Policies and guidelines


Icelandair Group conducts all its business in an honest and ethical manner and wants to ensure that timely and correct information about Icelandair Group is made available to all stakeholders.

Icelandair Group Information Security Policy

Icelandair Group has been listed on the NASDAQ OMX Iceland since 2006. The Group has two main business areas:
Route Network:  This business segment is focused on the well-established international and domestic route networks based on the Hub and Spoke concept that the Group has developed for the last decades.
Tourism Services:  With a focus on support to the route network as well as offering value-added service to tourists in Iceland and Icelanders travelling abroad.

Information relevant to Icelandair Group's business includes:

  • General information about its operation, accounting, and other related matters.
  • Information about its customers, which is used to increase service value and to develop additional services.
  • Icelandair Group also gathers information about their flight operations and is obligated to protect and store this type of information for audits by the Civil Aviation Authorities.
All Icelandair Group information assets shall undergo a risk analysis and risk evaluation. Control measures will then be selected and implemented to ensure risks are managed and reduced to an acceptable level. A risk assessment will be used to evaluate:
  • The financial and/or operational damage a breach in security for any information asset could have. The information asset owner shall evaluate consequences by threats in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities.
  • The realistic probability of a security breach based on the operational threats that are present as well as current control systems.
Icelandair Group security policy and procedural guides are based on ISO/IEC 17799:2005 and information security management is based on ISO/IEC 27001:2013.


This security policy applies to the Icelandair Group information assets in any electronic form. Icelandair Group information security policy will be implemented through a procedural manual that includes guidelines and a management structure for Icelandair Group information security. The manual is intended for all Icelandair Group’s employees involved in the use of the company’s information assets.
Management of information security will include all of Icelandair Group’s operations with particular emphasis on information assets in electronic form that include:
  • Information that is the property of Icelandair Group and protected by the proprietary and/or copyright laws
  • Employee information
  • Customer information
  • Information systems, tools, or other data in the electronic form used for Icelandair Group operations

Definition and concept

In information security management the following concepts are important:
Information:  Information and data that are kept and have operational value for the Icelandair Group.
Information asset:  Information that is categorised as valuable to Icelandair Group's operations.
Confidentiality:  Ensuring that information is accessible only to those authorised to have access.
Integrity:  Safeguarding the accuracy and completeness of information and processing methods.
Availability:  Ensuring that authorised users have access to information and associated assets when required.
Continuity:  Ensuring that the operation of the company is preserved at any time.

Security policy

Information security policy


The purpose of this security policy is to protect the Icelandair Group from internal or external threats, either intentional or accidental.


Instituting the Icelandair Group information security policy will be the responsibility of the management team; implementation will be the responsibility of the Icelandair Group Information Security Officer. The purpose of the policy is to provide assurance to Icelandair Group customers, owners, and employees that the Icelandair Group is guarding its information assets. Furthermore, the policy shall provide for confidentiality, integrity, and availability, by assuring:
  • That information is correct and available to authorized users
  • That information is not accessible to unauthorised users and that there are active surveillance measures in place
  • That information will not be made available to unauthorised users through oversight and/or error
  • That information is protected from theft, fire, natural disasters, and other external threats
  • That information is protected from computer viruses and other similar threats
  • That backups are available, correct, and stored safely
  • That information is transported safely through the network to the correct recipient(s)
  • That employees follow company operational guidelines
  • That an operational contingency plan is implemented, maintained, and tested on a regular basis
  • That employees understand their role in the security policy and its implementation and are trained accordingly
  • That abnormalities, misconduct, and identified weaknesses are treated according to defined procedures to improve security


Icelandair Group information security policy applies to all its employees. All employees and managers are responsible for the implementation of the Icelandair Group information security policy. Icelandair Group information security policy must be included in all 3rd party contracts. Icelandair Group information security policy and its implementation are fully supported by the board of directors.


All Icelandair Group information assets will be evaluated on the basis of their risk tolerance.

Icelandair Group will implement a management system based on the results of a risk assessment and create controls that maintain procedures and security according to each information asset’s risk assessment.
Icelandair Group will follow and abide by all laws and regulations that apply to its operation.


All access to Icelandair Group offices shall be controlled and all employees shall be active in implementing and enforcing access control.

All Icelandair Group employees that are granted access to the Icelandair Group information system from remote locations shall sign a special remote access security declaration.
All communication suppliers shall sign a special non-disclosure agreement that includes a guarantee of confidentiality, integrity, and availability in accordance with the Icelandair Group information security policy.


Icelandair Group executives are responsible for the information security policy and its review. Icelandair Group shall appoint an information security officer that will be responsible for implementing the information security policy.
The information security officer shall be granted full authority to implement all parts of the policy. All Icelandair Group employees shall follow the policy and procedures in their respective work functions and the Icelandair Group information security officer shall provide adequate introduction and instruction for all employees.

All Icelandair Group 3rd party contractors shall be informed of the Icelandair Group information security policy, and contracts shall include a clause regarding the contractor’s role in implementing and abiding by said policy.

All employees of Icelandair Group and 3rd party contractors shall inform the Icelandair Group Information Security Officer of any breach or potential weakness in the implementation of the policy.

Icelandair Group reserves the right to take legal action against any entity or person(s) that threatens the integrity and confirmation of the Icelandair Group information security policy.