1. Introduction

The pfs Board of Directors considers information security to be a fundamental aspect of the company’s strategy, since adequate protection improves the overall performance of our business processes and the trust that customers place in our organisation, thus facilitating the growth of our activity and positively affecting our image and reputation.

The purpose of this policy is to establish the commitment of the  pfs Board of Directors to information security and the protection of its information assets, which are fundamental for the correct development of business processes and the achievement of our objectives.

This commitment is embodied in the implementation of an Information Security System (ISMS), based on the ISO/IEC 27001:2013 standard which, based on a risk management methodology that regularly analyses the degree of exposure of our information assets to threats that could have an adverse impact on our activity, guarantees business continuity, minimises the risks to which the company is exposed and, should a threat materialise, reduces its impact on the organisation.

The fulfilment of this policy, as well as of any procedure or documentation included within the ISMS, is mandatory and concerns all personnel of the organisation, as well as all external personnel included within the scope of the ISMS, who will be supervised by internal personnel for the fulfilment of this policy. The Board of Directors has established to include within the scope of the ISMS all its corporate assets as well as all its physical location.

This policy shall be reviewed and, where appropriate, updated regularly, at least once a year and whenever circumstances so require, such as organisational changes or modifications to current legislation, with the permanent objective of continuous improvement.

2. Objectives

The information security policy shall ensure the following objectives:

• To protect the correct development of the organisation’s business processes and to be aligned with the organisation’s objectives.
• To adequately safeguard the information provided by our clients.
• To guarantee the confidentiality, integrity and availability of the information relevant to the company.
• Minimise the company’s risk exposure.
• Comply with all applicable legal, regulatory and statutory requirements, especially those relating to the Information Society, Personal Data Protection and Electronic Signature; as well as the contractual requirements that the company acquires with its clients, especially those related to information security.
• Promote a corporate culture of information security.
• To analyse any incident related to information security that may occur, in order to apply the necessary corrective and/or preventive measures.

3. Commitment

In order to achieve all these objectives, the pfs Board of Directors is committed to:

• Facilitate and provide the means and people necessary for the establishment, implementation, maintenance and improvement of the ISMS.
• Understand and meet the needs of all interested parties.
• Monitor information security risks and take the necessary measures to keep them at acceptable levels.
• Establish the technical measures and controls necessary for the correct protection of its information assets.
• Develop and implement rules, procedures and work instructions for the safe performance of its personnel’s activities.
• Establish and monitor indicators and metrics to evaluate the level of security of the organisation, as well as ensure the performance of periodic audits and the analysis of their results in order to solve weaknesses and take advantage of opportunities for improvement.
• Create an organisational structure with defined roles and responsibilities under least privilege criteria to minimise operational risks.
• Communicate the policy to all stakeholders and train all staff appropriately in information security.
• Maintain continuous contact with national and international information security authorities and bodies.