Last updated by: RamGcia, Last updated on: 16/05/2026
Information Security Policy
Redback Operations – ISO27001:2022 ISMS
| Document Code | RO – POL – 001 |
|---|---|
| Version | 1.0 |
| Document Owner | Ethics / GRC Team |
| Review Cycle | At the start of each trimester |
| ISO27001:2022 Reference | Clauses 5.1, 5.2 |
Organisational Context
Redback Operations is a student-led company originating from Deakin University. It focuses on the development of technology for health, fitness and sport. Redback Operations will uphold the confidentiality, integrity and availability of all assets, whether informational, physical or digital.
Redback Operations currently operates with 54 active members across 8 different teams, though numbers vary per trimester. Students rotate every trimester, with a maximum tenure of two trimesters as per Capstone Part (A) and Capstone Part (B). This ISMS is designed specifically to address issues caused by Redback Operations' rotational nature.
Policy Statement
This policy outlines the framework for our Information Security Management System (ISMS), which adheres to the ISO/IEC 27001:2022 standard. It applies to all active members, assets, programs and processes within Redback Operations for Trimester 1, 2026 and must be adhered to by every active student.
Information security is defined as the protection of the confidentiality, integrity and availability of Redback Operations' information assets. Confidentiality is defined as ensuring that information is only accessible to those who are authorised. Integrity is defined as guaranteeing that the information is accurate and authentic. Availability is defined as ensuring that information is accessible to authorised individuals when it is needed.
Our Commitments
Information security objectives are established at the start of each trimester by the Ethics / GRC team, informed and guided by the Risk Register from the previous trimester and the Statement of Applicability. Progress is checked at the end of each trimester.
Redback Operations strives to:
- Protect all information assets from unauthorised access, malicious modification and destruction.
- Ensure that access to Redback Operations' information and programs is granted on a least-privilege and need-to-know basis.
- Educate members on security awareness before they are allowed to access Redback Operations and its systems.
- Revoke access to Redback Operations' systems when offboarding procedures commence.
- Ensure that logging, containing and treating security risks is performed each trimester.
- Be proactive in security incidents and ensure proper procedure is followed.
- Ensure that maintenance and iterations on the ISO27001:2022 ISMS are performed per trimester.
- Adhere to Victorian legal and regulatory rules and Deakin University rules.
Principles Definition
These principles define the information security activities at Redback Operations. These principles are present in the ISMS suite.
| Principle | Definition |
|---|---|
| Least Privilege | Access is granted at the minimal level for a student's role. |
| Need to Know | Information is accessible only to those who need it for their role. |
| Defence in Depth | Layers of defence are implemented. |
| Security by Design | Security is implemented throughout development rather than as an afterthought. |
| Continual Improvement | ISMS is reviewed and iterated per trimester. |
Supporting Policies and Documents
This policy is supported by the following ISMS documents.
| Document Code | Title |
|---|---|
| RO – ISMS – 001 | ISMS Scope |
| RO – REG – 001 | Asset Register |
| RO – REG – 002 | Risk Register |
| RO – POL – 002 | Access Control Policy |
| RO – POL – 003 | Acceptable Use Policy |
| RO – POL – 004 | Incident Response Policy |
| RO – POL – 005 | Secure Development Policy |
| RO – POL – 006 | Data Handling Policy |
| RO – CL – 001 | Onboarding & Offboarding Procedure |
| RO – AUDIT-GIT-001 | GitHub Audit Report |
| RO – SOA – 001 | Statement of Applicability |
| RO – AUD – 001 | Internal Audit Checklist |
| RO – GA – 001 | Gap Analysis |
Non-Compliance
Any member who does not comply with this policy or other policies as a part of this ISMS will have their access suspended and the issue escalated to the relevant tutor. Redback Operations does not tolerate breaches of its information security. Consequences are defined as per the Incident Response Policy.
Policy Review
This policy must be reviewed at the start of every trimester by the incoming Ethics / GRC Team. Any changes must be version-controlled, dated and approved.