I          Introduction

1. Information exists in different forms. It can be printed or written on paper, saved in electronic format, transferred by mail or using other electronic mediums, shown on film and spoken. Regardless of the form in which appears or the assets used to transmit or store, it should always be adequately protected.
2. Information security is achieved by applying appropriate set of administrative, technical and/or physical controls, that include policies, processes, procedures, organizational schemes, and software and hardware functions.
3. Information security main goals are:
   - Confidentiality – The property of information to be available only to authorized users or processes.
   - Integrity – The property of information to be available for modification only to authorized users or processes.
   - Availability – The property of information to be available to authorized users or processes when there is a business need for it.
4. Other goals of information security are:
   - Identification – Unique identification of the user or process of the system or application.
   - Authentication – Confirmation that the user of the system or application is an identified person or process.
   - Authorization – Granting appropriate rights to a user or process within the system or application after successful identification and verification.
   - Accountability – Activities performed within the system or application relevant for security must be recorded and proven.

II         Organization Context

1. Mozzart is the company for organization of games of chance that operates in Eastern Europe region and other markets. For business needs, a comprehensive information system is created for production, maintenance and upgrading software for organizing games of chance at betting shops and online.
2. The requirements of interested parties relevant to information security are defined within the Register of Interested Parties.
3. The scope of ISMS includes the company activities with aim to organize games of chance in accordance with the Statement of Applicability.
4. ISMS system was established, implemented, continuously maintained and improved in accordance with the requirements of ISO27001:2013 standard.

III        Information Security Policy

1. Management of the company approves Information Security Policy. The policy is published and announced to all employees and third parties.
2. Specific role and responsibilities of information security are determined by lower-level documents, job descriptions and employee contracts.
3. Mozzart regularly reviews Information Security Policy and, if necessary, supplements it when new threats or changes in the environment are observed, new best practices of information security are recognized, major changes in the infrastructure occur, services, organizational scheme or as a result of independent internal or external ISMS audit findings.

IV        Management support

1. Management of the company recognizes that the information security program exists to support business requirements for the successful and competitive operation of the company, as well as for the compliance with relevant standards, and laws and regulations of the markets in which the company operates. Also, management of the company concur the fact that its support is crucial for achieving the company's information security goals and effective planning, and implementation and maintenance of information security controls.
2. Management of the company gives full support in development and realization of information security activities.

IV.1    Organizational roles

1. Mozzart continuously works on identification of information security risks on all markets in coordination with ISMS teams and on creation of measures for information security risks treatment, as well on coordination of activities for their establishment and implementation.
2. ISMS teams were formed on all markets with the aim of effective implementation of information security activities.
3. All employees are responsible to abide by the rules of this Information Security Policy and other information security policies.

V         Information Security Risk Management

1. Mozzart continuously works on the identification and evaluation of information security risks, on defining measures for risk treatment and on coordination of activities for their implementation in accordance with the Risk Management Policy.
2. Information security activities, goals, and implementation and improvement of information security controls are based on identified information security risks and measures for their treatment.
3. Information security goals are set and evaluated on an annual basis.

VI        Information Security Awareness

1. Mozzart continuously works on information security awareness, and organizes and implements various forms of information awareness training of its employees that include, but are not limited to, conducting phishing simulations, organizing and/or conducting online or on-site training and notifications for employees via e-mail and other communication channels.
2. In a one-month period after employment new employees undergo initial training on information security that includes formal familiarization with information security policies and company expectations, and this training continues during the employment, at least once a year.

VII       ISMS System Monitoring and Measurement

1. Mozzart defines the criteria for monitoring and measurement of the ISMS performance that are analyzed and evaluated at least once a year before the ISMS management review.