Information Security Policy

Purpose

This document sets out the aims, objectives and overall structure of the Information Security Management System (ISMS), in accordance with ISO/IEC 27001:2022. It additionally establishes the security requirements applicable to information systems supporting services delivered to entities of the Spanish public sector, in accordance with Royal Decree 311/2022, which establishes the National Security Framework (ENS), at the Medium Category level.

The Company additionally operates an Artificial Intelligence Management System (AIMS) in accordance with ISO/IEC 42001:2023, governed under Process P11 — AI Governance. AI systems deployed or used by the Company are treated as information assets within the scope of this ISMS; their specific security controls are defined in coordination with the AIMS.

Objectives

Information Security aims to ensure business continuity and minimise disruption by preventing and reducing the impact of Information Security incidents.

In particular, information assets are protected to ensure:

  • Confidentiality – protection against unauthorised disclosure or loss;
  • Integrity – protection against unauthorised or accidental modification of assets;
  • Availability – ensuring information assets are accessible to authorised users when required to meet business objectives;
  • Resilience – ensuring ICT services are prepared for incidents and can recover rapidly when they occur (ISO 27001:2022 emphasis).

Document Scope

This Policy applies to all business functions within the scope of the ISMS. It covers information, information systems, networks, the physical environment (including cloud-based and directly hosted services), as well as the Company’s products and services.

The Policy applies to all employees, contractors and third parties supporting these functions.

AI systems developed, deployed or used by the Company — including those accessed as third-party services — are included as information assets within the scope of this Policy. Controls specific to AI systems are defined in the AIMS (Process P11) and in the relevant ISMS policies: P.IS.03 (Asset Management), P.IS.08 (Data Protection) and P.IS.15 (Secure Systems & Development).

National Security Framework (ENS) — Medium Category

For the purposes of conformity with Royal Decree 311/2022 (ENS), this Policy additionally applies to the information systems supporting services contracted with entities of the Spanish public sector. Those systems are classified at the Medium Category of the ENS, based on the security dimension assessment (availability, integrity, confidentiality, authenticity and traceability) conducted as part of the risk analysis process.

The applicable ENS scope is documented in the ENS Statement of Applicability, maintained and reviewed by the Security Officer (CSO/CISO).

Responsibilities

ISO/IEC 27001:2022

Role: Responsibilities

CEO: Has overall responsibility for Information Security and ensures that sufficient resources are available to support the Information Security function. Formally approves this Policy and its revisions.

Management: Responsible for ensuring that employees and contractors comply with this Policy.

CSO/CISO (Security Officer): Responsible for the operational management of the ISMS; maintaining and updating ISMS documentation; ensuring compliance with legal, regulatory and contractual obligations; promoting security awareness and training; managing incidents and investigations; and reporting ISMS performance to management.

Data Protection Officer: Responsible for the day-to-day management of data protection matters.

CTO: Responsible for technical security activities, including documentation, systems monitoring, technical incident investigation and liaison with external technical contacts, as well as the management of cryptographic controls, backups, malware protection and access management.

Employees and contractors: Responsible for protecting assets under their control, including locations, hardware, software, systems and information; complying with all security policies and procedures; and reporting any suspected security breaches or vulnerabilities.

ENS Security Structure — Article 11, RD 311/2022

In accordance with Article 11 of Royal Decree 311/2022, the following roles are formally established for systems within the ENS scope. These roles are operationally independent to prevent conflicts of interest.

ENS Role (Function): Responsibilities

Information Owner (CEO): Determines the value and sensitivity of information assets; defines classification and protection requirements; formally accepts residual risks over information assets.

Service Owner (CCO): Owns the services delivered to Spanish public sector clients; defines service-level security requirements; accountable for service continuity and the fulfilment of contractual security obligations.

Security Officer (CSO/CISO): Operationally manages the ISMS; maintains security policies and documentation; ensures regulatory compliance; manages security incidents and coordinates their resolution; reports to the CEO. This role is functionally independent from the System Responsible, with no direct hierarchical dependency between them.

System Responsible (CTO): Manages the technical operation of information systems within the ENS scope; implements security controls as defined by the Security Officer; manages access controls, patching, system configurations and backups.

Principles

This Information Security Policy defines how the Company addresses business risks in line with ISO/IEC 27001:2022. It establishes the requirements for implementing appropriate security controls to manage risks associated with the Company’s activities.

The implementation and ongoing management of this system are fundamental to all work carried out by the Company. The procedures established are adopted and followed by employees at every level of the organisation.

The Company has adopted a process-based approach to develop, implement and continually improve the effectiveness of its ISMS. In doing so, the Company commits to:

  • Understanding business, legal, regulatory and contextual Information Security requirements.
  • Implementing and operating security controls aligned with ISO/IEC 27001:2022 Annex A (Organisational, People, Physical, Technological).
  • Applying a risk-based approach to identify, assess and treat risks.
  • Integrating threat intelligence, data leakage prevention and cloud security into operational activities.
  • Monitoring and reviewing the performance and effectiveness of the ISMS.
  • Pursuing continual improvement based on objective measurement and evaluation.
  • Communicating the importance of complying with statutory and regulatory requirements relevant to the Company’s activities.
  • Ensuring that sufficient resources are allocated to operate, monitor and maintain the ISMS.

ENS Security Principles — Article 5, RD 311/2022

In accordance with Article 5 of Royal Decree 311/2022, the following principles govern information security for all systems within the ENS scope:

Principle: Description

Integral Security: Security is considered across all system components and processes, from inception through end-of-life.

Risk Management: Security decisions are proportional to identified risks, based on a structured analysis of assets, threats, vulnerabilities and potential impact.

Prevention, Detection, Response and Recovery: Security measures address all phases of the incident lifecycle, not only prevention.

Defence in Depth: Multiple independent security layers are applied; no single control is considered sufficient.

Continuous Monitoring: Information systems are continuously monitored to detect anomalies and adapt security measures to an evolving threat landscape.

Separation of Responsibilities: Roles and responsibilities are clearly defined and separated to prevent conflicts of interest, in particular between those who define security requirements and those who operate systems.

Information Security

Information Security considerations are integrated into all daily activities, processes, plans, projects, contracts and partnerships undertaken by the Company.

Employees are required to be aware of and comply with Information Security procedures set out in relevant Policies and guidance documents. Compliance requirements are also included within Contracts of Employment.

Copies of all Information Security Policies are available to all employees.

Any breach of Information Security Policies or procedures may result in disciplinary action, including dismissal.

Employees receive training and guidance on both general and role-specific Information Security requirements. Contracts of Employment also include confidentiality provisions relating to Company business.

The Company maintains a Business Continuity Plan. This plan is regularly tested, reviewed and updated.

Statutory and regulatory requirements are monitored and complied with, including any relevant updates or changes.

Additional Policies and Directives — including those relating to access control, acceptable use of email and the Internet, malware protection, backups, password management and systems monitoring — are implemented, maintained and regularly reviewed.

This Information Security Policy is reviewed at least annually and updated where necessary to ensure ongoing relevance, legal compliance and continual improvement of the ISMS.

The ISMS and associated Information Security activities are subject to continuous improvement through internal and external audits and ongoing risk assessments.

Non-disclosure and confidentiality agreements are established with third-party organisations where appropriate.

Risk Management

The Company applies a risk-based approach to identify, assess and treat risks to information security. Risk assessments are conducted at planned intervals and whenever significant changes occur.

For information systems within the ENS scope, risk analysis follows the MAGERIT v3 methodology (or an equivalent methodology recognised by the National Cryptologic Centre — CCN), covering asset identification, threat analysis, vulnerability assessment and impact evaluation, in accordance with Article 13 of Royal Decree 311/2022.

Incident Management

Security incidents are managed in accordance with the Company’s Incident Management procedures.

Security incidents affecting information systems within the ENS scope are reported to the National Cryptologic Centre (CCN-CERT) within the timeframes and in accordance with the procedures established by Royal Decree 311/2022 (Article 36) and the applicable Security Technical Instructions.

Review and Continuous Improvement

This Policy and the ISMS are reviewed at least annually, or whenever significant changes occur to the business, risk landscape or regulatory requirements. Improvements are informed by risk assessments, incident analysis and performance monitoring.

Internal and external audits are conducted to ensure the effectiveness of the ISMS and continued compliance with ISO/IEC 27001:2022, ISO/IEC 42001:2023 and, where applicable, Royal Decree 311/2022 (ENS).

This Policy is formally approved by the CEO. The current approved version supersedes all previous versions.