Information Security Policy

1. Introduction to the ISMS

As CEO of Recurity Labs, I am committed to ensuring that our team effectively manages and secures our information assets. Our Information Security Management System (ISMS) aligns with ISO/IEC 27001:2022, providing a structured framework to protect data and uphold the trust of our customers and partners.

Safeguarding information—both our own and that of our clients—is fundamental to our business. We allocate the necessary resources to continuously strengthen our security posture and maintain compliance with industry best practices.

For informal reporting of data protection or IT security incidents, please refer to our security.txt file. This file contains the necessary contact details for incident reporting and security-related inquiries.

Nico Lindner
CEO, Recurity Labs


2. Purpose

This policy aims to:

  • Protect information assets from all threats, whether internal or external, intentional or accidental.
  • Ensure the Confidentiality, Integrity, and Availability (CIA) of information.
  • Maintain compliance with applicable laws, regulations, and contractual obligations.
  • Support the achievement of organizational objectives through effective information security risk management.

3. Scope

The ISMS at Recurity Labs is designed to establish a structured approach to managing information security risks, ensuring compliance with applicable regulations, and protecting critical assets in IT security consulting.

IT Security Audits, Workshops, and Architecture Reviews

The ISMS scope covers IT security audits, workshops, and architecture reviews related to software and hardware consulting.

Refinements to the Scope

In detail, the scope is refined as follows:

Scope Coverage

The ISMS scope includes:

  • The office location in Berlin (Germany) and remote work environments.
  • The entire consulting process, including preparation, implementation, reporting and communication.
  • Supporting infrastructure, including internal software and hardware.
  • All personnel, including internal consultants, operations, internal software teams, infrastructure personnel, and external contract personnel.

Excluded from the ISMS scope:

  • Non-consulting activities, such as marketing.
  • Non-security-related assets, including kitchen appliances and general facility equipment.

These exclusions do not affect the effectiveness of the ISMS, as the excluded activities and assets neither process nor manage sensitive customer information and are not involved in security-critical operations.

The ISMS scope is documented and regularly reviewed to ensure its continued relevance to Recurity Labs’ security requirements and objectives, considering internal process changes, external factors, and emerging risks.

4. Leadership and Commitment

Recurity Labs is committed to establishing, implementing, maintaining, and continuously improving its Information Security Management System (ISMS) and environmental sustainability practices. This commitment is demonstrated by:

  • Aligning ISMS with Business Strategy: Defining an information security policy and objectives that support Recurity Labs’ strategic direction.
  • Integrating Security into Operations: Embedding ISMS requirements into all relevant business processes.
  • Providing Adequate Resources: Ensuring the ISMS is well-supported with the necessary personnel, technology, and financial resources.
  • Fostering a Security Culture: Communicating the importance of effective information security management and compliance with ISMS requirements.
  • Ensuring Measurable Outcomes: Monitoring and verifying that the ISMS achieves its intended results.
  • Empowering the Team: Encouraging all employees to actively contribute to ISMS effectiveness.
  • Driving Continuous Improvement: Promoting an adaptive and evolving approach to security and environmental management.
  • Encouraging Leadership at All Levels: Supporting relevant management roles in demonstrating leadership in information security.
  • Commitment to Environmental Sustainability: Minimizing our environmental impact by reducing our carbon footprint, optimizing resource consumption, and adopting sustainable business practices.

5. Information Security Objectives

Recurity Labs has set the following information security objectives:

  • Objective 1: Protection of Customer Data
    Ensure the Confidentiality, Integrity and Availability (CIA) of customer data to protect it from unauthorized access, disclosure and modification.
  • Objective 2: Business Continuity
    Maintain business continuity through effective risk management and by minimizing business disruptions. Measurable targets for this objective are defined within the risk management process.
  • Objective 3: Internal Operational Security
    Ensure that internal processes are carried out in a secure and reliable manner to protect against operational risks and maintain the integrity of business operations.
  • Objective 4: Compliance and Transparency
    Comply with applicable standards, regulations and contractual obligations, as well as provide transparency towards customers regarding information security practices.

6. Roles and Responsibilities

To ensure that its Information Security Management System (ISMS) is established, implemented, maintained, and improved effectively, Recurity Labs clearly defines the following roles and responsibilities:

Key Roles and Responsibilities

  • CEO: Oversees ISMS implementation and effectiveness, approves security policies and objectives, and ensures alignment with business strategy and resource allocation for continuous improvement.
  • CISO: Manages and monitors ISMS performance, ensures compliance, conducts security risk assessments, and reports to the CEO.
  • DPO: Ensures compliance with applicable data protection regulations and advises on data privacy risks.
  • Employees & Contractors: Follow ISMS policies, report security incidents, and contribute to continuous improvement.

The ISMS team consists of the CEO, CISO, DPO and Admin roles and carries the responsibilities assigned to those roles.

7. Risk Management

Recurity Labs identifies and addresses risks and opportunities to ensure that the ISMS achieves its intended outcomes. This process involves:

  • Identifying risks and opportunities that may impact the achievement of ISMS objectives.
  • Assessing the potential impact of those risks and opportunities on information security.
  • Defining actions to address these risks and integrating them into the ISMS framework.

The actions to address risks and opportunities follow the Plan-Do-Check-Act (PDCA) cycle:

  • Plan: Define scope and requirements.
  • Do: Create or update documents.
  • Check: Validate content for accuracy.
  • Act: Apply necessary revisions.

The use of PDCA ensures that risk management is a continuous, cyclical process, providing systematic reviews, updates, and adjustments to keep the ISMS aligned with organizational goals and evolving threats.

Risk Management Process

The risk management process includes the following activities:

  • Risk identification: Recognizing potential threats to information assets.
  • Risk assessment: Evaluating the likelihood and impact of identified risks.
  • Risk treatment: Implementing measures to mitigate or manage risks.
  • Risk monitoring and review: Conducted annually, with additional assessments triggered by operational, regulatory, or security changes.
  • Risk reporting: Risks and mitigation measures are documented and reviewed by the ISMS team, including the CEO, to ensure alignment with business objectives.

8. Continual Improvement

Recurity Labs continually improves the suitability, adequacy, and effectiveness of the ISMS.

To achieve this, Recurity Labs has made continual improvement of the ISMS a core focus, integrating it into the organization’s operational and strategic activities. This commitment includes:

  • Regularly monitoring, measuring, analyzing, and evaluating the ISMS.
  • Conducting internal audits to assess compliance and performance.
  • Taking corrective actions to address nonconformities.
  • Reviewing and updating policies and procedures at least annually or whenever significant changes occur.

9. Compliance

Recurity Labs is committed to complying with all applicable information security laws, regulations, and contractual obligations. Regular audits and reviews will be conducted to ensure adherence and identify areas for continuous improvement.

Compliance with this policy is mandatory for all employees, contractors, and relevant partners. Violations may result in disciplinary action or corrective measures.

10. ISMS Review and Feedback

During annual team days, the ISMS team presents key updates to the Information Security Management System (ISMS) to all staff. This session promotes a shared understanding through open dialogue and collaboration.

Additionally, this forum serves as an opportunity to gather and document suggestions for continuous improvement of our security framework.

11. Commitment to Environmental Sustainability

At Recurity Labs, we recognize the importance of environmental sustainability and our responsibility in addressing climate change. As a small IT security firm, we are committed to minimizing our environmental impact while maintaining service excellence.

To achieve this, we pledge to:

  • Reduce Carbon Footprint and Resource Consumption: Prioritize remote work, digital-first operations, and energy-efficient technologies to minimize travel, energy use, and emissions. Actively reduce energy, water, and material consumption without compromising efficiency or quality.
  • Conserve and Responsibly Manage Resources: Optimize reuse, recycling, and waste reduction to minimize environmental impact. This includes responsible disposal of electronic waste and choosing eco-friendly, energy-efficient IT equipment.
  • Adopt Green Office and Sustainable Procurement Practices: Maintain paperless workflows, reduce single-use plastics, and promote sustainable habits within our workplace.
  • Protect the Climate and Continuously Improve: Regularly assess our environmental footprint, implement practices to reduce emissions, support renewable energy, and stay informed about technical advancements and sustainability best practices.
  • Promote Awareness and Advocacy: Encourage employees to integrate sustainability into daily operations and engage in responsible environmental behaviors.

Sustainability is an ongoing commitment, and we will continue embedding environmental responsibility into our business operations and decision-making processes.

12. Topic-specific Policies

In addition to the overarching Information Security Policy, the following topic-specific policies provide detailed guidance for specific operational areas:

  • Policy - Core Process IT Security Consulting, including:
    • Anti-Bribery and Corruption Policy
    • Security Incident Management Policy
    • Human Rights & Labour Policy
  • Policy - External Contractors
  • Policy - Internal Software Development
  • Policy - Working with Hardware and Software for Consulting Tasks
  • Policy - Working with Hardware and Software for General Operation (“Infrastructure”)

These topic-specific policies support the implementation of ISO/IEC 27001 requirements in their respective domains. While not all are published in full, extracts or additional information may be made available upon request.

13. Policy Review and Updates

This policy is reviewed at least annually, and whenever significant changes occur (see section 8), to ensure its continued relevance and effectiveness in managing information security risks. Updates are made as necessary to reflect changes in security requirements and best practices.

Approval

The CEO of Recurity Labs has formally approved this Information Security Policy, reinforcing our commitment to protecting information assets, managing security risks, and maintaining compliance with industry standards.

This policy is effective from 11 March 2025 and follows the review cycle described in section 13.

Recurity Labs
Nico Lindner, CEO

This document is based on ISMS version 2025.2