IMS Policy Statements

ISO 27001 Information Security Management System (ISMS) Policy


This policy defines how Information Security will be set up, managed, measured, reported and developed within the bank.

Scope of the ISMS

The boundaries of the Information Security Management System are defined as follows:

The Information Security Management System (ISMS) covers all applicable elements of the ISO/IEC 27001:2013 standard. It applies to the entire operations, products and services, business functions and their related information, people and technology as documented.

Information Security Requirements

A clear definition of the requirements for information security has been agreed and this is maintained. This ensures that all ISMS activities are focused on the fulfilment of those requirements. Statutory, regulatory, and contractual requirements have been documented and serve as input into planning processes. Specific requirements regarding the security of new or changed systems or services are factored in as part of the design stage of each project.

ISMS controls implemented are driven by business needs.

Top Management Leadership and Commitment

Commitment to information security extends to senior levels of the organization and is demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.

Top management ensures that a systematic review of performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through an appropriate audit programme and management processes.

Information Security Management System (ISMS) Objectives

ISMS objectives are based on a clear understanding of business requirements, informed by management review with stakeholders.

These objectives are as follows:

  • To maintain client security within the upper quartile amongst peers;
  • To meet Information and Cyber Security risk reduction and risk appetite targets;
  • To achieve compliance with all relevant Information and Cyber Security regulations; and
  • To maintain organisational and operational resilience to counter or absorb evolving cyber threats.

ISO 22301 Business Continuity Management System (BCMS) Policy

Business Continuity Management (“BCM”) system ensures that the Bank’s services remain operationally resilient through the preparation of plans, processes, controls and infrastructure to maintain  continuity of Important Business Services (IBS) during interruptions and the capability to manage any crisis impact during interruptions. Examples of interruptions include physical/climatic disasters (e.g. earthquake, tsunami, hurricane, typhoon, flooding), civil unrest, technology incidents (e.g. cyber breach, major system outage), utility outage, loss of license or  license restrictions, terrorism, and pandemics etc.

Scope of the BCMS

The requirements detailed in this Policy apply to all SCB Nigeria Departments and Branches.

Important Business Services (IBS)-The Bank has identified a list of prioritized services for which are built high levels of operational resilience/continuity through the life cycle of the service in anticipation of operational disruption.

Impact tolerance Statements (ITS)- The bank has articulated its tolerance for impact to an IBS to specify the maximum tolerable duration of disruption to an IBS beyond which it could pose intolerable harm to clients, stability of financial markets or firm’s safety and soundness. All processes supporting the delivery of IBSs have identified resilience risks and controls relevant to their remit including risks and controls associated with the underpinning operational assets (i.e. technology, third parties, facilities, people, and information) supporting IBS.

Top Management Leadership and Commitment

The Chief Executive Officer (CEO) has overall responsibility for ensuring the development and implementation of the Business Continuity Management System and Framework, and defining specific second line control requirements, processes and standards against the framework Management commitment to business continuity is demonstrated through this BCMS Policy and the provision of appropriate resources to enable the BCMS framework implementation. Top management ensures periodic review of BCMS program performance through the Crisis Management Group (CrMG) to ensure that objectives are being met and issues are identified through an appropriate audit program and management processes.

Business Continuity Management System (BCMS) Objectives

  • To comply with ISO 22301 BCM Standard
  • To ensure the health, safety, security and welfare of staff and where appropriate customers.
  • To control the immediate and developing situation whilst continuing operations with minimum disruption.
  • To ensure restoration and continuity of Important Business Services within determined recovery time objectives
  • To minimise loss or damage and maintain business confidence / reputation.
  • To maintain effective communications internally, with interested parties (customers, the media, shareholders regulatory bodies etc.
  • To comply with relevant regulatory requirements during disruptive incidents