Atlas Platforms Pty Ltd (The Company) is the company responsible for the EthosOne and the Strateji Platform it sits on.

Leadership

Leadership and commitment

The Company is committed to continually enhancing its ISMS. This commitment is demonstrated through the actions of the ISMS Governance Council, which oversees implementation, monitoring, and

improvements.

We ensure:

• Alignment of information security objectives with our strategic goals.
• Allocation of necessary resources, including funding, tools, and expertise.
• Integration of security practices into daily operations and agile workflows.

Information Security Policy

Atlas Platforms's information security policy:

• Aligns with our mission to deliver secure and reliable SaaS solutions.
• Sets the foundation for measurable security objectives.
• Demonstrates compliance with legal, regulatory, and contractual obligations.
• Emphasizes continuous improvement.

Transparency and Awareness:

• This policy is accessible to all employees and contractors via Confluence.
• External parties may access it upon request.
• Annual reviews ensure ongoing relevance and effectiveness.

Roles, responsibilities and authorities

Roles and responsibilities for ISMS are based on Atlas Platforms' flat governance structure:

• ISMS Governance Council Team: Oversees security governance, compliance, and audits.
• Senior Management: Consisting of the organisations Co-Founders, to ensure implementation and
• adherence to ISMS controls.
• All Personnel: Maintain awareness of security requirements and report issues promptly.

Competencies and gaps are assessed through regular reviews and training programs.

Planning

Atlas Platforms prioritizes the identification of risks and opportunities, embedding iterative risk assessments into agile workflows.

Risk Assessment:

Regular evaluation of security risks and prioritization of mitigations.

Documented outcomes and updates tracked in all active products (eg. Strateji and Meta Agility).

Risk Treatment:

Selection and implementation of controls to address identified risks.

Documented approvals and reviews integrated into quarterly retrospectives.

Security Objectives:

1. Protect confidentiality, availability, and integrity of data.
2. Ensure compliance with applicable laws and contractual obligations.
3. Achieve and maintain ISO 27001 certification.
4. Action plans for achieving objectives are reviewed annually and tracked in Strateji

Support

Resources:

Atlas Platforms allocates funding, expertise, and tools to support ISMS operations.

Competence:

Roles impacting information security are evaluated based on training, experience, and education.

Competence gaps are addressed through mentoring, external expertise, or training.

Awareness:

Personnel complete annual awareness training and understand their roles and consequences of non-

compliance.

Communication:

Internal and external security communications are coordinated and documented.

Policies are stored in Confluence and reviewed after major updates or annually.

Processes for creating, updating, and storing ISMS documentation are defined in the 05-ISMS Document Control Procedure.

Control of documented information

Processes for creating, updating, and storing ISMS documentation are defined in the 05-ISMS Document Control Procedure.

Operation

Atlas Platforms integrates information security into agile workflows:

• Operational controls are documented and tracked in Product development tools (eg. Strateji's Jira Board).
• Risks are evaluated during planning cycles, with records maintained for audits.
• External dependencies are assessed and managed effectively.

Performance evaluation

Internal audit

Atlas Platforms performs internal audits of its ISMS on a recurring basis and has defined an ISMS Internal

Audit Procedure. For further details, please refer to the 07-ISMS Procedure for Internal Audits document.

Management review

Atlas Platforms has defined an ISMS Management Review Procedure consisting of the necessary inputs and outputs to ensure that the company's ISMS is operating effectively, as intended, and is continually

improving. For further details, please refer to the 08-ISMS Procedure for Management Review .

Improvement

Continual Improvement

Atlas Platforms is dedicated to perpetually enhancing the relevance, sufficiency, and efficiency of our information security management system.

Nonconformity and corrective action

In case of any deviation from established standards, Atlas Platforms commits to:

• Address the nonconformity, manage its effects, and implement necessary corrections.
• Evaluate the root cause, ensuring it doesn't repeat or emerge in other areas.
• Act upon any required changes and validate the efficacy of those changes.
• All measures taken will be proportionate to the severity of the nonconformities identified.

For transparency and due diligence, Atlas Platforms will document:

• The specifics of any nonconformity and the corrective measures applied.
• The outcomes of those corrective actions. Atlas Platforms has defined an ISMS Corrective Action and
• Continual Improvement Procedure when non-conformities are identified. Non-conformities may be identified during internal audits, external audits, management reviews, or ongoing monitoring of the ISMS. For further details, please refer to the 09-ISMS Procedure for Corrective Action and Continual Improvement document.

Policy violation

All personnel, including employees, contractors, and third parties, must protect Atlas Platforms' data and systems. Violations may result in corrective actions, including training, reassignment, or termination, in line with severity and applicable laws.

ISO 27001 coverage

ISO 27001 4.1; 4.2; 4.3; 5.1

27701 Privacy Information Management System (PIMS) Addendum

This addendum is automatically applicable for organizations implementing ISO 27701 and optional for organizations who are implementing ISO 27001 only.

• All references to "ISMS" in this document are changed to "IS&PMS"
• All references of ISO 27001 in this document are changed to "ISO 27001/27701"
• All references to "information security management system" are changed to "information security and privacy management system"