Information security policy

The Management of Exceltic identifies and protects its information assets and those of its Customers, ensuring internal business continuity and continuity in the services provided to our customers.

Our strategy is based on prevention: minimising the risk of damage by preventing security incidents, as well as reducing their potential impact when they are unavoidable, whether they occur deliberately or accidentally.


Information must always be protected, regardless of how it is shared, communicated or stored. The following must be preserved and secured:

  • Its confidentiality, ensuring that only those who are authorised can access the information, avoiding destruction, disclosure, modification and unauthorised use, especially that related to the personal data of employees, customers and suppliers.
  • Its completeness, ensuring that the information and its processing methods are accurate and complete, based on its classification by use (internal/external).
  • Its availability, ensuring that authorised users have access to the information and its associated assets when they require it and can meet the relevant timescales of the development of critical business processes and the agreed deadlines of the services provided.
  • Its compliance with the laws and regulations in force, especially the data protection law.

Security Principles:

  • Information Security objectives shall be set annually.
  • The organisation will use a risk management methodology to regularly analyse, assess, treat and monitor the exposure of our significant assets to threats that may exploit vulnerabilities and introduce adverse impacts on our internal activities and the performance of services to our customers.
  • Corresponding controls will be established in accordance with the needs arising from the risk analysis process.
  • Means shall be put in place to ensure business continuity and continuity plans shall be maintained, tested and updated at least annually.
  • All staff shall be informed and held accountable for information security as relevant to the performance of their work. Security training shall be sufficiently complied with and updated for all employees.
  • Business, legal or regulatory requirements and contractual safety obligations shall be complied with.
  • The entire Management System, including this policy, shall be regularly reviewed at planned intervals or if significant changes occur, to ensure its continuing suitability, effectiveness and efficiency.
  • The company is committed to continuous improvement of information security management, identifying and establishing opportunities for improvement, as well as corrective actions to mitigate the deficiencies found.


  • The management team is responsible for ensuring that information security is properly managed throughout the organisation.
  • Each manager is responsible for ensuring that the people under his or her control protect information in accordance with the standards set by the organisation.
  • The security officer advises the management team, provides expert support to the organisation's staff and ensures that information security status reports are available. He/she also protects communication systems and the internal network, equipping security systems with the necessary elements to protect information.
  • Each staff member has the responsibility to maintain the security of information within their work-related activities and not to disclose or directly use information to which they have access in the course of their employment with EXCELTIC.
  • Ensure that all employees or contracted third parties understand their responsibilities and properly perform their roles in ensuring Exceltic's Information Security.
  • Any non-compliance with laws, legal, regulatory or contractual obligations and safety requirements shall be avoided.
  • Compliance with this policy and any procedure or documentation included in the IMS is mandatory and concerns all staff of the organisation. Visitors and external personnel accessing our facilities are not exempt from compliance with the obligations indicated, and internal personnel will observe compliance.

In Madrid, 16 December 2019

Mr. José Antonio Suárez and Mr. Eduardo Requejo

Directorate-General for EXCELTIC

EXCELTIC S.L. holds the Information Security Management System certificate under the UNE-EN ISO 27001:2013 Standard for the activity of: Technical Assistance Engineering Services and Development of Technology Projects

Last updated: 10 December 2021