KongaPay Integrated Management System Policy

1. Introduction

KongaPay is committed to adding value to its stakeholders through its service offerings, including licensed Mobile Money Operations, Payment Services and Solutions.

Policy Statement

KongaPay is committed to ensuring that its business operates smoothly and that its products and services satisfy the requirements of the Integrated Management System (information security management system, business continuity management system and service management system) for the benefit of its customers, shareholders, and other stakeholders. It is dedicated to upholding service level agreements (SLAs) and facilitating efficient and regulated cooperation with stakeholders and outside vendors to accomplish smooth IT service delivery in compliance with relevant legal mandates and industry norms.

Applicability of Policy

This policy applies to all staff of KongaPay and external parties (such as service providers) that are involved in the operations of the integrated management system.

Benefit of Policy

The operation of this IMS has many benefits for the business, including:

  • Significantly reduced risk of reputational damage, legal penalties, or loss of business revenue due to the loss of sensitive or Personally Identifiable Information (PII).
  • Peace-of-mind assurance to our customers, staff, board members, suppliers, and other interested parties that their data is secure.
  • An ability to bid for and respond to tenders for business where ISO/IEC 27001 certification is a requirement.
  • A public demonstration that KongaPay takes information security seriously.
  • Internal and external recognition of the quality of the information security controls in place.
  • Year-on-year improvement in the security of our (and our customers') information assets because of the continuous improvement aspects of the standard.
  • A strong move away from reactive firefighting towards proactive security incident reduction.
  • Better alignment of information security controls with the needs of the business and our customers through regular review meetings with interested parties.
  • Better perception and awareness of information security issues within the business, our customers, and the internal IT user population.
  • An improved ability to manage information security breaches if they do occur, so reducing reputational damage and limiting business impact to us and our customers.
  • Reduce operational downtime: Operational downtime can lead to significant financial losses, as every moment of inactivity can equate to lost revenue.
  • Boost brand trust: KongaPay's ability to maintain operations and recover rapidly from disruptions can significantly bolster its image.
  • Protect business assets: In KongaPay, assets such as data, intellectual property, and physical infrastructure are invaluable. Business continuity plans emphasise the protection of these assets and ensure their security and integrity.
  • KongaPay's business operations depend on its supply chain. By securing the supply chain, KongaPay can prevent potential disruptions and maintain consistent service or product delivery.
  • Delivery of best-in-class IT Services tailored to meet business requirements and satisfy customer expectations while complying with industry-leading practices and regulatory standards.
  • Constantly improve the effectiveness and performance of the SMS and overall service quality to ensure consistent delivery of value to customers.
  • Establish and operationalize a systematic incident management process for prompt identification and resolution of issues in the event of any service disruptions or incidents to minimize the impact on customers.
  • Foster and maintain productive relationships with relevant stakeholders (network operators, payment gateways etc.) to ensure service excellence in line with defined industry and regulatory guidelines.

This integrated management system policy document defines KongaPay's overall policy regarding integrated management that is appropriate for KongaPay's strategic business aspirations and delivery model, and includes:

  • A framework for setting integrated management system objectives
  • A commitment to satisfying applicable requirements
  • A commitment to continual improvement of the IMS

This policy will be communicated within the organisation and to all relevant stakeholders and interested third parties.

2. Integrated Management System Policy

2.1 Setting Integrated Management System Objectives

The high-level objectives for the Integrated Management System within KongaPay are defined within the document Integrated Management System Context and Requirements.

These overall objectives will be used as guidance in the setting of lower-level, more short-term objectives for IMS planning within an annual cycle timed to coincide with organisational budget planning. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the overall business requirements and how they may change during the year.

Integrated management objectives will be documented in the Integrated Management System Plan for the relevant financial year, together with details of a plan for how they will be achieved. Once approved, this plan will be reviewed on a quarterly basis as part of the management review process, at which time the objectives will also be reviewed to ensure that they remain valid. If amendments are required, these will be managed through the organisational change management process.

2.2 Commitment to Satisfying Applicable Requirements

KongaPay's leadership ensures compliance with regulatory requirements and quality objectives.

Commitment to the delivery of information security, service management and business continuity extends to KongaPay's top management, which is demonstrated through this Integrated Management System Policy and the provision of appropriate resources to establish and develop the Integrated Management System.

Top management will also ensure that a systematic review of the performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through the audit programme and management processes. Management review can take several forms, including departmental and other management meetings. Within the management system, there are a few key roles that need to be undertaken to ensure the success of the IMS and protect the business from risk.

The Information Security Manager, Service Manager and Business Continuity Manager shall have overall authority and responsibility for the implementation and management of the Information Security Management System, Service Management System and Business Continuity Management System, respectively, specifically in:

  • The identification, documentation and fulfilment of applicable requirements.
  • Assigning authorities and responsibilities for the implementation, management and improvement of ISMS, SMS and BCMS processes respectively.
  • Integration of business processes with the ISMS, SMS and BCMS respectively.
  • Compliance with statutory, regulatory and contractual requirements in the management of assets used to deliver products and services.
  • Reporting to top management on performance and improvement of the ISMS, SMS and BCMS respectively.

It is also the responsibility of the ISMS, SMS and BCMS managers to ensure that employees understand the roles they are required to fulfil and that they have appropriate skills and competence to do so.

KongaPay will ensure that all employees involved in information security, service management and business continuity management are competent based on appropriate education, training, skills, and experience.

The skills required to ensure competency will be determined and reviewed on a regular basis together with an assessment of existing skill levels within KongaPay. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place.

Training, education and other relevant records will be kept by the HR Department to document individual skill levels attained.

KongaPay makes use of various third parties, both internal and external, in the delivery of products and services to its customers. Where this involves the operation, on behalf of KongaPay, of a business process or part of a process that falls within the defined scope of the IMS, this is identified in the IMS Plan.

In all cases, KongaPay will retain governance of the relevant IMS processes by demonstrating:

  • Accountability for the process
  • Control of the definition of and interface to the process
  • Performance and compliance monitoring
  • Control over process improvements

This will be evidenced by documents and records such as contracts, meeting minutes and performance reports.

2.3 Continual Improvement of the IMS

KongaPay's policy on Continual Improvement of the IMS is to:

  • Continually improve the effectiveness of the Integrated Management System across all areas within scope
  • Enhance current processes to bring them into line with good practice as defined within ISO 27001, ISO 20000 and ISO 22301
  • Achieve ISO 27001, ISO 20000 and ISO 22301 certification and maintain it on an on-going basis
  • Increase the level of proactivity (and the business perception of proactivity) with regard to the on-going management of business continuity
  • Achieve an enhanced understanding of, and relationship with, the business units to which the IMS applies
  • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data and feedback from relevant sources
  • Obtain ideas for improvement via regular review meetings with stakeholders and document them
  • Review ideas for continual improvement at regular management meetings to prioritise them and assess timescales and benefits

Ideas for improvements may be obtained from any source including customers, suppliers, employees, risk assessments and audits. Once identified they will be documented and evaluated by the staff member responsible for continual improvement.

2.4 Planning Changes to the IMS

A need for change to the IMS may arise from any number of sources, including the continual improvement process, events related to the internal and external context of the organization (such as internal re-organizations or mergers and acquisitions) or an increase or decrease in its scope.

Where changes arise, they must be carried out in a planned manner so that the required adjustments are approved and implemented in areas such as:

  • Adjustment of the scope of the IMS
  • Allocation of resources
  • Assignment of roles and their associated responsibilities and authorities
  • Required competence levels
  • Communication of the purpose and nature of changes
  • Documented information required to support the change

2.5 Approach to Managing Risk

Risk management will take place at several levels within the Integrated Management System, including:

  • Integrated management planning - risks to the achievement of objectives
  • Business continuity risk assessment & IMS risk assessment
  • Assessment of the risk of changes as part of the IMS change management process
  • At the project level as part of the management of significant business change

High-level risk assessments will be reviewed on an annual basis, or upon significant change to the business environment. For more detail on the approach to risk assessment, please review the document Risk Assessment and Treatment Process.

Once in place, it is vital that regular reviews take place of how well business continuity management processes and procedures are being adhered to. This will happen at three levels:

  1. Structured regular management review of conformity to policies and procedures within KongaPay
  2. Internal audit reviews against the ISO 27001, ISO 20000 and ISO 22301 standards by the Internal Audit Team
  3. External audit against the standard to gain and maintain certification to ISO 27001, ISO 20000 and ISO 22301.

Details of how internal audits will be carried out can be found in the Procedure for Internal Audits.

2.6 Control of Documents and Records

All integrated management system policies and plans that form part of the IMS must be documented. The way in which these documents are created and managed through their lifecycle is set out in the Procedure for the Control of Documented Information.

All documents in the IMS are uniquely numbered and the current versions are tracked; see the document Documentation Log.

The keeping of records is a fundamental part of the Integrated Management System. Records are key information resources and represent evidence that processes are being carried out effectively.

The controls in place to manage records are also defined in the document Procedure for the Control of Documented Information.