
5. Security Policy Management

5.1 Provide management direction and support

5.1.1 Develop your information security policies



Information Security Policy



The Scandiatransplant IT-system is considered a most critical resource, which is why there is an emphasis on reliability, quality and confidentiality. The Scandiatransplant office recognizes the need for its users and employees to have access to the information they require in order to carry out their work and recognizes the role of information security in enabling this.

This information security policy defines the framework within which information security will be managed in the Scandiatransplant office. This policy is the primary information security policy under which all other security-related policies reside.



It is important to ensure that the security level is high and that information is treated with due confidentiality to give the best possible service to the recipients waiting for an organ, support the activity in general in the Nordic transplantation community and to maintain Scandiatransplant’s credibility.

This policy is applicable to and will be communicated to all employees at the Scandiatransplant office.



  • Accessibility and recovery – to have a high uptime percentage, rely on good backup recovery procedures for recovering data and build contingency plans for critical hardware failure. To a great extent, to use open source software to be independent of supplier(s).
  • Integrity – minimized risk of manipulation and function errors in both data and system.
  • Confidentiality – data processing, transmission and storage must be treated with confidentiality.
  • Access requirements – approval of new user before granting access, password allowing only authorized users to gain access to required applications, regular check of user activity.
  • System development – to have a process development plan describing how to develop, document, test, implement and monitor all new parts of the IT systems.


Organization & responsibility

All employees must be familiar with, relate to and comply with the information security policy in their daily work.

All persons are considered as possible causes of security breaches, i.e. no group of people should be beyond safety regulations.

The Scandiatransplant office wishes to maintain and continuously enhance information security based on the requirements outlined in ISO 27000, 27001, 27002 and 27799. Furthermore, it wishes to be in compliance with the regulations outlined in GDPR, which became effective in every EU member state in May 2018.

The Medical Director is ultimately responsible for the maintenance of this policy and for compliance within the Scandiatransplant office. This policy has been approved by the Scandiatransplant board.

The Medical Director must, together with the board, work with the security policy at a strategic level and make sure that it supports the vision and the objectives of the IT strategy. Furthermore, this policy should conform to all existing rules, regulations and appropriate laws.


Assets and risk analysis

It is important to be aware of Scandiatransplant’s information assets to protect corporate assets from internal and external risks, including items such as valuable and sensitive data that needs to be kept secure and confidential.

Scandiatransplant does not wish to eliminate every risk at any cost; however, it is necessary to be aware of risks, relate satisfactorily to these and establish an adequate level of security.
All employees must preferably be involved in the risk assessment and are responsible for assessing threats, consequences and risks of the IT system and other relevant areas.


No Updated Update by Approved Approved by Public
Scandiatransplant board
1.1 2018-07-06 IDW 2018-07-09 KAJ 2018-07-09

5.1.2 Review your information security policy document

Do “we do what we say and say what we do”?


This policy is applicable to and will be communicated to all employees at the Scandiatransplant office.

- All new employees will be asked to read and comment on the policy

- The policy must be reviewed and discussed once a year either by management and/or by the entire Scandiatransplant office.

- New members of the Scandiatransplant board will be introduced to the policy


Review date    Review done by
2018-07-06     IDW