Information Security
We at Plusoft Group, an organization composed of the companies Plusoft Informática S.A., DTM Marketing de Relacionamento Ltda., Inpaas Soluções em TI Ltda., Edusense Educação Ltda., are committed to protecting your privacy. The purpose of this content is to clarify what information is collected from users of our website, how this data is used and with whom it is shared, aiming for greater transparency in the relationship between Plusoft and the user.
Plusoft has been ISO27001 certified since 2017, and in 2023 we recertified under the new ISO27001/2022 standard. We adhere to the 93 controls set forth in the standard, which ensures the maturity of our entire Security process.
As we work with technology-based solutions, we recognize the risks associated with possible information leaks or losses. For this reason, we dedicate special attention to every aspect of information security. In addition to operating in compliance with current legislation, including the General Data Protection Law (LGPD, Law 13.709/2018), we implement a series of formal procedures to identify and mitigate potential threats. To that end, we have established strict processes for our activities through the adoption of a variety of internal policies, which are constantly reviewed and updated. These include:
Information Security Policy (PSI): this policy applies to the entire organization and aims to prevent misuse and unauthorized destruction or disclosure of information owned by Plusoft. Its purpose is to ensure business continuity and maximize return on investments and opportunities;
Cloud Information Security Policy: created to establish additional and specific guidelines for the OMNI Plusoft customer relationship solution – or any other solution under the management of the Infrastructure area, which is a customer of the cloud service. The document guides employees to seek continuous improvement in activities related to planning, execution, analysis of their processes/products, protection of the security of generated information, and the correct functioning of the Information Security Management System;
Corporate Privacy Policy: the purpose of this content is to clarify what information is collected from users of our website, how this data is used, and with whom it is shared, aiming for greater transparency in the relationship between Plusoft and the user;
SOA (Statement of Applicability): clarifies which ISO27001/2022 controls we adopt in our business model;
Incident Communication Plan: definition of processes to be followed for Communication between Plusoft and its clients about incidents;
Business Continuity Plan: Plusoft Informática S.A. is committed to ensuring business continuity in the event of anomalous events that may compromise the normal functioning of its activity, safeguarding the interests of its clients, employees, and other interested parties. This policy applies to the entire organization;
Corporate Data Protection Policy: data protection in the processing of information from our clients and consumers today represents one of the major assets to be protected in our structure. For this reason, in compliance with data protection legislation, the Plusoft Group has prepared this Corporate Data Protection Policy;
Clean Desk and Screen Policy: this policy aims to raise awareness of good practices, in both face-to-face and remote work, for ensuring that sensitive information in digital and physical formats is protected. It requires that assets (notebooks, cell phones, tablets, etc.) are not left unprotected in personal or public workspaces when not in use, or when someone leaves their work area, whether for a short period or at the end of the day.
Information Security E-book – Learn how Plusoft protects the data of customers, employees, and partners.
We also maintain other internal documents that ensure the maturity of our entire process:
Change Management Standard: the objective of this standard is to provide guidelines for Plusoft’s Change Management process, addressing technical, organizational, and Information Security aspects. With this policy, we want to obtain transparency and security in work routines, mitigating risks and impacts in the process of updating artifacts or components of the infrastructure assets of the customer relationship solution – or any other solution under the management of the Infrastructure area;
Awareness Plan: this Plan aims to define the Information Security awareness program for all Plusoft employees;
Internal Disciplinary Sanction Policy: the objective of this policy is to inform and guide on the penalties for non-compliance with the Information Security guidelines and the Code of Ethics and Conduct, ensuring that all involved share responsibility for security processes and for the integrity, availability, and confidentiality of information assets, and seeking continuous improvement in activities related to planning, execution, analysis of processes/products, and protection of the security of generated information;
Continuous Improvement Methodology: definition of guidelines for periodic execution of a continuous improvement process, which seeks to improve existing controls or the viability of new controls, mitigating identified threats and risks;
Risk Analysis Methodology: provides guidelines for the Information Security risk management process, meeting the requirements of an information security management system (ISMS) in accordance with ABNT NBR ISO/IEC 27001. The methodology defines the criteria for risk identification and assessment, the documentation of valid and consistent results, the risk acceptance criteria, and the identification of those responsible;
Human Experience Management Standard: this standard defines the guidelines for the process of selection, hiring, movement, and termination of employees regarding management of Plusoft’s infrastructure area or corporate environment;
Secure Development Standard: aims to ensure efficient management of the software development and approval process, considering the requirements for acquisition, development, and maintenance of information systems addressed in the ISO 27001 standard;
Updates Management Standard: this standard aims to define guidelines for managing updates, corrections, and vulnerabilities of assets, in order to prevent the exploitation of technical vulnerabilities;
Operations Management Standard: this standard aims to define rules and procedures for monitoring, operational capacity, and administration of information technology environments and systems;
Physical and Environmental Security Standard: this document provides guidelines for access management of the customer relationship solution. The standard also establishes rules for physical access to environments and areas containing information and other associated assets, meeting the requirements of an information security management system (ISMS). In this way, we ensure that only authorized people have access to data when necessary, preventing unauthorized access, damage, or interference to information systems or information processing areas;
Documentary Information Management Standard: the objective of this standard is to provide guidelines for Plusoft’s document management, addressing technical, organizational, and information security aspects;
Endpoint Device Standard: this standard complements the Information Security Policy for the specific scope of regulating the use of endpoint devices;
Acceptable Use of Assets Standard: this standard defines the rules and procedures for identifying, handling, and classifying organizational assets that are under Plusoft’s ownership or custody;
Communications Security Standard: definition of security rules and procedures in communications involving the organization’s assets, with the main objective of mitigating risks to the scope in which the assets are involved;
Information Management and Classification Standard: definition of rules and procedures for information classification, documentation, and records, ensuring that information owned by Plusoft, or under its custody, receives a level of protection appropriate to its degree of confidentiality and that its confidentiality, integrity, and availability are guaranteed;
Relationship with Suppliers and Service Providers Standard: maintenance of the agreed level of information security in relationships with suppliers and service providers;
Information Security Event Management Standard: provision of guidelines for the Incident Management process, meeting the requirements of the Information Security Management System (ISMS) in accordance with ABNT NBR ISO/IEC 27001;
Access Control Standard: this document provides the necessary guidelines for access management to the customer relationship solution, meeting the requirements of an information security management system (ISMS), thus ensuring that authorized users obtain access when necessary and preventing unauthorized access to information systems;
Remote Work Standard: protection of information accessed, processed, or stored outside the facilities;
Audit Plan: establishment of the internal audit program at planned intervals, providing information on how to maintain an audit program, including frequency, methods, responsibilities, planning requirements, and reports. This audit program takes into account the importance of relevant processes and the results of previous audits;
Information Security Management System Manual: this manual aims to establish the guidelines and functioning of the Information Security Management System, guiding its employees to seek continuous improvement in activities related to planning, execution, analysis of their processes/products, and protection of the security of generated information;
Impact Analysis: identifies the most relevant activities in the Production Infrastructure and assesses the impacts in adverse scenarios such as contingencies or disasters;
SOA (Statement of Applicability): clarifies which ISO27001/2022 controls we adopt in our business model and which documents justify the adoption or non-adoption of each control.