1. Approval and entry into force
The present Information Security Policy has been prepared and approved by the Security Committee of LENER ASESORAMIENTO EMPRESARIAL, hereinafter GRUPO LENER, and shall be effective and applicable from the date of its publication through the organisation’s intranet and the corresponding communication to users.
2. Introduction
GRUPO LENER has developed this Information Security Policy to define the principles and the necessary foundations for an adequate management of the information security handled by the organisation, as well as to comply with the requirements of the reference standard ISO 27001.
For the development of its activities, GRUPO LENER depends on ICT systems (Information and Communication Technologies) to achieve its objectives. These systems must be managed diligently, adopting appropriate measures to protect them against accidental or deliberate damage that may affect the availability, integrity or confidentiality of the information processed or of the services provided.
The purpose of information security is to ensure the quality of the information and the continuous provision of services, acting preventively, supervising daily activity and responding quickly to incidents.
ICT systems must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, intended use and value of the information and the services. To defend against these threats, a strategy is required that adapts to changes in the environment in order to guarantee the continuous provision of services. This implies that the departments must apply the minimum security measures required by the reference standard, as well as carry out continuous monitoring of the levels of service provision, follow up and analyse reported vulnerabilities and prepare an effective response to incidents to guarantee the continuity of the services provided.
The various departments must ensure that ICT security is an integral part of every stage of the system life cycle, from its conception to its withdrawal from service, including decisions on development or acquisition and operational activities. Security requirements and funding needs must be identified and included in the planning and development of the organisation’s different internal or external projects.
2.1 Company overview
GRUPO LENER is a Spanish firm founded in 1982 and focused on business advisory services. Our concern for providing legal and economic solutions to the industrial and business community has led us to evolve and expand our services across all fields of Business Law, forming a Group that aims to cover all the needs of the business world in insolvency matters, debt recovery and financial advisory services, as well as tax, labour and accounting advisory services, without losing the focus that has driven us from the beginning as experts in business restructuring.
GRUPO LENER currently comprises more than 300 lawyers and economists, offering an integrated legal-economic service at national and international level through its six offices in Madrid, Barcelona, Oviedo, Valladolid, Vigo and Seville, which guarantees close access and support to the interests of our clients.
We have first-hand knowledge of the economic sectors in which we operate. We know that the creation of opportunities for our clients arises from considering perspectives that are very difficult to achieve without the skills derived from extensive sectoral experience.
We have a high level of specialisation in different legal areas. This is a necessary, though not sufficient, condition for becoming part of our organisation.
We are organised into multidisciplinary teams, with the objective of offering the most enriching visions and solutions, with the greatest added value for our clients.
Our communication is agile and direct. Our structure is very flat. The involvement of partners and senior associates is the norm. This is highly valued by our clients.
As part of GRUPO LENER, we also have the company TAX MASTER GESTIÓN, a tax, labour and accounting advisory firm that helps companies comply with their recurring obligations in terms of filing and payment of taxes, personnel management and administration, bookkeeping and all matters related to the optimisation of these areas.
Its activity covers a wide range of areas: working for all sectors of activity, family businesses, foundations, individuals with large estates and institutions with different characteristics.
2.2 Organisation values
Knowledge
Top-level financial and legal knowledge of the economic sectors in which we operate, which translates into the creation of new opportunities for our clients.
Experience
Our activity has been carried out in all areas of corporate law for more than 35 years, operating throughout the national and international sphere.
Values
Commitment to results, honesty and firmness in the execution of alternatives, creativity in the generation of solutions, proactivity in the most delicate processes, and accompanying our clients in their objectives, walking the path together.
3. Scope
This Policy shall apply to the information systems of GRUPO LENER that support the services provided by the different organisations of the group.
In particular, GRUPO LENER has decided to certify the management of information security according to the ISO 27001 standard for the following scope:
ISO 27001:
“Information Security Management System that supports the services provided by the different companies that offer: legal advisory services in the business, financial, legal, tax and insolvency fields, and the provision of these same services to clients through Cloud services”.
4. Regulatory framework
For the development of this Security Policy and the associated management system, the information security regulatory framework applicable to the organisation and the main reference standards have been taken into consideration, these being mainly:
- UNE-EN ISO/IEC 27001:2023 Information security, cybersecurity and privacy protection. Information security management systems. Requirements.
- UNE-EN ISO/IEC 27002:2023 Information security, cybersecurity and privacy protection. Information security controls.
- Royal Decree 311/2022, of 3 May (Official State Gazette of 4 May), regulating the National Security Framework (ENS).
Additionally, all regulations or standards related to information security that may be applicable or relevant to the organisation are taken into consideration and are identified through the Legal Compliance Procedure and its associated record. Among these reference standards, the following may be considered, among others:
- ISO 27017:2021 Security controls for cloud services.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
The maintenance of the regulatory framework shall be the responsibility of GRUPO LENER and it shall be kept as an annex to the Legal Compliance Procedure.
5. Compliance with minimum security requirements
To comply with the requirements of the aforementioned security standards and regulations, GRUPO LENER has implemented various security processes and measures proportional to the nature of the information and the services to be protected.
5.1 Security as a comprehensive process and least privilege
Security is understood as a comprehensive process made up of all the technical, human, material, legal and organisational elements related to the system. The management of information security at GRUPO LENER shall be governed by this principle, which excludes any one-off action or temporary treatment.
Maximum attention shall be paid to raising awareness among the people involved in the process and their line managers, in order to prevent ignorance, lack of organisation and coordination or inadequate instructions from becoming sources of risk to security.
Information systems must be designed and configured according to the principle of least privilege, which implies incorporating the following aspects:
- The system shall provide only the essential functionality for the organisation to fulfil its responsibilities and contracts.
- The operation, administration and activity logging functions shall be the minimum necessary and it shall be ensured that they are only performed by authorised persons, from authorised locations or equipment.
- In a production system, unnecessary or inappropriate functions shall be removed or disabled through configuration control. Ordinary use of the system must be simple and secure, so that unsafe use requires a deliberate act by the user.
- Security configuration guides adapted to the organisation shall be applied in order to eliminate or disable unnecessary or inappropriate functions.
5.2 Continuous monitoring, periodic re-evaluation, system updating and continuous improvement of the security process
Continuous monitoring by GRUPO LENER shall allow the detection of anomalous activities or behaviours and an appropriate response.
Ongoing assessment of the state of the security of assets shall make it possible to measure their evolution, detect vulnerabilities and identify configuration deficiencies.
Security measures shall be periodically re-evaluated and updated, adapting their effectiveness to the evolution of risks and protection systems and, if necessary, entailing a rethinking of security.
The inclusion or modification of any physical or logical element in the updated asset catalogue of the system shall require prior formal authorisation.
Ongoing evaluation and monitoring shall make it possible to adapt the security status of systems in view of configuration deficiencies, identified vulnerabilities and updates, as well as the early detection of any incident that may occur.
The comprehensive security process implemented shall be updated and improved on a continuous basis. For this purpose, recognised national and international criteria and methods relating to information technology security management shall be applied.
5.3 Personnel management and professionalism
All personnel, whether their own or external, related to GRUPO LENER’s information systems within the scope of the Information Security Management System (ISMS), shall be trained and informed of their duties, obligations and responsibilities regarding security. Their performance shall be supervised in order to verify that the established procedures are being followed.
Acceptable use rules relating to corporate assets, e-mail, media, etc. shall be drawn up and approved by the Security Committee. Likewise, the training and experience requirements of staff for the performance of their job shall be determined.
The security of information systems shall be addressed, reviewed and audited by qualified staff, dedicated and trained in all phases of the system life cycle: planning, design, acquisition, construction, deployment, operation, maintenance, incident management and decommissioning.
Service providers shall be required, on objective and non-discriminatory terms, to employ qualified professionals and to maintain appropriate levels of management and maturity in the services they provide.
5.4 Risk-based security management, risk analysis and management
Risk analysis and management shall be an essential part of the security process and shall be a continuously updated activity.
Risk management shall allow the maintenance of a controlled environment, minimising risks to acceptable levels. Reduction to such levels shall be undertaken through an appropriate application of security measures, in a balanced manner and proportional to the nature of the information processed, the services to be provided and the risks to which they are exposed.
This management shall be carried out through the analysis and treatment of the risks to which the system is exposed, using a recognised methodology. The measures adopted to mitigate or remove risks must be justified and, in any case, there must be proportionality between them and the risks.
5.5 Security incidents, prevention, detection, reaction and recovery
GRUPO LENER has security incident management procedures in accordance with the requirements of the ISO 27001 standard and the requirements derived from the applicable regulations (for example, data protection regulations), as well as detection mechanisms, classification criteria, analysis and resolution procedures and the communication channels to the interested parties.
The security of the system shall include actions relating to prevention, detection and response, in order to minimise vulnerabilities and ensure that threats do not materialise or that, if they do, they do not seriously affect the information handled or the services provided.
Preventive measures may incorporate deterrent components or a reduction of the attack surface and must eliminate or reduce the possibility of threats materialising.
Detection measures shall be aimed at discovering the presence of a cyber incident.
Response measures shall be managed in a timely manner and shall be aimed at restoring the information and services that may have been affected by a security incident.
The information system shall ensure the preservation of data and information on electronic media.
Likewise, the system shall keep services available throughout the life cycle of digital information, through a conception and procedures that form the basis for preserving digital assets.
5.6 Existence of lines of defence and prevention in relation to other interconnected information systems
GRUPO LENER has implemented a protection strategy for the information system made up of multiple layers of security, consisting of organisational, physical and logical measures, so that when one layer has been compromised, it shall be possible to develop an appropriate response to incidents that could not be prevented, reducing the likelihood that the system will be compromised as a whole and minimising the final impact on it.
The perimeter of the information system shall be protected, especially when the organisation’s system is connected to public networks, reinforcing prevention, detection and response activities to security incidents.
In all cases, the risks arising from the interconnection of the system with other systems shall be analysed and their point of connection controlled.
5.7 Differentiation of responsibilities, organisation and implementation of the security process
GRUPO LENER has organised its security by committing the relevant members of the organisation through the designation of different security roles with clearly differentiated responsibilities, as set out in the “Security organisation” section of this document.
5.8 Authorisation and access control
GRUPO LENER has implemented access control mechanisms for the information system, limiting it to users, processes, devices and other information systems that are duly authorised, and exclusively to the permitted functions.
5.9 Protection of facilities
GRUPO LENER has implemented physical access control mechanisms to prevent unauthorised physical access and damage to information and resources, by means of security perimeters, physical controls and general protections in areas.
5.10 Acquisition of security products and contracting of security services
For the acquisition of security products or the contracting of security services, GRUPO LENER shall, whenever possible, take into account suppliers that hold recognised security certifications such as ISO 27001, ISO 27017, ISO 27018, ISO 22301 and similar.
5.11 Protection of information stored and in transit and business continuity
GRUPO LENER shall pay special attention to information stored or in transit through portable or mobile equipment or devices, peripheral devices, information media and communications over open networks, which must be specially analysed in order to achieve adequate protection.
Systems shall have backup copies and the necessary mechanisms shall be put in place to ensure operational continuity in the event of loss of the usual means.
5.12 Activity logging and detection of malicious code
In order to meet the applicable regulations, with full guarantees of the rights to honour, personal and family privacy and personal image of those affected, and in accordance with the regulations on personal data protection, GRUPO LENER shall log user activities. Only the information strictly necessary to monitor, analyse, investigate and document improper or unauthorised activities shall be retained, and the person acting shall be identifiable at all times.
In order to preserve the security of information systems, and in accordance with the General Data Protection Regulation and with the principles of purpose limitation, data minimisation and storage limitation, GRUPO LENER may, to the extent strictly necessary and proportionate and solely for information security purposes, analyse incoming or outgoing communications, in such a way as to prevent unauthorised access to networks and information systems, stop denial-of-service attacks, prevent the malicious distribution of harmful code and other damage to such networks and information systems.
In order to correct or, where appropriate, demand responsibilities, each user accessing the information system must be uniquely identified so that it is known at all times who receives access rights, of what type, and who has carried out a specific activity.
6. Security organisation
6.1 Information security roles and responsibilities
To ensure compliance with and adaptation to the measures required by Royal Decree 311/2022 of 3 May, regulating the National Security Framework, security roles or profiles have been created as part of the Security Committee and the positions or bodies that shall hold them have been designated as follows:
- Information and Services Owner: Head of central services.
- ENS Information Security Officer: IT Director.
- ENS System Owner: Head of Development.
The remaining roles and profiles related to information security, and the responsibilities of each of them, shall be defined through GRUPO LENER’s ISMS Management Manual.
Below are the functions and responsibilities of each of the defined roles, which shall be communicated to the appointed persons, who shall formally accept such responsibilities.
Functions of the Information and Services Owner
- Establishing and approving the security requirements applicable to the service and the information within the framework established in Annex I of Royal Decree 311/2022 of 3 May and GDPR, being able to request a proposal from the ENS Security Officer and taking into account the opinion of the ENS System Owner and the Data Protection Officer.
- Informing about the access rights to the Service and the Information.
- Accepting the residual risk levels that affect the Service and the Information.
- Informing the Security Officer and the Data Protection Officer of any change regarding the Information and Services for which they are responsible, especially the addition of new services or information.
- Ensuring the proper performance of their duties within the appropriate security framework, helping to disseminate the knowledge and security and data protection culture necessary for the correct processing of data and information.
- Collaborating in the definition and approval of personal data processing activities within their area of responsibility.
- Determining the security requirements of the information processed and the services provided.
- Receiving information about incidents and the actions taken to resolve them.
- Carrying out the assessments referred to in Article 40 of the ENS (security categories) and any subsequent modification.
- Determining the criteria for assigning and modifying the security level required for each type of information and being responsible for its documentation and formal approval.
Functions of the ENS Security Officer
- Maintaining and verifying the appropriate security level of the information handled and of the electronic services provided by the information systems.
- Determining the decisions necessary to meet the security requirements of the information and the services.
- Determining the applicable security measures, based on the assessments made by the Information and Services Owners.
- Supervising the implementation of the necessary measures to ensure that the requirements are met and reporting on these matters.
- Formalising and approving the selected measures in the Statement of Applicability, including compensatory or complementary monitoring measures and their correspondence with the measures in Annex II of the said Royal Decree.
- Verifying that the information security measures have been properly implemented by the System Owner.
- Determining the security category of the system, based on the assessments of the Information and Services Owners.
- Promoting training and awareness in information security within their area of responsibility.
- Promoting the performance of risk analyses.
- Appointing those responsible for carrying out the risk analysis, for drawing up the Statement of Applicability, identifying security measures, determining necessary configurations and preparing system documentation.
- Providing advice on determining the category of the system, in collaboration with the System Owner and/or the Information Security Committee.
- Participating in the development and implementation of security improvement plans and, where appropriate, business continuity plans, and validating them.
- Managing internal or external reviews of the system.
- Managing certification processes.
- Analysing first-, second- or third-party audit reports relating to systems within their area of responsibility and presenting their conclusions to the System Owner and, where appropriate, to the Information Security Committee.
- Submitting for the Security Committee’s approval changes and other system requirements.
- Explicitly approving changes that involve a HIGH level of risk prior to their implementation.
- Analysing risks prior to the deployment of artificial intelligence systems in the organisation, taking into account the evaluations of the Information and Services Owners and, where appropriate, the Data Protection Officer, and supervising their deployment.
- Participating in the drafting and proposal of the Information Security Policy and procedures, regulations and instructions in application of the ENS.
- Preparing and proposing for the organisation’s approval the security policies, regulations and procedures that will include appropriate and proportionate technical and organisational measures to manage the risks that arise for the security of the networks and information systems used and to prevent and minimise the effects of cyber incidents that affect the organisation and its services.
- Preparing and approving the Statement of Applicability, taking into account the requirements of the Information and Services Owners.
With regard to security incidents, in coordination with those responsible for the organisation, information and services:
- Acting as the specialised point of contact for coordination with the reference CSIRT, in particular CCN-CERT or INCIBE.
- Notifying the competent authority, through the reference CSIRT and without undue delay, of incidents that have a disruptive effect on the provision of services.
- Receiving, interpreting and applying the instructions and guidelines issued by the Competent Authority, both for ordinary operations and for correcting observed deficiencies.
- Collecting, preparing and providing information or documentation to the Competent Authority or the reference CSIRT, either upon request or on their own initiative.
- Informing and coordinating with the Data Protection Officer to verify possible data exfiltration and the occurrence of personal data breaches. Identifying the context, volume of affected data, level of sensitivity, number of affected persons, origin of such persons and everything necessary to analyse and identify the security incident that may have caused the destruction, loss or accidental or unlawful alteration of the personal data processed, or the unauthorised communication or access to them.
When the system processes personal data, the Security Officer shall record the data protection requirements established by the data controller or processor, with the advice of the DPO, and which must be implemented in the systems according to their nature, scope, context and purposes, as well as the risks to rights and freedoms in accordance with Articles 24 and 32 of the GDPR and with the result of the data protection impact assessment, if carried out.
Functions of the ENS System Owner
- Developing, operating and maintaining the information system throughout its life cycle, including its specifications, installation and verification of its correct operation.
- Developing the specific way of implementing security in the system and supervising the daily operation of the system, and being able to delegate to administrators or operators under their responsibility.
- Defining the topology and management of the information system, establishing usage criteria and services available within the system.
- Ensuring that security measures are properly integrated within the general security framework.
- Providing advice for determining the System Category, in collaboration with the Security Officer and/or the Information Security Committee.
- Participating in the development and implementation of security improvement plans and, where appropriate, continuity plans.
- Proposing the suspension of the processing of certain data or the provision of certain services if serious security deficiencies are observed that could affect compliance with established requirements. The final decision, which shall be taken by the organisation’s management, must be agreed with the Information and Services Owners and the Security Officer.
- In security incident management (cyber incidents), and in agreement with the Security Officer, provisionally and urgently suspending data processing and service provision as a containment measure. This suspension must be communicated to the Information and Services Owners and, in the event of an impact on personal data, to the Data Protection Officer and, if it affects administrative processing, to the organisation’s legal services.
- Adopting appropriate corrective measures derived from first-, second- or third-party audit reports.
- In the case of systems with a HIGH category, and in view of the audit opinion and possible seriousness of deficiencies, temporarily suspending the processing of information, service provision or overall system operation until problems have been suitably corrected or mitigated.
- Adopting corrective measures derived from audits, in accordance with the conclusions submitted by the Security Officer.
Carrying out security administration functions, which include:
- The implementation, management and maintenance of the security measures applicable to the information system.
- The management, configuration and updating, where appropriate, of the hardware and software on which the security mechanisms and services of the information system are based.
- The application of the Operational Security Procedures (POS, from the Spanish acronym).
- Informing the Security Officer or the System Owner of any anomalies, compromises or vulnerabilities related to security.
- Cooperating in the investigation and resolution of security incidents, from detection to resolution.
- The management of the authorisations granted to users of the system, in particular the privileges granted, including the monitoring of system activity and its correspondence with what has been authorised.
- Verifying that the established security controls are properly observed.
- Verifying that the approved procedures for operating the information system are applied.
- Verifying hardware and software installations, modifications and improvements to ensure that security is not compromised and that they comply with the relevant authorisations at all times.
- Monitoring the security status of the system reported by event management tools and technical auditing mechanisms implemented in the system.
6.2 Security Committee
To ensure compliance with the requirements of the ISO 27001 standard and the National Security Framework, and to establish an information security organisation adapted to the organisation’s needs and particularities, a Security Committee has been set up, composed of different managers and members of the company, and which has the following responsibilities in terms of information security:
- Regularly informing Management of the state of information security.
- Promoting the continuous improvement of the Information Security Management System.
- Developing the organisation’s evolution strategy with regard to information security.
- Coordinating the efforts of the different areas in terms of information security, to ensure that efforts are consistent and aligned with the established strategy, avoiding duplications.
- Preparing (and regularly reviewing) the Information Security Policy for approval by Management.
- Preparing and submitting the Information Security Regulations for approval.
- Preparing and approving training and qualification requirements for administrators, operators and users from an information security perspective.
- Preparing training programmes to train and raise awareness among staff in Information Security and, in particular, in the protection of personal data.
- Monitoring the main residual risks assumed by the organisation and recommending possible actions.
- Monitoring the performance of security incident management processes and recommending possible actions in relation to them. In particular, ensuring coordination among the different security areas in the management of such incidents.
- Promoting periodic audits to verify compliance with the organisation’s obligations in terms of security.
- Preparing plans to improve the organisation’s information security. In particular, ensuring coordination between different plans that may be carried out in different areas.
- Prioritising security actions when resources are limited.
- Ensuring that information security is taken into account in all ICT projects from their initial specification to their deployment. In particular, ensuring the creation and use of shared services that reduce duplications and support homogeneous operation of all ICT systems.
- Verifying the development of information security procedures and other documentation for approval.
- Resolving conflicts of responsibility that may arise between the different information security roles and/or between different organisational areas, escalating those cases where sufficient authority to decide is lacking.
- Responding to requests from Management and the different areas in terms of Information Security, and regularly reporting on the state of Information Security.
- Providing advice on Information Security.
6.3 Composition of the Information Security Committee
The Security Committee shall be made up of the roles mentioned above, related to compliance with the National Security Framework, as well as the organisation’s Data Protection Officer, the Legal Compliance Officer and the management representatives and area managers deemed necessary depending on the issues to be addressed.
Furthermore, since the Information Security Committee is not a technical committee, it shall regularly gather relevant information from internal or external technical personnel for decision-making or advisory purposes. This advice shall be determined in each case and may take different forms:
- Specialised working groups, internal, external or mixed.
- External advisory services.
- Attendance at courses or other training events or experience-sharing activities.
The Information Security Committee shall hold its meetings on GRUPO LENER premises on a quarterly basis, with the corresponding minutes being produced for each meeting reflecting the decisions taken.
The Information Security Committee shall also be responsible for resolving conflicts and/or differences of opinion that may arise between the security roles.
7. Personal data
In general, GRUPO LENER shall only collect personal data when it is adequate, relevant and not excessive and is related to the scope and purposes for which it was obtained. Likewise, it shall adopt the technical and organisational measures necessary to comply with the applicable data protection regulations in each case.
In view of the entry into application on 25 May 2018 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), together with its incorporation into Spanish law through Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights, appropriate measures have been adopted. These include the analysis of the legal basis of each data processing activity, risk analysis, an impact assessment where the risk is high, the record of processing activities and the appointment of whoever is to perform the functions of Data Protection Officer.
The organisation has defined the necessary procedures, policies and security measures to ensure effective compliance with the regulations.
8. Development of the Information Security Policy
Compliance with the objectives established in this Security Policy is achieved through the development of the documentation that makes up the security standards and procedures associated with compliance with ISO 27001 and the rest of the applicable regulations. To organise this documentation, a document management procedure has been defined that sets out guidelines for its organisation, management and access.
The annual review and approval of this Policy is the responsibility of the Security Committee, which shall propose any improvements it deems appropriate.
9. Obligations of personnel
All members of GRUPO LENER who fall within the scope of the National Security Framework shall be subject to this Security Policy and must take it into account when carrying out their work activities. In this sense, all personnel shall receive appropriate awareness-raising in information security, through talks, training activities, communications, defined good practices, etc. A continuous awareness programme shall be established to reach all members of GRUPO LENER, particularly new hires.
Those responsible for the use, operation or administration of ICT systems in the ICT Department shall receive training for the secure operation of the systems to the extent necessary to perform their work. Training shall be mandatory before assuming any responsibility, whether it is their first assignment or a change of job or responsibility.
10. Third parties
When GRUPO LENER provides services to other entities or handles information from such entities, those entities shall be made aware of this Security Policy.
GRUPO LENER shall define and approve the channels for coordinating information and the procedures for action in response to security incidents, as well as the other actions carried out by the organisation in relation to information security in connection with other entities.
When GRUPO LENER uses third-party services or discloses information to third parties, those third parties shall be informed of this Security Policy and of the existing security regulations applicable to such services or information. Such third parties shall be subject to the obligations established in those regulations and may develop their own operational procedures to fulfil them. Specific procedures for communication and incident resolution shall be established.
It shall be ensured that third-party personnel are adequately aware of information security, to at least the same level as that established in this Security Policy.
When some aspect of this Security Policy cannot be met by a third party as required in the foregoing paragraphs, a report shall be requested from the ISMS Manager specifying the risks entailed and how they are to be dealt with.
11. Changes and version control
| Edition | Date | Prepared by | Approved by | Changes compared to previous edition |
|---|---|---|---|---|
| 1.0 | 27/09/2022 | Jorge Domingos | Security Committee | Initial edition |
| 2.0 | 10/04/2025 | Jorge Domingos | Security Committee | Minor formatting changes. Labelling. Minor corrections. Replacement of LENER ASESORAMIENTO EMPRESARIAL with GRUPO LENER. |
| 3.0 | 17/11/2025 | Jorge Domingos | Security Committee | Security Policy updated to ensure compliance with ENS requirements and the definition of responsibilities derived therefrom. |