Security policy
Information security objectives and planning for their implementation
The main objective is to guarantee customers and users of SW Hosting services access to information with the quality and level of service required for the agreed performance, as well as to prevent loss or alteration of information and unauthorized access to it.
Information security objectives will be established in the relevant functions, focused on improvement and taking into account:
1. Changes in stakeholder needs.
2. The results of the assessment and treatment of risks to ensure the confidentiality, integrity and availability of the information.
3. Opportunities for improvement encountered during the operation of the Information Security Management System (ISMS).
4. Compliance with laws, rules, regulations or provisions to which SW Hosting is subject, especially in terms of personal data protection.
When setting objectives, it should be taken into account that they must be measurable and achievable, hence the planning for their achievement should include:
1. What is going to be done.
2. The necessary resources.
3. Who will be responsible.
4. The deadline for its achievement.
5. Indicators to evaluate the results.
The General Management, together with the ISMS Manager, will be responsible for defining the information security objectives for SW Hosting. These must be specific and consistent with its Information Security Policy, mission, vision and values.
ISMS Objectives
SW Hosting's ISMS must guarantee:
1. That policies, regulations, procedures and operational guidelines are developed to support the Information Security Policy.
2. That the information that must be protected is identified.
3. That risk management is established and maintained in alignment with the requirements of the ISMS policy and SW Hosting's strategy.
4. That a methodology for risk assessment and treatment is established.
5. That criteria are established to measure the level of compliance with the ISMS.
6. That the level of compliance with the ISMS is reviewed.
7. That the personnel receive training and awareness on information security.
8. That all personnel are informed about the obligation to comply with the Information Security Policy.
9. That continuous improvement of the ISMS is carried out.
Risk management
Information Security Management in SW Hosting is based on risk, in accordance with the international standard ISO/IEC 27001.
It is articulated through a general process for assessing and treating the risks that can potentially affect the information security of the services provided, consisting of the following steps:
1. Identify the threats that will exploit vulnerabilities of the Information Systems that support information security, or on which it depends.
2. Analyze the risk, based on the consequence of the threat materializing and the probability of occurrence.
3. Evaluate the risk, according to a previously established and approved level of acceptable, tolerable and unacceptable risk.
4. Treat the unacceptable risk by means of appropriate controls or safeguards.
This process is cyclical and must be carried out periodically, at least once a year.
Leadership and management commitment
SW Hosting's Management is committed to facilitating and providing the necessary resources for the establishment, implementation, maintenance and improvement of the company's ISMS, as well as to demonstrating leadership and commitment, through the constitution of the Information Security Committee, whose responsibilities will be to:
1. Ensure the establishment of the present policy and objectives of information security, and that these are compatible with the company's strategy.
2. Ensure the integration and compliance with the applicable requirements of the ISMS in the company's processes.
3. Ensure that the necessary resources for the ISMS are available.
4. Communicate the importance of effective security management in compliance with the ISMS requirements.
5. Ensure that the ISMS achieves its intended results.
6. Lead and support people to contribute to the effectiveness of the ISMS.
7. Promote continual improvement.
Organization and responsibilities
1. SW Hosting's General Management is responsible for approving this policy.
2. The Information Security Committee is responsible for reviewing this policy.
3. The ISMS Security Manager is responsible for maintaining this policy.
Approval, review, dissemination and implementation of the policy
SW Hosting has developed this Information Security Policy, which has been approved by the General Management and made known to all company personnel and interested parties.
This Information Security Policy will be reviewed as part of the Management's reviews of the system, through the Information Security Committee, whenever significant changes occur and at least once a year.
The General Management will provide the necessary resources for the effective application of this policy and for its proper development, both in the implementation activities and in the subsequent maintenance and improvement of the entire ISMS.
Madrid, January 1, 2026
The Management