Information Security Policy

Approved by the resolution of the Board of Directors of “Ateshgah” Insurance Company JSC dated September 22, 2025

INFORMATION SECURITY POLICY

Revision No: 2

TABLE OF CONTENTS

  1. INTRODUCTION

  2. SCOPE

  3. OBJECTIVES

  4. PRINCIPLES

  5. DISTRIBUTION OF RESPONSIBILITY

  6. EXPECTED OUTCOMES

  7. RELATED DOCUMENTS

  8. SPECIAL REQUIREMENTS

  9. FINAL PROVISIONS

1. INTRODUCTION

1.1. Mission. “Ateshgah” Insurance Company (hereinafter referred to as the “Company”) strives to remain a leader in the financial sector through innovation, by preserving the cultural heritage of the Republic of Azerbaijan and promoting a prosperous and ecologically clean future for the country. The Company prioritizes its commitment to high-quality standards that ensure reliability and information security in the provision of insurance services.

1.2. Purpose of the Policy. The Information Security Policy (hereinafter referred to as the “Policy”) is aimed at protecting the confidential and critical information of the Company, its clients, and partners. It has been developed in accordance with the legislation of the Republic of Azerbaijan and the requirements of the Central Bank of the Republic of Azerbaijan concerning the provision of information security.

2. SCOPE

2.1. The Policy applies to all Company employees, contractors, and third parties who have access to the Company's information assets.

2.2. The Policy covers all aspects of the information security management system, including data protection, access control, risk management, and response to information security incidents.

3. OBJECTIVES

3.1. Data Protection: To ensure the confidentiality, integrity, and availability of data within the Company;

3.2. Regulatory Compliance: To comply with the requirements of the legislation of the Republic of Azerbaijan and the requirements of the Central Bank of the Republic of Azerbaijan concerning the provision of information security;

3.3. Ensuring Stakeholder Interests: To meet the expectations of clients, partners, employees, and shareholders by ensuring information security and reliability in the provision of insurance services;

3.4. Development and Innovation: To improve the information security management system and implement innovations to increase efficiency in protecting the Company's assets and business processes.

4. PRINCIPLES

4.1. Customer Focus: To create additional opportunities to understand and respond to customer needs;

4.2. Teamwork: To foster collaboration and joint efforts in the field of information security to achieve Company goals;

4.3. Investment in Human Capital: To provide education, training, and development for employees to ensure a high level of information security;

4.4. Social Responsibility: To ensure the safety of staff and clients, and to protect the economy and the environment;

4.5. Innovation: To implement advanced technologies and methodologies to improve information security processes.

5. DISTRIBUTION OF RESPONSIBILITY

5.1. Company Management: Bears the final responsibility for creating, approving, periodically reviewing, and improving the information security management framework, as well as for allocating the necessary resources (financial, human, and technological) for the implementation of the information security policy, and for ensuring full compliance with legal-regulatory requirements and contractual obligations. Management also oversees the formation and support of an information security culture within the organization;

5.2. Personnel: Is obligated to unconditionally comply with the requirements of the Company’s approved information security policy, standards, and procedures, to actively participate in established information security training and awareness programs, and to immediately report any potential or actual information security incidents, vulnerabilities, or non-compliance to the Information Security Department in the prescribed manner;

5.3. Information Security Department: Is responsible for implementing processes for the regular identification, assessment, analysis, and management of cyber risks related to information assets, for developing and implementing an effective response plan for cybersecurity incidents and ensuring coordination during such incidents, and for carrying out continuous monitoring, auditing, and reporting activities to verify the effectiveness and compliance of information security controls;

5.4. Information and Communication Technologies Department: Is responsible for ensuring the implementation, configuration, and ongoing management of necessary technological security measures in accordance with the Company’s approved information security policy and standards, and for organizing the uninterrupted and secure operation of the technical infrastructure to protect the resilience, availability, integrity, and confidentiality of the Company's information systems and resources.

6. EXPECTED OUTCOMES

6.1. Increased Security Level: Ensuring the protection of data and information assets from unauthorized access, breaches, and losses;

6.2. Regulatory Compliance: Ensuring compliance with the requirements of the legislation of the Republic of Azerbaijan and the requirements of the Central Bank of the Republic of Azerbaijan in the field of information security;

6.3. Meeting Client Needs: Ensuring a high level of information security in the provision of insurance services and realizing the expectations of clients, employees, shareholders, and partners;

6.4. Incident Management: Prompt identification and management of information security incidents.

7. RELATED DOCUMENTS

7.1. Legislation of the Republic of Azerbaijan in the field of information security;

7.2. Requirements for ensuring the information security of entities regulated by the Central Bank of the Republic of Azerbaijan;

7.3. The ISO/IEC 27001:2022 standard;

7.4. The Company’s internal regulatory documents.

8. SPECIAL REQUIREMENTS

8.1. The Policy must be accessible to all interested parties on the Company's website, www.ateshgah.com.

9. FINAL PROVISIONS

9.1. Additions and amendments to the Policy may be made by a decision of the Board of Directors.

9.2. Control over compliance with the requirements of the Policy is exercised by the Company's Management Board.

9.3. The Policy comes into force from the moment of its approval.
