Busha Legal
Information Security Management System Policy

Nigeria
Last updated: March 9, 2026
1. Introduction
This policy defines how Information Security will be set up, managed, measured, reported on and developed within Busha Digital Limited.
The International Standard for Information Security, BS ISO/IEC 27001:2022 (referred to in this document as ISO/IEC 27001), is a development of the earlier British Standard, BS 7799.
Busha has decided to pursue full certification to ISO/IEC 27001 in order that the effective adoption of information security best practice may be validated by an external third party.
2. ISMS Policy
2.1 Scope of the ISMS
For the purposes of certification within Busha, the boundaries of the Information Security Management System are defined as follows:
The Information Security Management System (ISMS) at Busha applies to all processes, personnel, technologies, and physical and digital assets that support the delivery of its cryptocurrency exchange, digital wallet, payment solutions, and related services.
The organisational boundaries for the ISMS encompass:
- Business Units: All departments involved in product development, operations, customer support, compliance, risk management, marketing, legal and engineering.
- People: All employees, contractors, consultants, and third-party service providers who access Busha's information assets, systems, or premises.
- Locations:
  - All remote-working environments where employees and contractors access Busha information systems.
  - Busha's physical office at 12B, Admiralty Way, Lekki, which houses network infrastructure and core business operations.
- Information Assets: Customer personal information, transaction data, authentication credentials, internal documentation, software source code, operational data, and all supporting records essential to service delivery.
- Systems and Infrastructure:
  - Cloud environments (e.g., hosting, storage, and computing resources used by Busha for its platform operations).
  - Business applications, communication systems, security monitoring tools, customer-facing platforms (website, mobile apps), and internal IT infrastructure.
- Third Parties: External vendors, managed service providers, cloud service providers, and partners who process or store Busha information assets or provide critical services (e.g., KYC verification services, cloud hosting, customer support tools) are considered within the scope, and are managed via contractual and technical controls.
- Products and Services: Cryptocurrency trading platform, digital wallet services, payment and settlement services, and associated customer-facing applications.
2.1.1 Exclusion from the ISMS Scope
Personal IT Devices Not Used for Business Purposes: Employee-owned personal devices (e.g., personal laptops, smartphones, tablets) that are not authorised for use in Busha's business operations or information systems are excluded from the ISMS scope.
Justification: These devices do not process, store or transmit organisational information assets and therefore do not pose a material risk to Busha's information security objectives. Any personal device that is authorised to access Busha systems (for example under a bring-your-own-device arrangement) is within scope.
2.2 Information Security Requirements
A clear definition of the requirements for information security will be agreed and maintained with the business so that all ISMS activity is focused on the fulfilment of those requirements. Statutory, regulatory, and contractual requirements will also be documented and input into the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of Busha's Information Security Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.
2.3 Top Management Leadership and Commitment
Commitment to information security extends to senior levels of the organisation and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.
Top management will also ensure that a systematic review of the performance of the ISMS is conducted on a regular basis, so that information security objectives are being met and issues are identified through the audit programme and management processes. Management Review can take several forms, including departmental and other management meetings.
2.4 Management Representative
The ISMS Manager shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:
- The identification, documentation and fulfilment of information security requirements
- Implementation, management and improvement of risk management processes
- Integration of processes
- Compliance with statutory, regulatory and contractual requirements
- Reporting to top management on performance and improvement
2.5 Framework for Setting Objectives and Policy
An annual cycle will be used for the setting of objectives for information security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the annual management review with stakeholders.
ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a quarterly basis to ensure that they remain valid. If amendments are required, these will be managed through the change management process.
In accordance with ISO/IEC 27001:2022, the reference controls detailed in Annex A of the standard will be adopted by Busha where appropriate. The selection will be reviewed on a regular basis in the light of risk assessment outcomes and in line with the Information Security Risk Treatment Process. The Statement of Applicability records, for each Annex A control, whether it is applicable, the justification, and how it is implemented.
2.6 Roles and Responsibilities
Within the field of information security, there are a number of management roles that correspond to the areas defined within the scope set out above. In a larger organisation, these roles will often be filled by an individual in each area. In a smaller organisation these roles and responsibilities must be allocated between the members of the team.
Full details of the responsibilities associated with each of the roles and how they are allocated within Busha are given in a separate document, Information Security Roles and Responsibilities.
It is the responsibility of the ISMS Manager to ensure that staff understand the roles they are fulfilling and that they have appropriate skills and competence to do so.
2.7 Continual Improvement Policy
Busha is committed to maintaining and continuously enhancing the effectiveness of its Information Security Management System (ISMS) to ensure it remains resilient, agile, and aligned with international best practices and evolving business needs.
To achieve this, Busha undertakes the following continual improvement initiatives:
- Drive Ongoing Effectiveness of the ISMS: Busha continually evaluates and enhances its ISMS to ensure it effectively protects the confidentiality, integrity, and availability of information assets across its digital asset exchange, wallet services, and supporting operations.
- Benchmark Processes Against Best Practice: Existing information security policies, procedures, and controls are regularly reviewed and enhanced to align with the latest good practice as defined by ISO/IEC 27001:2022 and ISO/IEC 27002:2022.
- Achieve and Sustain ISO/IEC 27001 Certification: The organisation is committed to achieving and sustaining ISO/IEC 27001 certification through regular internal audits, management reviews, and alignment with certification body requirements.
- Foster a Culture of Proactive Security: Busha promotes a forward-thinking security culture by actively identifying, communicating, and mitigating risks before they materialise, thereby enhancing stakeholder trust and reinforcing its reputation as a security-first digital finance platform.
- Improve Measurability of Information Security: Information security processes and controls are continuously refined to become more measurable, allowing data-driven decisions and meaningful reporting to management and stakeholders.
- Annual Metrics Review: Key performance indicators (KPIs) and security metrics are reviewed annually to determine their ongoing relevance and effectiveness, based on historical trends and shifts in the threat landscape.
- Stakeholder-Driven Improvement Initiatives: Ideas for improvement are actively gathered through regular engagement with internal and external stakeholders, including product teams, compliance, risk management, and customer support, and documented in the Continual Improvement Plan.
- Review and Prioritise Improvements: The Continual Improvement Plan is formally reviewed during scheduled ISMS management review meetings to assess priority, resource allocation, business impact, and implementation timelines.
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be added to the Continual Improvement Plan and evaluated by the staff member responsible for Continual Service Improvement.
As part of the evaluation of proposed improvements, the following criteria will be used:
1. Cost
What this means at Busha:
Cost is evaluated in terms of both capital (e.g., technology purchases, software licenses, third-party services) and operational expenditure (e.g., staff time, training, implementation costs).
- Consideration is given to how the cost aligns with Busha’s lean, scalable operating model and its focus on efficient digital service delivery.
- Security investments must deliver clear value without compromising the company’s ability to remain agile and competitive in fast-evolving crypto and fintech markets.
- Preference may be given to solutions that are cloud-native, open source, or that integrate easily with Busha’s existing platforms.
2. Business Benefit
What this means at Busha:
Business benefit is assessed based on how the improvement contributes to
- Enhancing trust with users of Busha’s crypto trading, wallet, or payment services.
- Enabling market growth or expansion into regulated jurisdictions by meeting specific compliance/security requirements.
- Strengthening resilience and uptime for Busha’s always-on digital platforms (a critical driver of customer retention and brand reliability).
- Supporting the company’s long-term goals, such as enabling institutional partnerships or scaling services across Africa.
3. Risk
What this means at Busha:
Risk is analysed in terms of how the proposed improvement:
- Reduces current information security risks (e.g., vulnerabilities in wallet architecture, cloud infrastructure misconfigurations, third-party access).
- Addresses non-conformities found during audits, incidents, or risk assessments.
- Mitigates regulatory, reputational, or operational exposure, especially in markets with strong data protection, AML, or crypto-specific compliance frameworks.
- Increases preparedness for threats such as data breaches, smart contract exploits, insider threats, or DDoS attacks on critical systems.
4. Implementation Timescale
What this means at Busha:
Speed of implementation is crucial in Busha’s rapidly evolving ecosystem.
- Improvements must be assessed for delivery within realistic timeframes, often within quarterly sprints or regulatory deadlines.
- Quick wins (e.g., patch-management automation or a revised KYC workflow) may be prioritised for immediate impact.
- Longer-term projects (e.g., a full cloud security audit or SIEM overhaul) must be aligned with resource planning and security roadmaps.
5. Resource Requirement
What this means at Busha:
The required human, technical, and operational resources are evaluated to determine:
- The impact on lean teams or critical staff, including cybersecurity, DevOps, risk, and compliance functions.
- The ability to leverage existing tools or partnerships (e.g., existing CSPs or compliance providers).
- Whether specialised resources (e.g., blockchain penetration testers or regulatory consultants) are needed and available.
- Integration feasibility within Busha’s remote-first workforce and cloud-native architecture.
If accepted, the improvement proposal will be prioritised in order to allow more effective planning.
2.8 Approach to Managing Risk
Risk management will take place at several levels within the ISMS, including:
- Management planning – risks to the achievement of objectives
- Information security and IT service continuity risk assessments
- Assessment of the risk of changes via the change management process
- As part of the design and transition of new or changed services
High level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision.
2.8.1 Risk Assessment Process
A risk assessment process will be used which is in line with the requirements and recommendations of ISO/IEC 27001, the International Standard for Information Security. This is documented in the Risk Assessment and Treatment Process.
This requires that the assets of a function are identified and then the following aspects are considered:
- Threats
- Vulnerabilities
- Impact and likelihood before risk treatment
- Risk treatment (e.g. reduction, removal, transfer)
- Impact and likelihood after risk treatment
From this analysis, a risk assessment report will be generated followed by a risk treatment plan. This will then give rise to the selection of appropriate controls.
2.8.2 Risk Evaluation Criteria
Risk will be evaluated according to two main criteria:
2.8.2.1 Likelihood
How likely is the combination of the threat and any identified vulnerabilities to result in an impact to the asset under consideration? This will be judged on a scale of 1 (low) to 5 (high) and will take into account the following considerations:
- Has the risk happened before? If so, how long ago and what (if anything) has changed since then to make it more or less likely?
- Are there any available statistics or other information that can give an objective view of how likely the risk is to occur? e.g. crime figures by post code
- Has the risk previously come to pass to any other organisations in the geographical area, similar industry or with the same assets etc.?
Such information will help to inform the discussion about likelihood and arrive at a realistic estimate. Risks which are very unlikely to happen will almost certainly not warrant the use of business resources to address them (unless perhaps their impact is catastrophic).
2.8.2.2 Impact
The other criterion that must be considered is the impact to the asset and therefore the wider organisation should the risk occur. Again this will be assessed on a scale from 1 (low) to 5 (high) and should be evaluated in several different ways:
- Cost – what will the financial impact be to the organisation if this risk happens? This may consist of direct costs such as lost productivity or indirect costs such as lost sales. What will it cost to put the situation right again in the short and long term?
- Reputation – will our organisation’s reputation in the marketplace be damaged if this risk were to occur?
- Legal, Contractual and Regulatory – will we be put into a position where the law is being broken? Will we be in breach of contract or out of compliance with regulatory requirements?
The overall risk factor will then be calculated by multiplying the likelihood and impact scores together, giving a score from 1 to 25. The score is then mapped to a risk classification of Low, Medium or High. Because impact is evaluated under several headings (cost, reputation, legal), the highest of those ratings should be used as the impact score so that the worst-case consequence drives the classification.
2.8.3 Risk Acceptance Criteria
In general the following criteria will be adopted for the acceptance of risks according to their classification:
- Low – these risks will generally be accepted with no further action required
- Medium – these will be carefully reviewed and monitored and actions decided on an individual basis
- High – these risks must be addressed as a matter of urgency to prevent significant impact to the organisation
These criteria will be reviewed on an annual basis to ensure they remain appropriate to the organisation’s needs.
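A worked example of the scoring scheme in 2.8.2 and the acceptance criteria in 2.8.3, written for this page and not part of Busha's own tooling. The 1 to 5 scales, the likelihood x impact product, the before/after treatment ratings and the Low/Medium/High actions are taken from the policy; the numeric Low/Medium/High thresholds, the use of the highest of the cost/reputation/legal ratings as the impact score, and the sample register entries are assumptions for illustration. The example also implements the caveat in 2.8.2.1: a Low score whose impact is catastrophic is flagged for review rather than silently accepted.

```python
"""Risk scoring against a 5x5 likelihood/impact scheme (added example).

Thresholds LOW_MAX / MEDIUM_MAX and the max-of-dimensions impact rule are
assumptions; the policy only fixes the scales and the multiplication.
"""
from dataclasses import dataclass

LOW_MAX = 5      # assumed: score 1..5  -> Low
MEDIUM_MAX = 12  # assumed: score 6..12 -> Medium, 13..25 -> High

ACCEPTANCE_ACTION = {
    "Low": "accept; no further action required",
    "Medium": "review and monitor; decide action individually",
    "High": "address as a matter of urgency",
}


def _check_scale(name: str, value: int) -> None:
    """Reject anything outside the policy's integer 1..5 scale (bools included)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def impact_score(cost: int, reputation: int, legal: int) -> int:
    """Impact is rated on cost, reputation and legal/regulatory exposure;
    the worst of the three drives the score (assumption: max, not average)."""
    for name, v in (("cost", cost), ("reputation", reputation), ("legal", legal)):
        _check_scale(name, v)
    return max(cost, reputation, legal)


def risk_score(likelihood: int, impact: int) -> int:
    """Overall risk factor = likelihood x impact, range 1..25."""
    _check_scale("likelihood", likelihood)
    _check_scale("impact", impact)
    return likelihood * impact


def classify(score: int) -> str:
    """Map a 1..25 score to the policy's Low / Medium / High classes."""
    if score <= LOW_MAX:
        return "Low"
    if score <= MEDIUM_MAX:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class RiskEntry:
    """One register row: asset, threat, vulnerability, ratings before/after treatment."""
    asset: str
    threat: str
    vulnerability: str
    likelihood_before: int
    impact_before: int
    treatment: str
    likelihood_after: int
    impact_after: int


def evaluate(entry: RiskEntry) -> dict:
    """Score before and after treatment and apply the acceptance criteria."""
    inherent = risk_score(entry.likelihood_before, entry.impact_before)
    residual = risk_score(entry.likelihood_after, entry.impact_after)
    residual_class = classify(residual)
    return {
        "asset": entry.asset,
        "inherent_score": inherent,
        "inherent_class": classify(inherent),
        "residual_score": residual,
        "residual_class": residual_class,
        "action": ACCEPTANCE_ACTION[residual_class],
        "treatment_reduces_risk": residual < inherent,
        # Policy caveat: very unlikely risks normally do not warrant resources,
        # unless the impact is catastrophic. Flag Low-scored, impact-5 risks so
        # the classification is reviewed rather than applied blindly.
        "catastrophic_review": residual_class == "Low" and entry.impact_after == 5,
    }


def urgent(entries) -> list:
    """Assets whose residual risk is still High and must be addressed urgently."""
    return [e.asset for e in entries if evaluate(e)["residual_class"] == "High"]


# Constructed sample register entries, for illustration only.
SAMPLE_REGISTER = [
    RiskEntry("hot wallet signing service", "credential theft by external attacker",
              "long-lived cloud access keys on operator laptops",
              4, impact_score(cost=5, reputation=5, legal=4),
              "reduce: short-lived credentials, hardware-backed MFA, key rotation", 2, 5),
    RiskEntry("customer KYC records", "exposure via third-party processor",
              "vendor access not reviewed after contract change",
              4, impact_score(cost=3, reputation=4, legal=5),
              "reduce: quarterly access review (planned, not yet implemented)", 3, 5),
    RiskEntry("core transaction database", "region-wide cloud outage",
              "single-region deployment",
              1, impact_score(cost=5, reputation=4, legal=3),
              "accept (pending review: catastrophic impact)", 1, 5),
]

if __name__ == "__main__":
    for row in (evaluate(e) for e in SAMPLE_REGISTER):
        print(row)
    print("urgent:", urgent(SAMPLE_REGISTER))
```

Under the assumed thresholds the wallet entry moves from High (20) to Medium (10) once treated, the KYC entry remains High (15) until its planned review is implemented and so appears in the urgent list, and the database entry scores Low (5) before and after but is flagged for review because its impact rating is 5.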
2.9 Human Resources
Busha will ensure that all staff involved in information security are competent on the basis of appropriate education, training, skills and experience.
The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within Busha. Training needs will be identified and a plan maintained to ensure that the necessary competencies are in place.
Training, education and other relevant records will be kept by the HR Department to document individual skill levels attained.
2.10 Auditing and Review
Once in place, it is vital that regular reviews take place of how well information security processes and procedures are being adhered to. This will happen at three levels:
- Structured regular management review of conformity to policies and procedures
- Internal audit reviews against the ISO/IEC 27001 standard by the Busha Audit Team
- External audit against the standard in order to gain and maintain certification
Details of how internal audits will be carried out can be found in Procedure for ISMS Audits.
2.11 Documentation Structure and Policy
All information security policies and plans must be documented. This section sets out the main documents that must be maintained in each area.
Details of documentation conventions and standards are given in the Procedure for the Control of Documented Information.
2.12 Policy Availability
Busha Digital Limited shall ensure that its Information Security Policy is made available, upon formal request, to external interested parties, including customers, regulatory bodies, and independent auditors, in order to demonstrate compliance with applicable requirements and to foster transparency.