track deliverables, audits, and nonconformities
  • Escalation routines for deviations or contractual risks, tied to incident management and customer communication protocols
  • Independent internal reviews for high-sensitivity clients (e.g. defense, financial services, or critical infrastructure)

Supply Chain & Vendor Risk Management

  • Comparo maintains a documented supplier risk management process, including due diligence, contractual safeguards, and ongoing evaluation of third-party services and subprocessors.

Examples of Safeguards

  • Role-based access control (RBAC) integrated with Microsoft 365 and Azure AD
  • Endpoint protection and data loss prevention (DLP) across all devices
  • Immutable backups and air-gapped storage for critical data
  • Structured response playbooks for phishing, malware, and insider threats

Roles & Responsibilities

  • Leadership is responsible for strategic oversight, resourcing, and commitment
  • CISO oversees ISMS governance, controls, and continuous improvement
  • Comparo maintains CISM (Certified Information Security Manager) certification in-house, ensuring leadership-level expertise in information risk management, compliance, and IS governance
  • IT Manager is accountable for technical safeguards and system monitoring
  • All personnel are expected to follow policies, report incidents, and protect data

Ongoing Improvement

  • Annual risk assessments and internal audits
  • Regular policy and control reviews in alignment with ISO 27001 Annex A
  • Mandatory security awareness training for all staff
  • Continuous refinement of controls based on incidents and threat evolution

Compliance & Enforcement

Violations of this policy may result in disciplinary action and potential legal consequences. Information security is a shared responsibility and essential to maintaining trust with our clients and partners.