The Garrigues Group has taken the decision to manage the security of its information systems through an Information Security Management System (ISMS) built on international best practices, in line with ISO/IEC 27001 and the Spanish National Security System (Esquema Nacional de Seguridad, ENS).
With this in mind, the Information Security Policy has been prepared in compliance with the legal requirements envisaged in the following regulations:
- Royal Decree 311/2022, of May 3, 2022, regulating the National Security System.
- ISO/IEC 27001:2022.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Organic Law 3/2018, of December 5, 2018, on the protection of personal data and the guarantee of digital rights (LOPDGDD).
The objective of the Information Security Policy is twofold:
- Firstly, to define the reference framework that enables the Garrigues Group to safeguard the security dimensions (confidentiality, integrity, availability, traceability and authenticity) of the assets that support its processes. The framework is based on the results of the risk analysis performed, on the alignment of strategic business requirements with security requirements, and on legal and contractual requirements. Within that framework, this Information Security Policy establishes the fundamental security principles for the information systems, which are then developed in the regulations, procedures, technical instructions, records and other documents that specify how the information, the systems and the assets supporting them may be used.
- Secondly, the Garrigues Information Security Policy seeks to establish adequate organizational, physical and technical security measures to safeguard the security features of the above-mentioned assets, based on the premise that security must be conceived as an integral and cross-cutting process (that includes all technical, human, material and organizational elements related to information and communications systems) and should not be considered a management expense but rather an investment to prevent negative impacts on the business.
This policy is applicable to the information systems related to client processes performed by the Garrigues Group in the pursuit of its activities. Any internal regulations, procedures or documents that deal with a specific security aspect of the information systems must respect and comply with this policy.
The policy applies to all employees, partners and other members of the Garrigues Group companies integrated into Garrigues’ systems, as well as collaborators and third parties involved in the business activities and processes defined in the scope of the ISMS, which support the client-related processes of the Garrigues Group (the “users of the information” or, simply, the “users”).
The fundamental principles of the Information Security Policy are:
- Regulatory compliance principle: all information systems will be brought into line with the applicable legislation, regulations and industry rules on information security, particularly those relating to personal data protection, and the security of systems, data, communications and electronic services.
- Risk management principle: risks will be reduced to acceptable levels, striking a balance between the security controls applied and the nature of the information they protect. Security objectives will be established, periodically reviewed and kept consistent with the information security requirements identified.
- Awareness and training principle: information security training programs and awareness campaigns will be drawn up for all users with access to information.
- Principles of confidentiality, integrity, availability, traceability and authenticity:
- The confidentiality of the information must be guaranteed, such that it can only be accessed by authorized persons.
- The integrity of the information worked with must be guaranteed, so that it is complete and accurate and cannot be altered in an unauthorized manner, with an emphasis on the accuracy both of the content of the information and of the processes that handle it.
- The availability of the information must be guaranteed, ensuring the continuity of the business supported by the information services through contingency plans.
- The traceability of the information must be guaranteed, to ensure that the actions of an entity (person or process) can be unequivocally traced to that entity.
- The authenticity of the information must be guaranteed, to ensure the identity of the entity (person or process) processing such information.
- Proportionality principle: controls to mitigate asset security risks should be implemented, seeking a balance at all times between the security measures, the nature of the information and the risk.
- Responsibility principle: all members of the Garrigues Group are responsible for their conduct as regards information security and must comply with the rules and controls established.
- Continuous improvement principle: the degree of effectiveness of the security controls implemented at the firm will be reviewed on a continuous basis in order to increase the ability to adapt to the constantly changing nature of risks and of the technological environment.
This policy constitutes the reference framework for setting security objectives.
Garrigues has business continuity arrangements in place to guarantee the availability of its critical services and systems. Specifically, Garrigues has established the following:
- Business continuity plan.
- Business impact analysis.
- Disaster recovery plan.
Garrigues’ Business Continuity Plan is designed to keep the firm’s key support activities running, to reduce the damage and impact of unexpected service incidents, and to improve the firm’s ability to recover the business quickly.
In accordance with article 33 of Royal Decree 311/2022, of May 3, 2022, Garrigues will notify its clients of any incident that has a significant impact on the security of the information handled or of the services provided, in accordance with the categorization of those systems under the National Security System.
Any third party that accesses Garrigues information in the context of providing services must be aware of this Information Security Policy and of its associated regulations, and must undertake to duly comply with the obligations deriving from them; such third parties may define their own operating procedures to fulfill those obligations. Specific procedures will be established for the reporting and resolution of incidents. The personnel of such third parties must be sufficiently security-aware, at least to the level established in this Information Security Policy.
If you require any additional information on our information security policy or have any suggestions in this regard, you can send an email to the following address: [email protected]