1. Purpose

The purpose of this policy is to provide the directives or guidelines to be followed in order to protect the Organization’s information from a wide range of threats.

2. Scope

The scope of the Information Security Policy coincides with the scope of the ISMS as established in the document “I-TIC-001 Context of the Organization”.

3. Definitions and Acronyms

For the correct interpretation of this Policy, the following definitions are included:

• Information: Data that has meaning, in any format or medium. It refers to all communication or representation of knowledge.
• Information System: A set of related and organized resources for processing information, according to specific procedures, both computerized and manual.

4. Specifications

4.1. Objectives of the Information Security Policy

To ensure that clients and service users have access to information with the quality and service level required for agreed performance, and to prevent loss or alteration of information and unauthorized access.

A framework is established for achieving the organization’s information security objectives. These objectives will be achieved through a series of organizational measures and clearly defined rules.

This Security Policy will be maintained, updated, and adapted to the organization’s purposes.

The principles to be respected, based on the basic dimensions of security, are:

• Confidentiality: Only those authorized and properly identified may access the information managed by INOXPA, at the appropriate time and through the enabled means.
• Integrity: Ensures the validity, accuracy, and completeness of the information managed by INOXPA, allowing it to be modified only by those authorized.
• Availability: Information managed by INOXPA is accessible and usable by authorized and identified clients and users at all times, with its persistence guaranteed against foreseeable events.

Additionally, since any Information Security Management System must comply with current legislation, the following principle applies:

• Legality: Refers to compliance with laws, regulations, or provisions applicable to INOXPA, especially regarding personal data protection.

4.2. Risk Management

Information Security management at INOXPA is risk-based, in accordance with the international standard ISO/IEC 27001:2022.

Processes will be periodically generated to identify potential risks that may affect the security of the information of the services provided. These risks will then be analyzed and evaluated to take appropriate treatment actions through measures or controls.

This process is cyclical and must be carried out periodically, at least once a year. Each identified risk will be assigned an owner, and multiple responsibilities may fall on the same person or committee.

4.3. Roles, Responsibilities, and Authorities

Described in the document “N-TIC-007 Roles, Responsibilities, and Authorities”.

4.4. ISMS Objectives

The INOXPA ISMS must ensure:

• Development of policies, regulations, procedures, and operational guides to support the information security policy.
• Identification of information that must be protected.
• Establishment and maintenance of risk management aligned with the ISMS policy and INOXPA’s strategy.
• Establishment of a methodology for risk assessment and treatment.
• Establishment of criteria to measure ISMS compliance.
• Correction of non-conformities through corrective actions.
• Training and awareness of personnel on information security.
• Informing all personnel of their obligation to comply with the information security policy.
• Allocation of necessary resources to manage the ISMS.
• Identification and compliance with all legal, regulatory, and contractual requirements.
• Identification and analysis of information security implications regarding business requirements.
• Measurement of the maturity level of the information security management system.
• Continuous improvement of the ISMS.

4.5. Organization and Responsibilities

• The General Management of INOXPA is responsible for approving this policy.
• The Information Security Management Committee is responsible for reviewing this policy.
• The ISMS Security Officer is responsible for maintaining this policy.

4.6. Policy Implementation

INOXPA has developed this document containing the General Information Security Policy, which has been approved by General Management and communicated to all company personnel.

4.7. Training and Awareness

The ISMS Security Officer must ensure that all personnel involved in the ISMS are aware of this policy, its objectives, and processes through dissemination, training, and awareness actions.

The ISMS Communication Officer must ensure the distribution of documents applicable to each level, according to the different roles defined in the company.

4.8. Audit

The General Management of INOXPA must ensure and verify, through internal and external audits, the degree of compliance with this Policy and that it is properly operated and implemented, being responsible for the implementation of corrective measures to maintain continuous improvement.

4.9. Validity and Update

This policy is effective from the moment of its publication and is reviewed at least once a year.

5. References

• I-TIC-001 – Context of the Organization
• N-TIC-007 – Roles, Responsibilities, and Authorities

6. Sanctions

Failure to comply with the Information Security Policy and other related regulations and procedures will result in sanctions, depending on the severity and nature of the non-compliance, in accordance with current labor legislation.

7. Ratification

All signatories below fully accept the content of this Policy and commit to applying it in their respective areas to ensure the proper functioning of the Information Security Management System.

?????

Banyoles, May 14, 2024

?????

General Management

ISMS Security Officer

?????