Information Security Policy

In pursuit of sustainable operation and the protection of our customers’ trust in us, Acer began implementing an information security management system in 2019. At the foundation of this ISMS is Acer’s information security policy, helping ensure the security of information assets and the continuity of information services, thus mitigating the threat from and impact of information security incidents.

Information Security Governance

As a global brand, Acer considers maintaining information security immensely important, especially with regard to earning and keeping the trust of those investing in the brand, customers, and other interested stakeholders. We continue to work to improve global information security organization and policy, and to coordinate work on the various aspects of information security management systems, to ensure that the Group’s information assets comply with relevant laws, regulations, and standards. We also strive to set out the security control measures necessary to protect the Group’s information systems and services. 

We have established a global information security management organization, and in accordance with the organizational structure, powers, and responsibilities, jointly worked to maintain the system’s sound operation, achieving our goal of stronger information security management. The head of ISMS is the Head of the Global IT and assigns a co-convenor. The head of each division is a member of the information security management organization and assigns representatives to establish the Information Security Management Team, the Information Security Establishment Team and the Information Security Incident Response Team. The information security internal audit team is staffed by the auditing office, and the support team draws from Human Resources, General Affairs, Marketing, Legal Affairs and Finance Departments. 

Since October 2021, Acer has launched the Global Re-architect project, spending 2 years to re-examine information

security and infrastructure across the globe. Each year, we undergo reviews and revalidation by third-party certification body BSI to ensure the continued effectiveness of our ISO 27001 certification. Acer maintains mechanisms for planning, establishing, executing, and

monitoring to safeguard the confidentiality, integrity, and availability of information assets.

In 2024, Acer Headquarters' Cybersecurity Center was reorganized, with the Cybersecurity Department promoted to a

Cybersecurity Center. Additionally, adjustments were made to the newly implemented control measures in accordance with the ISO 27001:2022 version. To further enhance information security management, Acer Headquarters' Cybersecurity Center organized the 2024 Acer Group Cybersecurity Workshop.

Through this workshop, Acer Headquarters' Cybersecurity Center shared cybersecurity experiences with the subsidiaries,

strengthening connections between the group and the headquarters to achieve an effective collaborative defense

against cyber threats.

Download the certificate

Information Security Training

Acer Corporation has implemented personnel education and training programs to strengthen information protection mechanisms and information security management. In the second quarter of 2024, all IT personnel in the global IT department successfully completed security education and training. Furthermore, comprehensive security education and training sessions were conducted for all employees across all departments worldwide, addressing important topics such as passwords, phishing, remote work, ransomware, business email attacks, and the reporting procedures for phishing incidents.

In 2024, the Acer Headquarters Cybersecurity Center provided cybersecurity awareness training to a total of 6,148 Acer employees worldwide, including those from unlisted subsidiaries. Of these, 5,728 employees successfully completed the training, resulting in a completion rate of approximately 93%. The standard for completion required passing a post-training assessment, with all test scores needing to reach 100%.

Information Security Drill

To ensure staff can respond promptly to and handle issues resulting from the impact of major system failures, negative human factors, or natural disasters, Acer holds annual vulnerability scans, penetration tests, and business continuity drills to examine the risk coefficient of all processes and establish recovery plans that strengthen the Company’s emergency response capability and tolerance against cyber attacks. The details of this are as below:     

Acer regularly conducts annual disaster response drills for fire, power outage, earthquake, etc. In addition, Acer also conducts quarterly drills for the core systems (including the ERP system, order management system, and accounting system) and more than 100 sub-systems to implement different levels of recovery control measures according to the plan, so as to minimize the impact of a disaster.

Evaluation Mechanism

ISO 27001 third-party audits are conducted annually, with regular internal and external ISMS audits following the PDCA continuous improvement cycle. In 2024, four audits identified 59 findings: 14 non-conformities and 45 recommendations. (Please refer to the following figure) By December 31, 2024, 80% (47 items) have been resolved. The organization is implementing automation tools to improve information security management, with remaining issues planned for resolution in 2025. 

• Regularly implement information security drills, stress tests, and data recovery drills during non-audit periods
• Regularly conduct: personal data inventory and risk assessment and handling of personal data for equipment security control

• Occasionally conduct: Training of personal data processing managers, implementation of data security test drills, and supervision of outsourced vendors to comply with personal data protection regulations.