KL ENGINEER LLC
INFORMATION SECURITY POLICY v1.1
Last Updated: March 02, 2026
Purpose
This document, the Information Security Policy of KL Engineer LLC (hereinafter, the Policy), is a key instrument determining the position, goals, tasks and principles of KL Engineer LLC (hereinafter, the Company) in the field of information security.
General Provisions
Information security shall mean the totality of employees, policies, processes and technologies used by the Company to protect information assets. Security of the Company's information assets is characterized by the neutralization of actual information security threats by technical, organizational, and legal means.
For the purposes of this Policy, information assets shall mean employees, information, business reputation, real assets, and business processes.
The Company's activity in the field of information security is based on the requirements of the Armenian laws and of TISAX (Trusted Information Security Assessment Exchange), and the tasks being solved contribute to the efficient and safe development of the Company's business in the modern world of digitalization and digital transformation.
Validity period and amendment
This Policy is a local regulatory act of continuous action. This Policy shall be approved, modified and deemed invalid by the Company Director. The Policy shall be reviewed on a regular basis at least once a year, or more frequently if significant changes occur.
Information security declaration
By accepting the Policy, the Company declares and undertakes to take proper measures to protect information assets from the risks of damage and loss that emerge when information security threats are realized.
The Company management recognizes the importance of, and the need to improve, the measures and means of information security provision in the context of developing information security laws and the increased complexity of the information technologies used.
The Company management shall initiate and control work in the field of information security.
Following the information security principles, rules, and requirements shall be an element of the Company's corporate structure.
The Company's information security leaders and specialists should perform their duties responsibly and realize that the quality of their work directly affects the level of protection of the Company's information assets.
The Company employees should be guided by this Policy in their professional activities, in in-house interaction, in personal development, and in raising the information security culture.
Each Company employee shall be liable for meeting the information security requirements when working with information assets.
Reaching the information security goals while adhering to the principles will additionally help to strengthen competitive positions, provide conformity with legal, regulatory and contractual requirements, and minimize business reputation risks.
Goals in the field of information security
This Policy supports the strategic goals of the Company by ensuring the confidentiality, integrity, and availability of information critical to our operations, thus enabling business continuity and protecting our reputation in the market.
The Company information security management and provision shall be aimed at reaching the following goals:
• Providing a safe information environment for business functioning and development.
• Increasing competitive ability, business reputation and business validity by decreasing the risk level in the field of information security.
• Meeting legal requirements in the field of information security and personal data, and fulfillment of the respective contractual obligations.
• Increasing the corporate culture of information processing and protection, incl. personal data.
• Efficient information security process management and continuous improvement of the information security management system.
Tasks in the field of information security
The following tasks in the field of information security were accepted in the Company for reaching the set goals:
• Design, implementation, and continuous improvement of the information security management system (hereinafter, the ISMS).
• Involvement of the Company top management into the ISMS functioning process. Information security shall be regularly reviewed by the Company responsible persons.
• Efficient use of resources allocated for purposes of information security provision. Cost efficiency assessment.
• Providing security of the Company information assets.
• Meeting legislation, requirements of regulatory organizations in the field of information security and personal data protection.
• Improvement of technical, organizational and legal protection measures.
• Formation, accumulation, and development of competences in the field of information security and personal data protection.
• Use of the risk-oriented approach. The Company regularly checks information security risks and takes measures to increase the level of information assets protection.
• Information security incident management. The Company is constantly improving the incident response mechanisms.
• Raising awareness of the Company employees in the field of information security.
• Formalization of information security requirements. The requirements shall be recorded in regulatory acts and made known to the employees.
• Incorporation of information security requirements in design activities. Development and documentation of requirements to information security provision shall be performed at the initial stages of project implementation.
• Employees' background checks (or screening) in accordance with the established procedures. All candidates for vacant positions shall be checked in accordance with the established procedures.
• Monitoring and continuous improvement of the ISMS following the results of periodic audits (checks).
Principles of information security provision
The following information security provision principles were determined in the Company:
Systematicity principle
The assets shall be considered as interrelated components of one system. Mutual interaction of components shall be taken into account in the analysis of information security risks and threats.
Completeness (complexity) principle
To provide information security, a wide range of measures, methods and means of protection is used, the comprehensive use of which ensures the neutralization of actual threats and the absence of vulnerabilities at integration points.
Echelon principle
Relying on the protective border only is inadmissible. The information security provision system should be built in a way to place the most protected security zone inside the other protected zones.
Strength uniformity principle
The efficiency of protection mechanisms should not be brought to nought by a weak link that appears as the result of underestimating threats or using inadequate protection measures.
Continuance principle
Information security provision is a continuous, task-oriented process that provides for taking protection measures at all stages of the assets' life cycle.
Reasonable sufficiency principle
"Absolute" assets protection is impossible. Means of protection, adequate to present threats, shall be selected based on the risk analysis.
Validity principle
When choosing and implementing information security measures, the Company shall strictly follow the applicable laws and the requirements of regulatory legal and technical documents in the field of information security.
Manageability principle
Information security provision and improvement processes should be manageable, i.e., it is required to conduct monitoring, measure parameters, and correct the processes in time.
Personal liability principle
Each employee within their powers shall be liable for information security provision.
Responsibility for the Policy violation
The Company employees are obliged to meet the information security requirements and rules when working with information and information assets of the Company, its partners and counterparties.
High corporate standards and rules of information security provision in the Company are obligatory for all the Company employees without exception, and should be taken into account in relations with partners and counterparties.
When using the Internet, communicating in social networks and messengers, or using e-mail and other electronic means and communication platforms, the Company employees should show discretion and caution.
For non-fulfillment of information security requirements, each Company employee may be held liable in accordance with the applicable legislation, which can include disciplinary, civil, administrative, or criminal proceedings.
Employees of partners and counterparties who use the Company information assets, and information provided to them, shall be liable in accordance with the contractual provisions, and the applicable legislation.
Policy application
The Information Security Policy is mandatory for all employees, contractors, interns, and external parties who access or process the Company's information assets.
This Policy is made available to all employees and relevant external parties via the Company's SharePoint service. All new employees are briefed on this Policy during their onboarding. Changes to the Policy are communicated via email and are reflected in the next scheduled information security awareness training.
HOW TO CONTACT US
If you have any questions about KL ENGINEER’s privacy practices or use of your personal data, please feel free to contact us at corp@klengineer.com or by mail at:
KL Engineer LLC
Pirumyanneri 14/12, 0054 Yerevan, Armenia
corp@klengineer.com
klengineer.com