1. Management system policy

Purpose

The organization promotes production/service delivery policies that reconcile the needs for economic development and value creation inherent to business activities with the requirements for environmental protection, social responsibility and information and data security. It also undertakes to comply with applicable laws while encouraging the dissemination of a culture of respect for legal principles.

Field of Application

This document outlines the management system policy for 1MED SA. It affirms the commitment to the Information Security Management System (ISMS) and its continual improvement. This policy applies to all personnel, processes, and information assets within the organization. It provides the framework for establishing and reviewing information security objectives, ensuring they align with the company’s strategic direction as a contract research organization (CRO) serving the medical device and pharmaceutical industries.

Management System Commitment and Objectives

Top Management at 1MED SA establishes and endorses this policy to affirm its commitment to the Information Security Management System (ISMS). This policy is appropriate for 1MED SA’s purpose as a contract research organization (CRO) providing regulatory, clinical, and quality assurance services to the medical device and pharmaceutical industries. It reflects the strategic importance of protecting the confidentiality, integrity, and availability of all information assets, particularly sensitive client data related to clinical trials and regulatory submissions. 

Top Management is committed to: 

• Fulfilling all applicable legal, statutory, regulatory, and contractual requirements related to information security. 
• The continual improvement of the ISMS to enhance information security performance. 
  
  

This policy provides the framework for establishing and reviewing information security objectives. Information security objectives shall be: 

• Consistent with the strategic direction and context of the organization. 
• Aligned with the core goals of preserving the confidentiality, integrity, and availability of information. 
• Derived from the outcomes of the information security risk assessment and treatment processes detailed in the “PRO Risk management procedure”. 
• Measurable, where practicable, and monitored for performance. 
• Reviewed for continued suitability during management reviews.

2. Information security policy

Purpose

The purpose of this policy is to declare and communicate Top Management’s commitment to protecting the organization’s information assets. This document defines the framework for establishing, implementing, maintaining, and continually improving the Information Security Management System (ISMS), with the aim of protecting the confidentiality, integrity, and availability of information and supporting the company’s strategic objectives.

Field of Application

This document defines the information security policy for 1MED SA. It establishes the overarching principles and objectives for protecting the company’s information assets. This policy applies to all employees, contractors, third-party service providers, and other interested parties who access, process, or manage 1MED SA’s information and systems. The framework is established in alignment with the requirements of the ISO/IEC 27001 standard to ensure the confidentiality, integrity, and availability of information.

Objectives

1MED SA is committed to protecting the confidentiality, integrity, and availability of its information assets to maintain stakeholder trust and ensure operational excellence. Top Management shall establish, maintain, and review information security objectives that are aligned with the company’s strategic direction. 

The primary objectives for information security at 1MED SA are: 

• Confidentiality: To protect sensitive information, including client data, clinical trial results, and intellectual property, from unauthorized access, use, or disclosure. 
• Integrity: To ensure the accuracy, completeness, and reliability of all information and processing systems throughout the entire data lifecycle, particularly for regulatory, preclinical, and clinical services. 
• Availability: To ensure that information systems and services are accessible to authorized users when needed, supporting uninterrupted business operations and client services. 
• Compliance: To meet all applicable legal, statutory, regulatory (e.g., GDPR), and contractual requirements related to information security. 
• Continuous Improvement: To continually enhance the Information Security Management System (ISMS) by monitoring performance, assessing risks, and adapting to new threats and opportunities.