
Information Security Policy

Check our Information Security Policy below:

1. Purpose

The purpose of this Information Security Policy is to establish the general guidelines for effectively protecting the confidentiality, integrity, and availability of the information managed by the organization. The policy covers the organization's activities in the validation of computer systems, consultancy, training, and quality auditing in accordance with the regulatory standards of the European Union and the FDA, aimed at the pharmaceutical and medical device industries, as well as the provision of ICT services across all sectors.


This policy serves as the reference framework for setting information security objectives and is developed in compliance with the ISO/IEC 27001:2022 standard, industry best practices, and applicable legal and regulatory requirements.


2. Scope

This policy applies to all processes, systems, services, resources, and information assets managed by the company, regardless of the medium (physical or digital), and which are involved in the following areas:

  • Validation of computer systems in compliance with regulatory requirements.
  • Consulting, training, and quality auditing services for the pharmaceutical and medical device sectors.
  • Provision of ICT services to clients in any sector.
  • Internal information management, including corporate and support systems.


It applies to all company personnel, as well as external collaborators, suppliers, contractors, and third parties who have access to the organization’s information or systems.


3. Responsibilities

Compliance with this Information Security Policy is the responsibility of everyone in the organization, at all hierarchical levels. The responsibilities are detailed below:

Top Management

Top Management holds ultimate responsibility for ensuring information security within the organization. Its functions include:
  • Approving and supporting the Information Security Management System (ISMS).
  • Providing the necessary resources (human, technological, and financial) for the development, implementation, maintenance, and continuous improvement of the ISMS.
  • Establishing strategic objectives related to information security.
  • Promoting an organizational culture focused on risk management and protection of information assets.

CISO (Chief Information Security Officer)

The CISO is directly responsible for managing the development, implementation, and maintenance of the ISMS, acting as the technical and strategic reference for information security. Their responsibilities include:

  • Defining and promoting information security policies, procedures, and controls.
  • Coordinating risk analysis and management activities related to information.
  • Overseeing responses to security incidents.
  • Ensuring compliance with applicable legal and regulatory requirements.
  • Regularly reporting to Top Management on the status of the ISMS, identified risks, and improvement plans.

Employees and Collaborators

All employees, consultants, contractors, and external collaborators with access to the company's information or systems are responsible for:

  • Complying with this Policy and with the internal information security procedures.
  • Protecting the information assets they access, avoiding disclosure, loss, alteration, or misuse.
  • Participating in information security awareness and training activities.
  • Immediately reporting to the CISO or the designated area any incident, security breach, or suspicious behavior that could affect information security.

4. Commitments

The company’s Management expresses its strong commitment to information security through the following principles, which serve as the reference framework for the objectives of this policy:

  • Confidentiality: Ensuring that information is accessible only to authorized persons, preventing unauthorized access, leaks, or improper disclosure.
  • Integrity: Ensuring the accuracy, consistency, and reliability of the information and the systems that process it, protecting it from unauthorized modifications or loss.
  • Availability: Maintaining system operability and ensuring that authorized users can access the information when needed.
  • Access control and cloud security: Restricting access to sensitive information strictly to authorized individuals based on their roles and responsibilities; as a cloud services provider, implementing specific security controls to protect cloud environments and prevent unauthorized access or data leaks.
  • Regulatory compliance: Ensuring compliance with applicable legal, contractual, regulatory, and other relevant requirements in information security, including commitments made with clients, authorities, and other stakeholders.
  • Awareness and training: Fostering a culture of information security through continuous training and raising employee awareness about risks and best practices.
  • Risk management: Systematically identifying, assessing, and addressing information security risks by applying appropriate controls to minimize their impact.
  • Continuous improvement: Promoting ongoing improvement of the Information Security Management System (ISMS) through periodic reviews, internal audits, incident analysis, and stakeholder feedback.

This policy will be reviewed periodically to ensure it remains adequate in light of regulatory, technological, and organizational changes, and it is available to all relevant stakeholders.