Every Gofore employee and contractor is obligated to read and comply with this Information Security Policy.


1. Our information security commitment

This information security policy underlines Gofore’s commitment to information security when dealing with employees, contractors, customers and suppliers.

Gofore’s business and reputation depends upon the trust of clients, partners and other stakeholders. Information security is central to the preservation and assurance of this trust.

Every effort is made to ensure information security is effective and aligned with business objectives and complies with applicable law and regulation.

It is essential for information security to be an integrated characteristic of Gofore. We maintain and continuously improve our information security management system by setting information security objectives derived from business objectives and information security strategy synchronisation. Gofore cultivates a security culture whereby security awareness is part of business-as-usual. Employees and contractors take responsibility for security in their own conduct and responsibilities.

In our best interests and in yours, everyone at Gofore takes security seriously.

2. Our information security principles

  1. Gofore Executive Management team is committed to its overarching accountability for the information security management system.
  2. Information security risks are identified, documented, and managed to minimise harm and ensure business continuity.
  3. Security policies and compliance expectations are communicated to employees and contractors in security on-boarding and employment contracts, and to customers and suppliers in framework agreements and contracts.
  4. Access to systems and information is based on the security principle of information confidentiality and the need to know.
  5. Information is classified and handled according to appropriate security levels and personal data is processed according to the General Data Protection Regulation (GDPR).
  6. Security is built into the design, development and acquisition of digital services, supported by secure development guidelines.
  7. Information networks are segregated, protected, monitored and managed in accordance with network security recommended practices.
  8. Incidents and risks are reported and managed in a timely manner according to the incident and risk reporting procedure.
  9. Security training and a culture of security awareness are fostered in employees and contractors.
  10. Every employee and contractor understands their responsibility to be security aware and to behave accordingly.

3. Our information security approach

As stated in our commitment, everyone takes responsibility for security in their role and conduct.

The Chief Executive Officer (CEO) is ultimately accountable for ensuring Gofore incorporates information security into corporate governance and business continuity.

The Executive Management Team is responsible for ensuring information security implementation is aligned with company strategy.

The Chief Information Security Officer (CISO) is responsible for information security awareness and for employee compliance with information security policies, procedures and guidelines. The Security Team and business function stakeholders support the CISO.

The Security Team is responsible for supporting the CISO in disseminating security awareness, ensuring the information policy, procedures and guidelines are complied with, and responding to security events. To ensure continual improvement, the information security management system is reviewed and updated annually to maintain compliance with ISO 27001 requirements and ISO 27002 code of practice where applicable. Information security and data protection expectations are proactively communicated to customers and suppliers as part of framework agreements, contracts, and projects.

Business Unit Leads are responsible for ensuring that people in their unit

  • are sufficiently information security aware in order to work in a secure way
  • have the required skill to produce secure results

Project managers are responsible for ensuring project members are information security aware and develop solutions that are secure and data protection compliant by design. Information security and data protection expectations are also determined by client requirements.

In Gofore, data protection is also an integrated business-as-usual aspect of digital consulting. Gofore processes personal data in accordance with applicable legislation, including the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).

Gofore considers the requirements set forth in the data protection legislation in all its business activities and expects and requires the same from subcontractors and other business partners. Gofore provides orientation for employees regarding guidelines for privacy and data protection.

Takaisin ylös