Integrated Management System Policy

SIA's mission is to provide IT solutions and digital signatures to its clients and to collaborate in their development. Its Management has developed and implemented an Integrated Management System (IMS), subject to a process of continuous improvement, in accordance with the requirements of the Information Security Management System (ISO/IEC 27001), the Environmental Management System (ISO/IEC 14001), the Quality Management System (ISO/IEC 9001), the Business Continuity Management System (ISO/IEC 22301), the IT Service Management System (ISO/IEC 20000) and the applicable legislation regulating the National Security Plan and the Protection of Personal Data, as well as the eIDAS regulations applicable to entities providing trusted services in the field of digital signature (Trusted Service Provider), such as SIACERT.

The present Policy is developed with the purpose of establishing a unique framework of action that allows for the alignment of each of the GIS areas and the commitment of the Management to provide the necessary resources for its implementation and continuous improvement.

The Management of SIA designates the Integrated Management System Committee as the highest authority in charge of reviewing, maintaining and disseminating it. The document "Roles, Responsibilities and Authority," defines the organizational framework, its structure, members, relevant roles, responsibilities and powers to ensure the conformity, adequacy and proper conduct of the GIS, in accordance with this Policy, as well as the procedure for its appointment and renewal.

This Policy shall be communicated, disseminated and followed by all staff of the Organization and other interested parties (clients, contractors, suppliers,...) who share services with SIA or process their information, being mandatory within their area of responsibility.

Non-compliance may lead to the initiation of the necessary disciplinary measures and, where appropriate, the corresponding legal responsibilities.

This policy is articulated and integrated into a set of standards, guidelines and procedures that address specific aspects. This documentation, as well as the rest of the documents that make up the IMS (procedures, records, reports, attestations and tests, programmes, etc.) are kept up to date with the latest approved versions by means of a document management system that uses the company intranet, accessible to all employees and stakeholders according to the classification used and the knowledge needs of the groups or individuals. Guidelines for structuring, managing and accessing this documentation are contained in the document "SGI Document Control and Management".

The Management of SIA assumes the following objectives as strategic commitments:

1. Implement a documented and measurable management system, ensuring the continuous improvement of processes, procedures, products and services, in order to provide services that meet the requirements of clients.
2. Assign the necessary functions and responsibilities for the correct functioning of the GIS, based on the corresponding procedures for its designation. Develop personnel management, training programs and awareness of personnel that guarantee the level of qualification, competence and implications in the GIS suitable to their duties.
3. Comply with the applicable legislation in effect, especially that which arises from the provision of services to citizens by the Public Administrations and the processing of personal data by the organization. In the document management system, on the intranet, the corresponding security document shall be kept up to date, which includes the files and processes affected, the corresponding persons responsible and the applicable security measures, which will be implemented and periodically reviewed in accordance with the nature, purpose and processing of personal data.
4. Analyze and manage the risks to which the Organization is exposed by means of internationally recognized methodologies.
5. Establish measures and their continuous evaluation, necessary for maintaining adequate levels of integrity, confidentiality, availability, traceability and authentication of the information itself and that of related suppliers and clients, as well as of the systems and personnel that process and maintain it.
6. Prevent incidents and plan an effective reaction together with a subsequent analysis in the event that they occur, as well as ensure the continuity of the critical operations of the Organization in case of such incidents.
7. Guide the activity of the Organization and its suppliers with regard to the Client by complying with the requirements, both explicit and implicit, of the agreed terms and conditions.
8. Reach the adequate levels of IT services offered by the Organization to its clients, and demand the same from its suppliers, so that they certify and guarantee quality, satisfaction and mutual cooperation.
9. Contribute to the prevention of contamination and establish the proper management of environmental waste, whether generated internally or through our suppliers.
10. Guarantee the continuity of operations in the event of disruptive incidents.
11. Provide digital signature services in accordance with ETSI standards and legal regulations applicable to TSPs.

The Policy shall be in force from the date of its approval by the Management of SIA, the previous version being annulled, and will be reviewed annually.