| Version | Author | Approved by | Approval date | Comment |
|---|---|---|---|---|
| 1.0 | Edwin Mata | Coordination Committee | 26 January 2018 | Initial version of the document |
| 2.0 | Edwin Mata | Coordination Committee | 13 June 2018 | |
| 2.1 | Edwin Mata | Coordination Committee | 25 January 2019 | |
| 3.0 | Pau Mestre | Coordination Committee | 30 April 2019 | |
| 3.1 | Milagros Quintana | Coordination Committee | 8 April 2021 | |
The objective of this high-level Policy is to define the purpose, direction, principles and basic rules for information security management.
This Policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope Document.
The users of this document are all Signaturit employees, as well as relevant external parties.
Confidentiality – a characteristic of information whereby it is only available to authorised persons or systems.
Integrity – a characteristic of information whereby it is only modified by authorised persons or systems in a permitted manner.
Availability – a characteristic of information whereby it can be accessed by authorised persons when needed.
Information security – preservation of confidentiality, integrity and availability of information.
Information security management system – part of the overall management processes responsible for planning, implementing, maintaining, reviewing and improving information security.
Signaturit shall establish and evaluate objectives on an annual basis. All objectives are detailed in the document ISMS and QMS Objectives Review Coordination Committee. Please refer to the specific document for the applicable objectives for each audited period.
Compliance with all objectives shall be measured by an independent expert, and this measurement shall be carried out at least once a year. The independent expert body appointed is AENOR INTERNACIONAL, S.A.U., a company with registered offices at Calle Génova, nº 6, 28004 Madrid, incorporated for an indefinite period of time by public deed executed before the Notary Public of Madrid, Mr. Amalio MENÉNDEZ LORAS, on 13 July 2001, under notarial deed number 2,024, and registered in the Companies Register of Madrid, volume 16,834, folio 79, page M-287,700, 1st entry. Its evaluation report will be forwarded directly to the Coordination Committee for review.
This Policy and the entire ISMS must comply with legal and regulatory requirements as well as relevant contractual obligations for the organisation and its cloud service customers in the field of information security and the protection of personally identifiable information (PII).
The list of legislation and technical standards applicable to the services provided by Signaturit is detailed in section 2.1 of the ISMS Scope Document. As for contractual obligations, Signaturit’s Legal Department has a file with all the contracts Signaturit has signed with third parties; access to this file is restricted. In addition, the Legal Department supervises the company’s day-to-day compliance with third parties and legislation, and issues recommendations to Signaturit’s governing body when necessary.
The process for selecting controls (safeguards) is defined in the Risk Assessment and Treatment Methodology.
The selected controls and their implementation status are listed in the statement of applicability.
The Business Continuity management of Signaturit’s services is established in the following three documents:
The responsibilities of the ISMS are as follows:
The Legal Department shall ensure that all Signaturit employees, as well as the appropriate external parties, are aware of this Policy. Therefore, this Policy is available to all Signaturit personnel in Confluence, together with all the policies that make up the documentary structure of the Information Security Management System.
In addition, new communications of this document shall be sent by email to [email protected], indicating that its content is mandatory for all Signaturit employees.
The Coordination Committee hereby declares that the implementation of the ISMS and continuous improvement shall be supported with adequate resources to achieve all the objectives established in this Policy, as well as to satisfy all the identified requirements of ISO 27001.
The owner of this document is the Head of the Legal Department, who is required to check and, where appropriate, update the document at least every six months.
In assessing the effectiveness and adequacy of this document, the following criteria should be taken into account: