Security Policy

Security Policy of Information Security and Privacy Management System (ISPMS)


1. Declaration of the Security Policy of the Information Security and Privacy Management System (ISPMS)

The Security Policy establishes the guidelines and principles set by the IE group (hereinafter IE) to endorse the protection of information, privacy, and the protection of personal data subject to processing, as well as the fulfillment of defined security objectives, ensuring the confidentiality, integrity, and availability of information systems and, of course, ensuring compliance with all applicable legal obligations.

The IE management, aware of the importance of information security in the workplace, assumes and establishes the following commitments regarding the Information Security and Privacy Management System (hereinafter ISPMS):

  • To ensure that information security objectives are established, always aligned with the company's strategy.
  • To ensure that security requirements are integrated into the organization's processes.
  • To ensure the necessary resources for the management system.
  • To communicate the importance of effective information security management in accordance with ISPMS requirements.
  • To ensure that ISPMS achieves the intended results.
  • To lead and support people to contribute to the effectiveness of the information security management system.
  • To promote continuous improvement of the management system.
  • To support relevant roles in demonstrating their leadership in their areas of responsibility.
  • To achieve compliance with applicable data protection legislation and/or regulations, including but not limited to the principles and provisions established in the General Data Protection Regulation (GDPR) and the Organic Law on Data Protection and Digital Rights Guarantee (OLDPDRG).
  • To ensure the completeness of the contractual terms agreed between the organization and its partners, subcontractors, and relevant third parties, such as students or clients, where the duty of information is fulfilled and responsibilities are clearly assigned to each party. For this, the management will ensure that IE personnel comply with the regulations, policies, procedures, and instructions related to information security.

Through the development of its ISPMS, IE aims to ensure the following security objectives:

1. Ensure the confidentiality, integrity, and availability of information.

2. Ensure the privacy and protection of personal data processed within the organization's processes.

3. Comply with all applicable legal requirements.

4. Have a continuity plan that allows for the recovery of processes and activities in the event of an incident, in the shortest time possible.

5. Train and raise awareness among all employees about information security.

6. Meet expectations and needs in terms of security.

7. Manage all incidents properly.

8. Inform all employees of their roles and security obligations and ensure they are responsible for fulfilling them.

9. Continuously improve the IS&PMS and, therefore, the organization's information security.

Through the development of its ISPMS, IE aims to ensure the following security objectives:

1. Ensure the confidentiality, integrity, and availability of information.

2. Ensure the privacy and protection of personal data processed within the organization's processes.

3. Comply with all applicable legal requirements.

4. Have a continuity plan that allows for the recovery of processes and activities in the event of an incident, in the shortest time possible.

5. Train and raise awareness among all employees about information security.

6. Meet expectations and needs in terms of security.

7. Manage all incidents properly.

8. Inform all employees of their roles and security obligations and ensure they are responsible for fulfilling them.

9. Continuously improve the IS&PMS and, therefore, the organization's information security.

To ensure the proper functioning of the ISPMS and meet the established objectives and requirements, the management of IE has appointed an ISPMS Committee that will ensure compliance with the guidelines set out in this policy.

2. Purpose

The purpose of this policy is to establish general guidelines and the commitment of the Management for the company to manage information security effectively.

This policy constitutes the reference framework of the IS&PMS that exists at IE, based on the ISO IEC 27001:2022 and 27701:2019 standards.

3. The review of the ISPMS security policy

The information security policy, like the processes of the Management System, is regularly reviewed at planned intervals or if significant changes occur to ensure its continued suitability, effectiveness, and efficiency. In general, they are reviewed annually during the internal audit process of the ISPMS .

The management also plays a crucial role in reviewing the system, conducting a thorough analysis of the system, and identifying possible improvements and deficiencies.

There are monitoring procedures that provide information about the proper performance of the ISPMS .