Information Security Policy

i2S has been certified in accordance with the ISO/IEC 27001:2013 standard since January 2020.

This certification applies to the information security system implemented, to the design and development of IT solutions for the insurance business and to the implementation and technical assistance services provided to IT solutions built on those applications.


Information Security Policy

Protecting the handling, safeguarding and transmission of confidential information regarding clients, in a manner consistent with professional, ethical, legal, regulatory and contractual requirements, is one of i2S’ key priorities, and is recognised as fundamental to the organisation’s success. The loss or theft of confidential information may have serious consequences from a legal, financial and/or reputational point of view, and i2S is committed to safeguarding the confidentiality, integrity and availability of clients’ confidential information, be it physical, digital or intellectual.

Therefore, the principles of the information security policy are to ensure that:

  • the information is protected against unauthorised access;
  • the information’s confidentiality is guaranteed;
  • the information’s integrity is maintained;
  • all the applicable laws and regulations are observed;
  • the appropriate business continuity plans are maintained and tested on a regular basis; and
  • every information security breach, detected or suspected, is investigated by the areas that are competent to perform those actions.

Information Security Management System

i2S maintains an Information Security Management System (ISMS), which includes policies and procedures and has been designed to maintain, revise and continuously improve the security of information in i2S, on the basis of risk assessment. The aims of the ISMS are the following.

  • To include information security as an essential part of business planning and operations and of the product, ensuring compliance with the standard.
  • To continuously raise awareness of information security, ensuring that all employees know the information security policies and understand how information security is part of their functions and their responsibility regarding the protection of the confidentiality, integrity and availability of information.
  • To continuously analyse threats to information security, guaranteeing that these are identified and managed on the basis of risk assessment procedures and by applying appropriate controls.
  • To promote the appropriate protection of the organisation’s information systems and communications infrastructure against loss, misuse or undue access.
  • To promote the detection, registration, reporting and investigation of security incidents in an effective and efficient manner, to ensure that incidents of this type have minimum impact on the organisation.
  • To guarantee the implementation and testing of business continuity plans, so as to ensure the continuity of operations and to minimise the impact of a security incident or of an emergency situation.

Information Security Management System responsibilities

Under the ISMS, i2S’ highest body is the Executive committee, whose main responsibilities are as follows.

  • To ensure that the ISMS belongs to and is integrated with the organisation’s processes and its global management structure.
  • To approve the functions and responsibilities associated with information security.
  • To formally maintain a nominated CISO (Chief Information Security Officer) and Information Security Manager (ISM), who will be the main interlocutors with the remaining structures within the organisation as far as the activities on the management of the ISMS are concerned.

The people responsible for the different business and support areas must be aware of the need to have business and support processes that comply with the organisation’s information security policies, as well as of their obligation to implement, within their areas, the initiatives which may be necessary.

All employees, as well as third parties who may in any way have access to confidential information from i2S’ clients, are obliged to observe and to enforce all the organisation’s policies on information security, and shall promptly report to the CISO or the ISM any security incident, that is, any event which has led or may lead to an information security breach.