ISMS Policy



The purpose of this document is to define Gestimed’s Information Security Policy in line with the requirements established in the information security standard UNE-ISO/IEC 27001, thus ensuring the confidentiality, completeness and availability of Gestimed’s information systems and the effective and secure management of the services provided, while ensuring compliance with all applicable legal obligations.

This policy is aimed at:

• Ensuring the confidentiality, completeness and availability of the information.
• Complying with all applicable legal requirements.
• Defining a continuity plan that allows recovery from a disaster in the shortest possible time.
• Training and raising awareness among all employees in information security.
• Ensuring that all employees are informed of their duties and obligations in terms of security and are responsible for fulfilling them.
• Having a security officer in charge of the company's information security management system (ISMS).
• Continuously improving the ISMS and, therefore, the company's information security.
• Guaranteeing an uninterrupted service and the rapid resolution of incidents.
• Complying with the legal requirements that affect Gestimed’s activity, as well as with the standards, specifications and codes applicable to our products.
• Encouraging internal and external communication, in a way that ensures our clients’ needs and expectations are identified so that Gestimed can meet them.

This Policy is the framework of reference for information security within Gestimed. To ensure that the information security goals are met, Gestimed has developed a series of security regulations and procedures, including the technical, organisational and management measures that are necessary to guarantee compliance with the guidelines defined herein.

These regulations and procedures must be constantly updated and will be reviewed from time to time, at least once a year, to make sure they are in line with Gestimed's specific needs. This process will require the involvement of the members of the organisation from the start, to encourage a positive, critical and constructive attitude that permanently seeks improvement and quality in the processing of information.