Integrated Policy on Quality, Environment and Information Security
This is a courtesy translation of our Integrated Policy, originally issued in Spanish. In the event of any discrepancy between this translation and the Spanish original, the Spanish version prevails.
1. Introduction
Autoritas Consulting, S.A. is a company specialized in strategic consultancy and data-analytics-based content management. Our purpose is to provide professional, expert advice that helps our clients define and achieve their business objectives effectively and efficiently, with client satisfaction as our primary goal.
We have a multidisciplinary team committed to the continuous improvement of performance, both in our activities and in respect for the environment and the management of information security. We constantly assess, analyze and optimize our processes, seeking to increase the efficiency, quality and value of the services we provide.
Information is an essential asset for the development of the organization's activity and must be protected against internal and external threats, whether accidental or intentional. For this reason, we integrate the requirements of quality, environment and information security into a single Management System, in accordance with the standards UNE-EN ISO 9001:2015, UNE-EN ISO 14001:2015 and UNE-EN ISO/IEC 27001:2023, as well as with Spain's National Security Framework (ENS) at the medium level for services provided to public administrations and other clients that require it.
Autoritas' Management assumes its responsibility in matters of quality, environment and information security, leading the implementation, review and continuous improvement of the Integrated Management System.
2. Purpose and objectives of the Integrated Management System
The purpose of this Integrated Policy is to establish the principles, commitments and guidelines that govern Autoritas Consulting's Integrated Management System, ensuring that:
- The requirements of clients and other interested parties are met, increasing their trust and loyalty.
- The performance and efficiency of our processes are continuously improved.
- The environment is protected, pollution is prevented, and applicable legal and other environmental requirements are complied with.
- Information assets are protected against any risk that could compromise operations, reputation or legal compliance.
Autoritas Consulting explicitly commits to complying with all requirements applicable to its activity, including client requirements, legal and regulatory requirements, and other subscribed requirements related to service quality, the environmental management system and the information security management system.
This Integrated Policy constitutes the reference framework for establishing, reviewing and monitoring the objectives of the Integrated Management System.
3. Scope
This Policy integrates and supersedes the previous individual policies on quality, environment and information security, and applies to:
- All information systems, services and processes managed by Autoritas Consulting.
- All personnel (employees, collaborators, interns and third parties with access to information or acting on behalf of the company).
- All technological and documentary infrastructure, both in local environments and in the cloud.
It expressly includes:
- The provision of strategic consultancy services and data-analytics-based content management.
- The management of information and related systems (Drive, Laravel, Kanboard, AnythingLLM and other corporate tools).
- The protection of personal data, electronic records, digital communications with clients and public bodies, and other assets relevant to business continuity.
4. Principles and foundations of the Integrated Management System
Autoritas Consulting bases its Integrated Management System on the following principles and commitments:
4.1. Quality
- Client orientation and satisfaction of their needs and expectations.
- Project management based on rigorous planning, coordination and oversight of activities, deadlines and resources.
- The pursuit of excellence in every project, exceeding the requirements established.
- Promotion of continuous learning, innovation and creativity in digital solutions.
4.2. Environment
- Commitment to environmental protection and pollution prevention.
- Compliance with legal environmental requirements and other requirements subscribed to by the organization.
- Optimization of resources, minimization of impacts, and consideration of the life cycle of services wherever possible.
4.3. Information security and the ENS
- Risk management: continuous identification, analysis and treatment of risks, with a methodology aligned with ISO 27005 and the ENS.
- Proportionality: security measures are adjusted to the level of risk and the criticality of the assets.
- Security by design and by default in systems and processes, incorporating protective measures from their conception.
- Business continuity: existence of backup, contingency and incident recovery plans.
- Staff awareness and training in information security and the ENS.
- Compliance with the ENS, GDPR, LOPDGDD, LSSI and other applicable regulations on security and data protection.
- Continuous improvement of the Information Security Management System (ISMS) and of security controls.
5. Organization and responsibilities
To ensure the effectiveness of the Integrated Management System, the following responsibilities are established:
Management
- Approves this Integrated Policy and the annual objectives for quality, environment and information security.
- Ensures the availability of the necessary human, technological and financial resources.
- Oversees the results of audits, management reviews and key indicators.
- Defines the risk acceptance criteria and the required security levels.
Information Security Officer
- Coordinates compliance with ISO/IEC 27001 and the ENS within the Integrated Management System.
- Oversees the implementation and effectiveness of technical and organizational security controls.
- Promotes awareness and training in information security.
- Signs and maintains the Statement of Applicability, as well as the applicable ENS documentation.
System Manager
- Implements and maintains the technical measures necessary for the secure operation of the systems.
- Oversees the configuration, monitoring and maintenance of the infrastructure.
- Reports detected vulnerabilities and incidents to Management and to the Information Security Officer.
Information Owner
- Defines the information classification levels and access criteria.
- Assesses the impact of security incidents on information.
Security Committee / Integrated System Committee
- Composed, at minimum, of Management, the Information Security Officer, the System Manager, the DPO and, where applicable, the quality and environmental managers.
- Meets periodically (at least once a year and whenever significant changes occur) to review the status of the Integrated Management System, alignment with the ENS, and opportunities for improvement.
6. Requirements and lines of action of the Integrated Management System
Autoritas Consulting develops its Integrated Management System in accordance with the following lines of action:
- Process management: identification, sequence, interaction and control of key processes, with performance indicators and measurable objectives.
- Risk management: continuous assessment of threats, vulnerabilities and impacts on service quality, the environment and information security.
- Access management: control of authentication, authorization, segregation of duties and the principle of least privilege.
- Physical and logical protection: security of facilities, equipment and networks; encryption of data in transit and at rest where applicable.
- Incident management: detection, logging, analysis, response and lessons learned from security incidents and nonconformities.
- Supplier management: inclusion of quality, environmental and security requirements in contracts, with periodic reviews of their performance.
- Business continuity: backup, contingency and recovery plans tested regularly.
- Verification and audit: periodic verification of compliance with the Integrated Management System, including internal and external audits (ISO and ENS).
7. Regulatory compliance
This Policy is aligned, among others, with the following standards and requirements:
- UNE-EN ISO 9001:2015 — Quality management systems.
- UNE-EN ISO 14001:2015 — Environmental management systems.
- UNE-EN ISO/IEC 27001:2023 — Information security management systems.
- Royal Decree 311/2022, regulating Spain's National Security Framework (ENS).
- Regulation (EU) 2016/679 (GDPR).
- Organic Law 3/2018 (LOPDGDD).
- Law 34/2002 (LSSI), as well as other applicable legislation and contractual requirements.
8. Communication and training
Autoritas Consulting will communicate this Integrated Policy to all personnel and relevant third parties, ensuring that it is known, understood and applied.
The organization commits to:
- Carrying out periodic awareness and training activities in quality, environment, information security and the ENS.
- Encouraging people's participation in identifying risks, opportunities and improvement proposals.
9. Review and continuous improvement
This Policy will be reviewed at least once a year or whenever significant changes occur in the organization, the technological environment, or legal or strategic requirements.
As part of the management review, the following will be analyzed:
- Results of internal and external audits.
- Degree of achievement of quality, environmental and information security objectives.
- Results of the risk assessment and ENS compliance.
- Complaints and suggestions from clients and interested parties.
- Opportunities for improvement and resource needs.
The conclusions of the management review may lead to updates to this Integrated Policy and to the redefinition of the objectives of the Integrated Management System, ensuring its consistency with this reference framework.
10. Approval
This Integrated Policy on Quality, Environment and Information Security is mandatory for all personnel of Autoritas Consulting, S.A. and will be made available to relevant interested parties.
Valencia, December 22, 2025
On behalf of Management
