Information Security Policy
1. Information Security Policy Statement
The purpose of this policy is to provide the guidelines and directives to be followed to protect the Organization’s information from a wide range of threats, in order to:
- Ensure the security of operations carried out through Information Systems.
- Mitigate information security incidents.
- Manage information security risks.
- Ensure compliance with the Organization’s objectives.
ANDERSEN is committed to ensuring that the principles of the Information Security Policy form part of the Organization’s culture, and to this end has implemented an Information Security Management System based on an internationally recognized standard.
All ANDERSEN staff, relevant stakeholders, and management must be aware of and comply with this policy.
This Policy will be developed through regulations, procedures, operating instructions, guides, manuals, and all other organizational tools considered useful for achieving its objectives.
2. Information Security Policy
2.1. Scope
The scope of the Information Security Policy coincides with the scope of the Information Security Management System (ISMS). This document develops the requirements of ISO/IEC 27001:2022 in section 5.2, “Policy.”
This policy covers all information used for the development of activities by entities that are part of the Information Security Management System (ISMS).
2.2. Definitions and Acronyms
For the purposes of a correct interpretation of this Policy, the following definitions are included:
- Information: data that has meaning, in any format or medium. It refers to any communication or representation of knowledge.
- Information System: refers to a set of related and organized resources for the processing of information, according to certain procedures, both computerized and manual.
2.3. Objectives of the Information Security Policy
The main objective of this Information Security Policy, created by the Head of the Information Security Management System (ISMS), the Director of Cybersecurity and Risk, and the General Management of ANDERSEN, is to guarantee that customers and users of the services can access information with the quality and level of service required for the agreed performance, and to prevent serious loss or alteration of information and unauthorized access to it.
A framework is established for achieving the information security objectives for the Organization. These objectives will be achieved through a series of organizational measures and specific, clearly defined rules.
This Security Policy will be maintained, updated, and adapted to the purposes of the organization.
The principles that must be respected, based on the basic dimensions of security, are as follows:
- Confidentiality: the property whereby only those authorized to do so may access the information managed by ANDERSEN, after identification, at the appropriate time and by the appropriate means.
- Integrity: the property that guarantees the validity, accuracy, and completeness of the information managed by ANDERSEN, its content being that provided by the parties concerned without any manipulation and allowing it to be modified only by those authorized to do so.
- Availability: the property of being accessible and usable at agreed intervals. The information managed by ANDERSEN is accessible and usable by authorized and identified customers and users at all times, with its own persistence guaranteed in the event of any foreseeable eventuality.
Additionally, given that any Information Security Management System must comply with current legislation, the following principle will be observed:
- Legality: referring to compliance with the laws, rules, regulations, or provisions to which ANDERSEN is subject, especially in terms of personal data protection.
2.4. Planning
In order to comply with the security policy statement, a series of actions are contemplated, focused on the implementation, management, and maintenance of an ISMS, always in line with said policy. Within the planning stage, it is considered essential to carry out an analysis of the risks related to the organization’s security. Based on this study, a specific treatment plan is drawn up for those risks that the organization does not consider acceptable.
2.5. Implementation
The implementation of the ISMS is the primary responsibility of the Cybersecurity and Risk Director responsible for security, supported at all times by the other Area Directors and with the full support of the General Management.
Based on the results obtained during the planning stage, the necessary security controls are implemented, and the procedures defined in the ISMS are put into operation, all with the aim of complying with the requirements established by the ISO 27001 standards.
2.6. Review
The information security policy and the ISMS are reviewed regularly at planned intervals or if relevant changes occur, in order to ensure their continued suitability, efficiency, and effectiveness. In general, they are reviewed annually together with the ISMS internal audit processes.
2.7. Improvements
Possible improvements to the Information Security Policy and the ISMS are identified either during the review phases or on the basis of relevant contributions from ANDERSEN staff and external personnel.
These improvements are evaluated and, once their feasibility has been studied, they are implemented, operated, and maintained.
2.8. Resources allocated to the ISMS
ANDERSEN has identified and made available the resources necessary to ensure the establishment, implementation, maintenance, and continuous improvement of its Information Security Management System (ISMS). This allocation of resources reflects an organizational commitment to the effectiveness of the system and to the fulfillment of the organization’s strategic and operational objectives.
In terms of human resources, the management structure responsible for the ISMS is composed mainly of two key figures: the Chief Information Officer and the Director of Cybersecurity and Risk, who lead and supervise the processes related to the management of the system. These functions are complemented by the support of a specialized external consultancy, whose intervention provides an objective view, as well as additional technical knowledge that strengthens the implementation and evolution of the ISMS.
Together, these resources enable ANDERSEN to maintain effective management, ensure compliance with applicable requirements, and promote continuous improvement in all areas covered by the system.
3. Risk management
Information security management at ANDERSEN is risk-based, in accordance with the international standard ISO/IEC 27001:2022.
It is articulated through a general process of risk assessment and treatment, which can potentially affect the information security of the services provided, consisting of:
- Identifying threats that could exploit vulnerabilities in the information systems that support the information, or on which the security of the information depends.
- Analyzing risk based on the consequences of the threat materializing and the probability of its occurrence.
- Assessing the risk against previously established and approved risk levels, which classify each risk as acceptable, tolerable, or unacceptable.
- Treating unacceptable risk through appropriate controls or safeguards.
This process is cyclical and must be carried out periodically, at least once a year. An owner will be assigned to each identified risk; several risks may be owned by the same person or committee.
4. Information security objectives
In order to help minimize and control the Organization’s risks, a series of realistic and measurable objectives will be defined. These objectives must be measured at least every six months and reviewed annually to ensure they are aligned with ANDERSEN’s strategy.
Information security objectives are set taking into account the following inputs:
- Reports from the Director of Cybersecurity and Risk and the ISMS Manager, approved by ANDERSEN’s Managing Partner.
- Opportunities for improvement identified during the operation of the ISMS.
- Contributions from the Data Protection Officer (DPO), who supervises and advises on compliance with data protection regulations, as well as on the identification and mitigation of risks associated with the processing of personal data.
When setting objectives, it must be taken into account that they must be measurable and achievable, which is why the plan for achieving them must include:
- What is to be done
- The necessary resources
- Who will be responsible
- The deadline for achieving them
- How the results will be evaluated
- If applicable, the indicator associated with that objective
The Managing Partner, together with the Director of Cybersecurity and Risk, will be responsible for defining the information security objectives for ANDERSEN. These must be specific and consistent with its Information Security Policy, mission, vision, and values.
5. Organization and Responsibilities
The organization of information security is structured around an Information Security Management System (ISMS) and a series of committees and roles involved in its scope.
- The Managing Partner of ANDERSEN is responsible for approving this policy.
- The Information Risk Management Committee is responsible for reviewing this policy.
- The Director of Cybersecurity and Risk is responsible for maintaining this policy.
- The Data Protection Officer supervises and advises on compliance with the measures implemented.
6. Application of the Policy
ANDERSEN has developed this document containing the General Policy for Information Security, which has been approved by the Managing Partner and made known to all company personnel.
7. Training and Awareness
The most effective way to strengthen security is to provide ongoing training and integrate it into daily work tasks.
Training programs will include specific courses on information security, tailored to the relevant area and target audience, as deemed appropriate. In addition, security awareness campaigns will be carried out periodically, targeting all staff, using the channels deemed most appropriate.
The Director of Cybersecurity and Risk must ensure that all personnel involved in the ISMS are aware of this policy, its objectives, and processes through dissemination, training, and awareness-raising activities. In the case of data protection training, the requirements of the Data Protection Officer shall be taken into account. The Director must also ensure the distribution of the documents that apply to each level, in accordance with the different roles defined in the company.
8. Business continuity management
ANDERSEN will put in place the necessary plans for the implementation of the Business Impact Analysis (BIA) process and the Business Continuity Plan, as well as the activation of the latter when necessary. The Information Technology department shall generate a Business Continuity Plan, documenting and implementing processes and procedures to ensure the technological continuity required by the company.
All employees shall collaborate in the timely resumption of all services critical to ANDERSEN in the event of a serious contingency, thereby helping to restore most services in the shortest possible time.
9. Audit
ANDERSEN’s General Management must guarantee and verify, through internal and external audits, the degree of compliance with the guidelines of this Policy and that they are correctly implemented and operated. General Management is also responsible for ensuring that any corrective measures determined by these audits are carried out, in order to maintain continuous improvement.
10. Validity and Implementation
This policy is effective from the moment of its publication and is reviewed at least once a year.
The purpose of periodic reviews is to adapt it to changes in the context of the organization, paying attention to external and internal issues, analyzing information security incidents and non-conformities found in the ISMS. All of this is harmonized with the results of the different risk assessment processes.
When reviewing the Policy, all the Standards and other documents that develop it will also be reviewed, following a periodic update process subject to any relevant changes that may occur: company growth and organizational changes, changes in infrastructure, development of new services, among others.
As a result, a list of objectives and actions to be undertaken and executed during the following year will be drawn up to guarantee Information Security and the proper use of the resources that support and process it at ANDERSEN.
11. Penalties
Failure to comply with the Information Security Policy and the other regulations and procedures that develop it will result in the application of penalties, proportionate to the magnitude and characteristics of the non-compliance, in accordance with current labor legislation.
12. Validity
The Information Security Policy will come into force on the day of its publication.
13. Ratification
The signatories of the document attached to this page fully accept and agree to the content of this Policy and undertake to apply it in their respective areas to ensure the proper functioning of the Information Security Management System.