carVertical

Information Security Policy

1. Information security policy (hereinafter – Policy) is the main document of UAB cV Group (hereinafter – cV Group or the Company) information security management system (hereinafter – ISMS). ISMS documents and/or separate parts of it can be provided to parties related to cV Group information for access.

2. The purpose of policy is to present the position of cV Group management to information security and to protect all verbal, written and electronic information received, sent, created, managed and used by cV Group from all possible threats: external, internal, intentional or accidental, which may affect the activities and reputation of cV Group.

3. To implement ISMS objectives, the following information security goals are set:

  • ensure and manage information security, considering cV Group strategic goals for to provide its services;
  • ensure and manage compliance with external and internal information security requirements by performing periodic compliance assessment and eliminating identified discrepancies;
  • ensure the resolution of information security violations and elimination of their reasons, implementing information security incidents management;
  • ensure the appropriate selection and implementation of information security and processing measures, performing an annual risk assessment and implementing the required information security measures;
  • ensure the effectiveness of applied information security measures;
  • ensure the adequacy of the Business continuity management plan by periodically reviewing and testing it.

4. Information is a strategically important asset for cV Group operations, therefore, its loss, illegal alteration, damage, disclosure or termination of information processing may cause disruptions to cV Group operations. Due to that, this Information security management policy establishes the basic guidelines that all cV Group employees, contractors and other related parties doing business with cV Group undertake to comply with.


5. The information security management policy applies to all cV Group business processes related to services provided and includes verbal and written information, information systems, computer networks, physical environment, virtual environment, employees, related parties, partners, contractors, or other persons working at cV Group, including employees working for third parties and those legally processing cV Group information.


6. Information security includes three main aspects:

  • information confidentiality – protection of information from unauthorised disclosure;
  • information integrity – protection of information from unauthorised or accidental change; 
  • information accessibility – ensuring that information is accessible when it is required for proper performance of cV Group activities.

7. Purpose of regulations is: 

  • To safeguard its information assets, including client data received from various sources and third parties, encompassing confidentiality, integrity, accessibility, and both tangible (e.g., computer and communication devices, premises, etc.) and intangible (e.g., reputation, image) aspects; 
  • determine the responsibility for information security; 
  • provide references to the security documents that make up the information security management system.

8. The ISMS documents must be reviewed at least once a year.

9. The implementation of cV Group information security requirements is ensured and managed through consistent planning, implementation, evaluation and improvement of the ISMS in accordance with the requirements of the standard ISO/IEC 27001 (as well as its latest versions)

10. The scope of cV Group ISMS certification includes all information technology products and related projects in the group of companies.

11. Information security management at cV Group is based on risk management. Information security risk assessment creates the conditions for information security management measures applied in cV Group business to meet the main goals of cV Group activities and information security.


12. cV Group information security risks are assessed every calendar year according to the approved Risk assessment policy. A review of the Company context should be performed during the information security risk assessment.

13. Policy is also applicable to carVertical OÜ, which applies the requirements for third parties as described in the Policy.