
Integrated Management System Policy
1. ISMS Policy
GenoGra’s Top Management commits to establish, maintain, and continually improve an Information Security Management System (ISMS) compliant with ISO/IEC 27001:2022, integrated with privacy (GDPR) and the ISO/IEC 27701 extension, and with the intention of developing a Quality Management System compliant with ISO 9001:2015, in order to:
Protect the confidentiality, integrity, and availability of information (CIA).
Apply a risk-based approach to identify, assess, and treat security risks.
Comply with applicable laws and contractual obligations (GDPR, contracts, SLAs).
Define roles and responsibilities, train personnel, and promote a security culture.
Establish measurable objectives and review them periodically.
Ensure the necessary resources are available (people, technologies, budget).
Continually improve the ISMS through audits, indicators, corrective actions, and Management Review.
1.1 Scope of application of the policy
This policy applies to all GenoGra personnel and covers the information security controls and processes related to the GenoGra platform services, the supporting IT infrastructure, the hosting environment, and the key operational processes. Physical data-center infrastructure managed by providers and customer on-premises systems are excluded, except where responsibilities are explicitly shared by contract.
For privacy (GDPR) matters, GenoGra follows its internal Overall Privacy Policy and Privacy by Design and by Default documents, together with all related internal policies, procedures, and records derived from that framework.
1.2 Communication, awareness, and training
This policy is distributed to all personnel; onboarding and an annual refresher are mandatory. Privileged roles receive additional training. Training KPIs are monitored.
1.3 Compliance and exceptions
Deviations/exemptions must be formally requested, assessed in terms of risk, and approved by the ISMS Manager and, where necessary, by Top Management.
1.4 Document management and lifecycle
This policy is subject to document control (versioning, publication). It is reviewed at least annually or whenever significant changes occur.
2. ISMS Objectives
The pillars of our Integrated Management System (Quality, Information Security, and Personal Data Protection) provide a stable guide for the evolution of the organization and the GenoGra platform. In particular, we steer our work towards developing and delivering services according to principles of quality, security, and privacy; protecting and governing data with appropriate traceability and access control; ensuring operational continuity and service reliability; and managing suppliers and external dependencies in a structured manner. Alongside these, we emphasize readiness in handling events and incidents, attention to customer-perceived quality, and the continuous growth of internal skills and awareness. These elements define the system’s direction and serve as the reference for organizational and technical decisions, regardless of the specific evolution of projects and annual results.
3. Risk acceptance criteria
“Critical” risks are not acceptable without an approved treatment plan; “Relevant” risks are acceptable with deadlines and mitigation plans; “Minimal” risks are acceptable with monitoring. Exceptions must be formalized and time-limited.
4. Monitoring, reporting, improvement
KPIs are monitored quarterly and reviewed during the annual Management Review.
Internal audits are planned on a risk basis; nonconformities and corrective/preventive actions (CAPA) are tracked to closure.
The Statement of Applicability (SoA) is updated whenever relevant changes occur (new controls, suppliers, risks).
5. Roles and responsibilities
Top Management: defines direction, approves the policy/objectives, allocates resources, chairs the Management Review.
ISMS Manager: coordinates risk/SoA, monitors KPIs, manages audits/CAPA, proposes improvements.
IT/SecOps: implements technical controls (identity and access management, endpoint protection, logging, business continuity and disaster recovery).
Product/Dev: secure SDLC, CI/CD, secrets management, change management.
Business/Privacy Lead/GDPR: contracts/SLAs, suppliers, training, communications, DPA.
Version: v1.0 — 09/01/2026