Information security policy of Digital Iceland
Purpose
Trust in digital communications rests on information security. Responsible and secure handling of information and data is fundamental to the services of Digital Iceland, which enable trusted digital communication between the public and businesses on one side and the government on the other.
Confidentiality, accuracy, availability and integrity of information are the guiding principles of information security at Digital Iceland. Users of Digital Iceland services should always be able to trust that those services are designed, implemented and operated with information security and the protection of personal data as their guiding principles.
Information Security Policy
This information security policy covers all services and technical infrastructure that Digital Iceland (Ísland.is) develops and operates, as well as the requirements made to staff and service providers.
The Chief Executive Officer of Digital Iceland is responsible for information security and for ensuring that appropriate information security requirements are met. The CEO ensures that sufficient resources are available and assigns responsibility for information security tasks to the appropriate parties. The CEO also appoints the Information Security Committee of Digital Iceland, which is responsible for the administrative review and implementation of the security policy. All parties involved in providing services to Digital Iceland (Stafrænt Ísland) are obligated to protect information, data and systems against unauthorized access, modification, use, disclosure, destruction, loss or transfer.
The main goal of Digital Iceland's information security policy is to promote trust, security and reliability in the use of digital services for all stakeholders, including users and service providers. A further goal is to ensure compliance with laws and regulations governing the handling of information, and with Digital Iceland's contracts.
The security of data and of information systems is a critical component of Digital Iceland's operations. This security is achieved through ongoing risk assessment and resource management, balancing risk mitigation against opportunities for improvement across all projects and services. Digital Iceland's security posture is informed by international standards and measures, including the policies and procedures of an Information Security Management System (ISMS). The ISO 27001:2017 standard serves as the key reference for information security controls, in line with government directives to public bodies and with applicable legislation and procedures.
Services and operations shall consistently limit both the scope and the duration of processing of personally identifiable information, so that such data is retained and used for the shortest feasible time.
Digital Iceland is committed to continually improving and evolving its information security framework and to integrating those improvements into internal operations, service agreements and contracts. Information security is an integral part of project design and development, from inception to completion.
Security breaches affecting the confidentiality, integrity or availability of information and services operated by Digital Iceland must be reported without delay. Depending on the nature of the breach or incident, it may also have to be reported to external parties in accordance with laws and regulations. In its role as a processor, Digital Iceland informs the controller of the personal data concerned of all reports and incidents relating to the security of that data.
Digital Iceland applies the same requirements for competence and capacity in information security and data protection to internal and external parties alike. These requirements shall be reflected in employment contracts, tender documents, contract clauses and project specifications, as appropriate to the service in question. Contracts contain confidentiality clauses covering the handling of confidential information and access to the systems that process it. Requirements placed on service providers also include secure design and privacy by design.
This policy shall be reviewed by the Information Security Committee at least once a year or more often if internal or external changes warrant it.
The policy is approved by the CEO of Digital Iceland and enters into force on 10.10.2024
The Security Manager of Digital Iceland is responsible for developing, implementing and supervising all aspects of the security policy of Digital Iceland to protect infrastructure, services and data against potential cyber threats. This role includes:
Security policy and compliance: Developing and updating security policies and priorities, ensuring that they meet national and international standards and requirements, and that they are followed within Digital Iceland and by its partners.
Risk management: Identifying, evaluating and reducing security risks through regular audits and analyses.
Incident management: Leading the framework for responding to security incidents, including the review of incidents and failures, countermeasures, and the restoration of systems and data.
Security awareness and training: Promoting security awareness and delivering security training so that all staff of Digital Iceland and its partners are informed about best practices and possible threats.
Technical solutions: Evaluating and implementing security solutions to protect the infrastructure and services of Digital Iceland.
Coordination and collaboration: Working with other ministries, institutions and external parties to strengthen the overall security of Digital Iceland.
Reporting: Reporting on security status, incidents and developments to senior management and relevant stakeholders on a regular basis.
The objective of the Security Manager is that the infrastructure and software solutions of Digital Iceland meet security and resilience requirements and can provide users with uninterrupted service.