Incident management and corrective actions
Identification and reporting of incidents
Fellow Digitals has procedures in place for the identification, reporting, handling, and follow‑up of security incidents, privacy incidents, and other deviations. These procedures ensure that incidents are handled in a consistent, timely, and controlled manner, with appropriate attention to impact, continuity, and compliance.
Classification and assessment
Deviations and disruptions may arise from various sources, such as operational issues, audits, customer reports, or changes in systems or processes. Such events are assessed to determine whether they constitute an information security incident, a privacy incident (data breach), or another form of non‑conformity. This assessment supports appropriate response, escalation, and coordination.
Incident handling and response
Information security incidents and data breaches are handled through a dedicated incident management process. This process supports prompt containment, impact assessment, and coordination of response activities. Employees and relevant external parties are expected to report suspected incidents or weaknesses so that registration, analysis, and follow‑up can take place.
Corrective actions and root cause analysis
A key element of this control is the systematic analysis of incidents and deviations. Events are reviewed to identify underlying causes rather than only addressing immediate effects. Based on this analysis, corrective actions are defined and implemented to address root causes and to reduce the likelihood of recurrence. Where appropriate, the effectiveness of these corrective actions is evaluated.
Learning and continuous improvement
Incidents and corrective actions contribute to broader security and privacy governance. Relevant outcomes may serve as input for risk reassessment, control adjustments, or improvement initiatives within the Information Security Management System (ISMS). This ensures that incident handling supports continuous improvement and risk‑based decision‑making.
Notification and reporting obligations
Regulatory, contractual, or customer‑specific notification and reporting obligations are addressed where applicable, including coordination with customers or other stakeholders when incidents affect shared services or data processing responsibilities.
Through this structured approach to incident management and corrective actions, Fellow Digitals ensures that security and privacy incidents are not only resolved, but also used systematically to strengthen controls and improve the ISMS over time.
Updated: 7 May 2026