Policy of Security of Information and Operating System

The Management of AMADEO MARTÍ CARBONELL, S.A. (AMC), which operates in the automotive sector, is committed to preserving the confidentiality, integrity and availability of all the information it processes and stores, as well as the information assets that support business processes.

AMC maintains an Information Security Management System (ISMS) whose scope includes the processes defined in the document “D01 Scope of the ISMS” and framed within the context of the organization, its activity and the relevant parties for the ISMS. The ISMS that AMC has implemented meets the requirements established in the international standard ISO/IEC 27001:2022.

Information and information security requirements must be maintained and always remain aligned with organizational objectives and must comply with applicable laws and regulations as well as contractual obligations. The ISMS is the appropriate mechanism to reduce information-related risks to acceptable levels. Both this policy and the ISMS as a whole are monitored and reviewed periodically with the aim of guaranteeing their continuous improvement.

Management establishes that all personnel within the scope of the ISMS must comply with this security policy and must know the defined documented information security procedures or must know how to quickly locate them if necessary.

AMC’s information security objectives focus on guaranteeing the availability of the information systems in its data processing center, as well as the integrity and confidentiality of the data that is processed and stored.

All AMC personnel within the scope of this ISMS are trained in information security and good practices. Those responsible for the system have specialized training regarding information security with the objective of providing AMC clients with excellent service as well as maintaining outstanding internal security standards.

All AMC personnel must be aware of and agree to comply with the organization’s good information security practices.

Finally, AMC Management assumes the main leadership in supervising the ISMS, as it is a strategic element in achieving its business objectives; and understands the implementation of the Information Security Management System as a commitment to the security of the organization’s processes.

The General Scope of the information systems associated with the business processes that are subject to certification of the UNE ISO/IEC 27001 standard is the following: Information Security Management System to guarantee the traceability, integrity, availability and confidentiality of the systems that support the business, and in particular the engineering area in the design, development and manufacturing of both prototypes and series of parts, according to the current Applicability Statement.

The Management of the organization is committed to facilitating and providing the necessary resources for the establishment, implementation, maintenance and improvement of the Information Security Management System, as well as to demonstrate leadership and commitment regarding it, through the constitution of the Security Committee, its functions and responsibilities. It is the mission of this Directorate:

• Maintain full legal compliance;
• Promote training and awareness plans;
• Maintain optimal reputational levels;
• Efficiently and effectively manage security incidents;
• Develop an adequate communicative and transparent policy;
• In general, preserve the confidentiality, integrity and availability of the information.

This commitment extends to the interested parties described in the context of the ISMS, to satisfy their interests and expectations in information security.

At a strategic level, information security will have the commitment and support of all management levels of the organization, so that it can be coordinated and integrated with the rest of the strategic initiatives and their execution requirements, to form a framework of completely coherent and effective work.
The organization is subject, by way of example and not limitation, to the following rules and regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, relating to the protection of natural persons with regard to the processing of personal data and the free circulation of these data and by which Directive 95/46/EC (General Data Protection Regulation) is repealed.
• Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
• Law 34/2002, of July 11, on information society services and electronic commerce.
• Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.

The organization, to achieve compliance with its main body (ISO 27001) and its annex A (ISO 27002), which include the basic principles and minimum requirements, has implemented various security measures proportional to the nature of the information and the services to be protected and taking into account their risk analysis and their statement of applicability.

All members of the organization have the obligation to know and comply with this Information Security Policy and the Security Regulations, and it is the responsibility of the Security Committee to provide the necessary means for the information to reach those affected.

All members of the organization will attend an ICT security awareness session at least once a year. A continuous awareness program will be established to serve all members of the organization, particularly those who are new to the organization.

Persons with responsibility for the use, operation or administration of ICT systems will receive training in the safe handling of the systems to the extent they need it to carry out their work. Training will be mandatory before assuming a responsibility, whether it is your first assignment or whether it is a change of job or responsibilities therein.