Introduction


Information security is a fundamental pillar for CompassDigital S.L., a Spanish software development company specialized in participating in public tenders.

Within the scope of our activities, we manage sensitive information (our own, our clients’, and that of public organizations), whose proper protection is critical to maintaining trust and business continuity. For this reason, the Management of CompassDigital S.L. has implemented an Integrated Management System (IMS) in accordance with international standards ISO/IEC 27001:2022 and ISO/IEC 20000:2018.

The main objective of this IMS is to preserve the confidentiality, integrity, and availability of the company’s information, while also ensuring the continuity of operations and services.


1. Scope

The scope of this policy covers CompassDigital S.L. in its entirety, including all its organizational areas, software development processes, and activities related to participation in public tenders that fall within the defined scope of the IMS.

This policy applies to all personnel of CompassDigital S.L. (management, employees, and collaborators), as well as external third parties (suppliers, contractors, or partners) who access or process company information.

All information and service assets of the organization are included within the scope, including logical assets (systems, applications, databases, networks), physical assets (equipment, devices, paper records), and information in any format (digital, printed, or oral) that is created, processed, stored, or transmitted by CompassDigital S.L. in the course of its activities.

All recipients of this policy (employees and third parties with access to CompassDigital S.L. information) are required to comply with it within the scope of their respective responsibilities. Any breach of this policy may result in internal disciplinary measures for employees or corresponding contractual actions for third parties, in accordance with applicable regulations and signed agreements.


2. Guiding Principles of Information and Service Security

This policy is based on a set of guiding principles for information security adopted by CompassDigital S.L. The first three (confidentiality, integrity, and availability) constitute the fundamental basis of information and service security according to international best practices:

Confidentiality: Ensuring that information is accessible only to duly authorized individuals, entities, or processes. CompassDigital S.L. protects information against unauthorized access or disclosure by ensuring appropriate levels of access control and classification according to its sensitivity.

Integrity: Maintaining the accuracy and completeness of information and its processing methods throughout its lifecycle. The company implements measures to prevent unauthorized alteration of data and ensure that information remains correct, reliable, and free from unwanted modification or destruction.

Availability: Ensuring that systems and information are accessible and operational when required by authorized users. CompassDigital S.L. ensures service continuity and minimizes disruptions by implementing backup controls, redundancy, and continuity plans that guarantee the timely availability of critical data and resources.

Authenticity: Verifying the identity of users, processes, and devices, ensuring that interactions with information systems originate from trusted sources. This principle guarantees the authenticity of information and communications, preventing identity impersonation.

Traceability (Accountability): Ensuring that actions performed on information assets can be traced back to their origin. CompassDigital S.L. maintains records and evidence (logs, audits) that allow information usage to be tracked and responsibilities to be attributed, ensuring non-repudiation and facilitating the investigation of security incidents.

Legal and regulatory compliance: Strict compliance with all applicable legal, regulatory, and contractual obligations related to information security. This includes adherence to data protection regulations (General Data Protection Regulation – GDPR and Spanish Organic Law 3/2018 on Data Protection and Digital Rights), as well as compliance with the National Security Framework (ENS) where applicable, and any other legislation, regulation, or standard adopted by the organization.

Risk management: Adopting a systematic approach to managing information and service security risks. The organization identifies, evaluates, and proactively addresses risks affecting information, systems, and services, implementing appropriate security measures to mitigate them to acceptable levels. Risk assessments are carried out periodically and upon significant changes.

Training and awareness: Promoting a culture of security within the company through continuous training and awareness programs. All CompassDigital S.L. personnel receive appropriate training in information security, including knowledge of this Security Policy, associated procedures, and best practices.

Continuous improvement: Pursuing continuous improvement of the IMS and implemented security measures. CompassDigital S.L. is committed to monitoring and regularly reviewing the performance of security controls, learning from experience, audit results, and evolving threats.

Additionally, information and service security is governed by the following principles:

  • Integration: Security is a fully integrated process aligned with the business, involving the entire organization.

  • Cost-effectiveness: Security is guided by business criteria, considering the balance between cost and investment, leveraging synergies to optimize efficiency.

  • Continuity: Security must be present throughout its lifecycle: protection, prevention, detection, response, and recovery.

  • Adaptability: Security measures must adapt to the business environment and external factors such as competition and social, political, or economic conditions.


3. Management Commitments

Top Management of CompassDigital S.L. demonstrates leadership and commitment to the IMS by assuming the following responsibilities:

Leadership and strategic alignment: Integrating information and service security into business objectives and processes. Management ensures that security policies and controls are aligned with strategic objectives and client needs.

Compliance with requirements: Ensuring strict compliance with all applicable legal, regulatory, and contractual obligations related to information security and privacy, including GDPR/LOPDGDD and ENS where applicable.

Provision of resources: Providing the necessary human, technological, and financial resources to implement and maintain appropriate security measures and service delivery. Management assigns qualified personnel and tools, defines responsibilities, and appoints a Chief Information Security Officer (CISO).

Protection of information assets: Safeguarding information assets through appropriate technical, organizational, and physical controls, including access control, encryption, backups, continuity plans, and vulnerability management.

Awareness and training: Promoting a strong security culture through ongoing training and awareness initiatives, ensuring employees understand and comply with this policy.

Risk management and business continuity: Ensuring periodic risk assessments and the implementation of treatment plans to maintain risks under control. Management supports the identification of new threats and ensures robust business continuity and incident response plans.

Service quality and SLAs: Ensuring compliance with agreed service quality levels and contractual agreements (SLAs).

Continuous improvement of the IMS: Regularly reviewing the effectiveness of the Integrated Management System and promoting continuous improvement through audits, performance evaluation, and corrective actions.

Policy review and update: Ensuring that this policy is reviewed periodically (at least annually) or whenever significant changes occur, guaranteeing its continued suitability. Any modifications must be reviewed and approved by Top Management before formal adoption.