Security policy

Information Security Management System

Date created: 06/2010 | Reviewed by: C.S.I.P.
Changes: V 1.10 – 06/02/2026 – Alignment with the ENS framework

Synopsis

This document sets out the information security framework and principles of icaria Technology, including prevention, detection, response and recovery in the event of incidents, as well as the associated responsibilities.

Approval and effective date

Text approved on 06/02/2026 by CSIP.

This Information Security Policy is effective from that date until it is replaced by a new Policy.

This text supersedes the previous version, approved on 17/07/2025 by CSIP.

Purpose

icaria Technology helps organisations take full control of their data, transforming manual processes into automated and intelligent workflows. Our solutions ensure governance, security and instant accessibility, driving efficiency and reliability at scale.

Our flagship product, icaria TDM, is a Test Data Management (TDM) platform designed for mission-critical applications and OSS/BSS environments. It ensures data is secure, accurate and always available—exactly when needed and as often as required.

Leading organisations in banking, telecommunications and insurance already rely on icaria TDM to:

  • Increase test-team productivity by reducing data delivery times by 50%.
  • Expand automated test coverage by removing bottlenecks in CI/CD flows.
  • Enable testing of the most complex scenarios, detecting issues early and avoiding production problems.
  • Ensure GDPR compliance and minimise the risk of data breaches.

With compatibility across leading industry platforms—including Oracle, SAP, Jenkins, Salesforce, IBM and Hadoop—icaria TDM integrates seamlessly into diverse technology ecosystems, providing a reliable and future-ready solution for enterprise software development and testing.

Given our core business, the management of icaria Technology (netZima) is aware that information systems, applications, communications infrastructures, files and cabinets, databases, etc. constitute netZima’s primary asset. Damage to, or loss of, these assets affects operations and may jeopardise the continuity of the organisation.

For this reason, icaria Technology considers that ICT systems and assets must be protected against rapidly evolving threats with the potential to affect the confidentiality, integrity, availability, traceability and authenticity of information and services. To defend against these threats, a strategy is required that adapts to changing environmental conditions to ensure continuous service delivery. This implies that departments must apply the minimum security measures required by the National Security Framework (ENS), as well as continuously monitor service delivery levels, follow up and analyse reported vulnerabilities, and prepare an effective incident response to ensure continuity of the services provided.

Accordingly, icaria Technology considers that establishing an appropriate information security policy provides the basis for defining and delimiting objectives and responsibilities for the various technical and organisational actions required to ensure information security, in compliance with the applicable legal framework and with the directives, specific policies and defined procedures.

These actions are selected and implemented based on the risk analysis performed. As a result of this risk analysis, a set of controls is selected and implemented, always with the aim of achieving a balance between the level of risk that company management considers acceptable for its assets and the cost of the measures that can be implemented to mitigate that risk.

In addition, the risk analysis and management report identifies the risk evaluation criteria that have been taken into account, as well as the residual risk assumed by management.

The owners of information assets, together with the ISMS Manager and IT Manager, must define security requirements by identifying and prioritising the importance of the different elements of the activities performed, so that the most important and/or sensitive processes receive greater protection.

Departments must ensure that security is an integral part of every stage of the system life cycle, from conception through to decommissioning, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in planning, requests for proposals, and tender specifications for ICT projects.

It is the responsibility of the Information Security Committee to promote and support the implementation of the technical and organisational measures necessary to minimise the potential risks to which information is exposed in achieving the strategic objectives of the business.

The purpose of this policy is to achieve adequate protection of icaria Technology’s (netZima) information by taking appropriate measures to protect it against accidental or deliberate damage that may affect the principles of security:

  • Confidentiality: ensuring that information is accessible only to those authorised to have access to it.
  • Integrity: ensuring the accuracy and completeness of information and of the methods used to process it.
  • Availability: ensuring that authorised users have access to information and associated assets when required.
  • Traceability: ability to reconstruct and attribute relevant activities and events.
  • Authenticity: assurance of the identity of users, systems and services.

These basic principles must be preserved and ensured in whatever form information takes, whether electronic, manual, printed, visual or spoken, and regardless of whether it is processed on icaria Technology (netZima) premises or elsewhere.

Likewise, these principles must be considered in the following security areas:

  • Physical: covering the security of premises, facilities, hardware systems, media and any physical asset that processes or may process information.
  • Logical: including protection aspects for applications, networks and electronic communication channels and IT systems.
  • Corporate/policy: comprising security aspects relating to the organisation itself, internal rules, regulations and legal requirements.

Prevention

The various organisational areas of icaria Technology (netZima) must avoid, or at least prevent as far as possible, information or services being harmed by security incidents. To this end, area managers, together with the Security Officer, must implement the minimum security measures determined by the ENS, as well as any additional control identified through a threat and risk assessment. These controls, and the security roles and responsibilities of all personnel, must be clearly defined and documented.

To ensure compliance with the policy, departments must:

  • Authorise systems before they go into operation.
  • Regularly assess security, including assessments of routine configuration changes.
  • Request periodic third-party reviews in order to obtain an independent assessment.

Detection

Given that services can quickly degrade due to incidents—ranging from a simple slowdown to a complete stoppage—services must be continuously monitored to detect anomalies in service delivery levels and act accordingly.

Detection, analysis and reporting mechanisms shall be established so that responsible parties are informed regularly and whenever a significant deviation occurs from parameters previously established as normal.

Response

The various organisational areas of icaria Technology (netZima) must:

  • Establish mechanisms to respond effectively to security incidents.
  • Designate a point of contact for communications regarding incidents detected in other areas or other bodies.
  • Establish protocols for sharing incident-related information. This includes two-way communications with Computer Emergency Response Teams (CERTs).

Recovery

To ensure the availability of critical services, the organisational areas of icaria Technology (netZima) must develop system and service continuity plans as part of their overall business continuity plan and recovery activities.

Statement of intent

Senior management of icaria Technology (netZima), with Pedro Luis Primo as President and Enrique Almohalla as Managing Director, recognises that information is an asset of high value to the organisation and therefore requires adequate protection in order to guarantee continuity of the organisation’s activities and to achieve an optimal level of competitiveness in today’s market.

Accordingly, icaria Technology (netZima) has decided to implement an Information Security Management System based on the National Security Framework (ENS), with the aim of preserving the confidentiality, integrity, availability, traceability and authenticity of information and protecting it against a broad range of threats. This management system is intended to ensure continuity of business lines, minimise damage, maximise return on investment and business opportunities, and drive continuous improvement.

Senior management’s intention has been to define the most appropriate processes for icaria Technology (netZima) to undertake an improvement programme in the management of information security, with the conviction that this will result in greater effectiveness of production and management processes. Therefore, when detailing specific applications or solutions addressing the points contained in this document, this perspective will be applied, promoting wherever possible those solutions that bring security to icaria Technology’s (netZima) relevant information.

The ultimate intention of the system defined and developed is to offer the best service to our customers, improving our processes and scrupulously respecting their legally established rights.

For all these reasons, senior management of icaria Technology (netZima) expressly records its knowledge, commitment and approval of the policies developed in this document, so that all personnel must know them and assume them as part of their job responsibilities.

To make all this possible, the necessary resources will be allocated for the proper development of what is set out here, both at the start of the project and in its future maintenance.

Scope of the information security management system

Information Security Management System supporting the processes and services of design, development, evolution, commercialisation, implementation, parameterisation, integration and maintenance of enterprise management software applications developed with icaria Technology.

This information system is supported by:

  • Databases associated with users hosted by an external provider (Holded).
  • Informational website (icariatechnology.com).
  • Cloud servers as the basis for service management for development, testing and integration (Acens and Arsys).
  • Access management and control via a shared firewall in cloud systems and a firewall for managing access to the intranet.
  • Employees, interns, suppliers, partners, collaborators and other interested parties.
  • Databases associated with customers and prospects hosted by an external provider (HubSpot).
  • Technical infrastructure (servers, switches, routers, user devices, physical security equipment).

This policy applies to all icaria Technology (netZima) systems and services and to all members of the organisation. It is further developed through specific standards and procedures. In particular, an ISO/IEC 27001 Statement of Applicability and an ENS Statement of Applicability (version 1.2 dated 06/02/2026) are maintained, identifying applicable controls/measures, their status and evidence.

Security principles

icaria Technology (netZima) carries out its activity relying on the processing of different types of data and information. This support enables us to execute core business processes.

Systems, applications, communications infrastructures, files, databases, archives, etc. constitute netZima’s primary asset, such that damage to or loss of them affects operations and may endanger the continuity of the organisation. To prevent this, the management of icaria Technology (netZima) establishes the following points as baseline objectives, a starting point and support for the objectives and principles of information security:

Comprehensive security

Security shall be managed globally and coherently, integrating measures relating to people, processes, technology and information, and applying to all assets, services and systems within scope.

Risk-based management

Security decisions shall be based on risk analysis and treatment, defining acceptance criteria and prioritising the implementation of controls and safeguards according to impact and likelihood.

Defence in depth and lines of defence

Asset protection shall be implemented through a combination of organisational, physical and logical measures, incorporating preventive, detection and containment controls to reduce exposure to internal and external threats.

Prevention, detection, response and recovery

A full incident and contingency management cycle shall be maintained, including prevention and detection capabilities, response procedures, and recovery and service restoration mechanisms, minimising impact and avoiding recurrence.

Incident management and evidence recording

Mechanisms shall be in place to record and handle security incidents, including obtaining, preserving and protecting evidence to substantiate facts, facilitate analysis and, where appropriate, identify those responsible.

Periodic reassessment and continuous improvement

Security shall be reviewed continuously and periodically to adapt to organisational or technological changes, the emergence of vulnerabilities, incidents that occur and evolving context, driving improvement actions and strengthening controls where necessary.

Proportionality and effectiveness

Security measures shall be proportionate to the system category and the accepted level of risk. The organisation shall verify the effectiveness of controls through audits, reviews and tests, correcting deviations and weaknesses detected.

Differentiated function and segregation of duties

Clear security responsibilities shall be defined and maintained, ensuring segregation of duties and an appropriate organisational structure, including differentiated roles for Information, Service, System and Security, as applicable.

Information classification and protection

The organisation shall establish an information and data classification scheme, determining protection requirements according to the value and criticality of assets, and applying specific safeguards for relevant records.

Internal regulation: policies, standards and procedures

A set of rules, standards and procedures applicable to governing bodies, employees, collaborators, partners and suppliers shall be maintained, ensuring awareness and compliance. Consequences of non-compliance shall be specified in the employment and contractual context.

Legal and contractual compliance

The organisation shall observe applicable regulations on data protection, intellectual and industrial property, labour law, information society services, criminal law and any other legal and contractual obligations affecting the security of assets.

Awareness and training

Ongoing user training and awareness in information security and safe use of ICT shall be promoted as an essential measure to reduce risks and strengthen a security culture.

Service continuity and availability

Measures shall be adopted to reduce unavailability and ensure continuity of operations through continuity plans, recovery procedures and proper asset management, in order to guarantee an efficient service and maintain customer trust.

Control of traffic and information media

The exchange and transport of information and data across networks and media (electronic and physical) shall be controlled, minimising the risk of loss, leakage, alteration or unauthorised access.

Protection of intellectual capital

The organisation’s knowledge assets and sensitive information shall be protected to prevent unlawful disclosure or use.

Change control and security oversight

Processes shall be established for validating and analysing changes with security impact, and monitoring mechanisms to evaluate the effectiveness of implemented measures, including analysis of incidents, trends and effects.

Through the development and implementation of this Information Security Management System, icaria Technology (netZima) management makes the following commitments:

  • Develop products and services that comply with legislative requirements, identifying the legislation applicable to the business lines developed by the organisation and included within the ISMS scope.
  • Establish and meet contractual requirements with interested parties.
  • Define security training requirements and provide the necessary training by establishing training plans.
  • Prevent and detect malware and any other malicious software through specific policies and contractual agreements with specialised organisations.
  • Manage business continuity by developing continuity plans aligned with internationally recognised methodologies.
  • Establish consequences for security policy breaches, to be reflected in contracts signed with interested parties, suppliers and subcontractors.
  • Act at all times in accordance with the strictest professional ethics.

Regulatory framework

Within the organisation, the laws, current legislation and other applicable legal regulations are observed, respected and complied with in relation to:

  • Criminal law
  • Intellectual property
  • Industrial property
  • Data protection
  • Prevention of money laundering and terrorist financing
  • Administrative
  • Legal
  • Accounting and tax
  • Labour
  • Occupational Health and Safety (PRL)
  • LOPD
  • GDPR
Law/Regulation/Directive: Brief summary

  • Royal Decree 1784/1996, 19 July: Approval of the Regulations of the Commercial Register
  • Royal Legislative Decree 1/1996, 12 April: Approval of the consolidated text of the Intellectual Property Law, regularising, clarifying and harmonising the provisions in force
  • Organic Law 3/2018, 5 December: Protection of Personal Data and guarantee of digital rights
  • Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016: General Data Protection Regulation
  • Royal Decree 513/2017, 22 May: Regulation on Fire Protection Installations
  • Royal Decree 902/2022, 13 October: Equal pay for women and men
  • Royal Decree-Law 3/2021, 2 February: Measures to reduce the gender gap and other matters in Social Security and the economy
  • Law 34/2002, 11 July: Law on information society services and electronic commerce
  • Directive (EU) 2016/1148 of the European Parliament and of the Council, 6 July 2016: Measures to ensure a high common level of security of network and information systems in the Union
  • Law 12/2018, 7 September: Law on security of networks and information systems
  • Royal Decree 39/1997, 17 January: Regulation of Prevention Services
  • Law 54/2003, 12 December: Reform of the regulatory framework for occupational risk prevention
  • Royal Decree 773/1997, 30 May: Minimum health and safety requirements for the use of personal protective equipment by workers
  • Royal Decree-Law 28/2020, 22 September: Remote working
  • Law 2/2023, 20 February: Protection of persons reporting regulatory infringements and anti-corruption measures
  • Organic Law 3/2007, 22 March: Effective equality of women and men
  • Royal Decree 901/2020, 13 October: Regulation of equality plans and their registration
  • Royal Decree 311/2022: National Security Framework (ENS) currently in force and its minimum security requirements
  • CCN-STIC Guides (800 series, where applicable): Technical support guides for ENS implementation and verification of measures

System categorisation

The organisation determines the system category in accordance with the ENS criteria, based on the potential impact on information and services. The current category and its justification are documented in the risk analysis and in the ENS Statement of Applicability.

Current ENS category: MEDIUM.
Determination date / last review: 20/01/2026
Criterion: impact assessment by dimensions (confidentiality, integrity, availability, authenticity, traceability).

Security organisation

Security committee: functions and responsibilities

A collegiate body with management, supervision and approval functions in relation to information security, reporting directly to the Managing Director on the status of the ISMS.

  • Approves and reviews this Policy and the security regulations.
  • Validates the risk analysis, acceptance criteria and treatment plans.
  • Oversees compliance with ISO/IEC 27001 and ENS, including audits and compliance plans.
  • Reviews relevant incidents, lessons learned and corrective actions.
  • Approves continuity and recovery plans and oversees their periodic testing.
  • The CISO / Security Officer reports the security status to the Committee.

Roles within the Committee:
Committee Secretary: A Secretary is appointed (usually assumed by the Information Owner or whomever the committee designates), responsible for convening meetings, recording minutes of decisions and safeguarding the documentation generated in the management tool.

The Committee meets at least twice per year, and extraordinarily in the event of critical incidents.

The organisation chart for the CSIP is as follows:

Roles: functions and responsibilities

The roles of Information Owner, Service Owner, Security Officer and System Owner are formally designated by the Managing Director.

These appointments are made explicitly and recorded in Management Committee minutes or through a signed appointment letter, ensuring that the designated persons know and accept their functions and responsibilities. The up-to-date list of persons holding these positions is maintained and available in the current Security Organisation Chart (Register Minutes).

In compliance with the National Security Framework (ENS), the following key information security roles are defined, together with their functions and responsibilities:

Security Officer

The Information Security Officer is responsible for driving, coordinating and overseeing the measures necessary to ensure the protection of the organisation’s information systems and the data it handles.

Functions and responsibilities:

  • Leads the security strategy and ensures compliance with ISO 27001, ENS and applicable regulations.
  • Performs the risk analysis and maintains the Statement of Applicability.
  • Oversees the effectiveness of controls and promotes improvements.
  • Manages security incidents and related communications.
  • Promotes security training and awareness.
  • Validates relevant changes to ensure regulatory compliance.
  • Prepares and presents reports on the security status to the Committee/Management.
  • Manages the internal audit programme and the follow-up of corrective actions.

Relationship with the Security Committee:
The Security Officer acts as the technical and operational link between the various organisational areas and the Security Committee, presenting status reports, improvement proposals and follow-up on relevant incidents.

System Owners

The System Owner is responsible for ensuring the correct operation and security of the information systems under their administration.

Functions and responsibilities:

  • Operates and maintains the system applying the established security measures.
  • Manages day-to-day operations: maintenance, monitoring and updates.
  • Implements measures arising from the risk analysis.
  • Controls configuration according to least-privilege and hardening criteria.
  • Detects and reports technical incidents.
  • Contributes to system categorisation.
  • May suspend services in the event of serious security deficiencies.

Service Owner

Responsible for services provided (internally or to customers) and for defining service levels, continuity and service security requirements.

Functions and responsibilities:

  • Defines service security requirements.
  • Integrates security throughout the service life cycle (design → decommissioning).
  • Establishes operational controls (changes, continuity, monitoring, incidents).
  • Coordinates with the Security Officer to ensure ENS compliance.
  • Participates in audits and service reviews.
  • Accepts residual risks affecting service continuity and availability.

Information Owner

Responsible for determining information security requirements (classification, use, retention, access, disclosures), in coordination with the ISMS Security Officer and the Service Owner.

Functions and responsibilities:

  • Defines information security requirements.
  • Classifies information according to confidentiality, integrity, availability, authenticity and traceability.
  • Establishes protection needs throughout the information life cycle.
  • Determines access requirements and authorised roles.
  • Participates in system categorisation.
  • Verifies that established security requirements are met.
  • Accepts residual risks affecting the security of their information.

Appointment procedures

The Information Owner (RI), Service Owner (RSv), Security Officer (RS) and System Owner (RSI) roles are formally designated by Management/CSIP. The organisation maintains an up-to-date record of appointments, substitutions and delegations. These appointments shall be reviewed at least every 2 years or when there are significant changes in structure or scope.

Personal data

icaria Technology (netZima) processes personal data in accordance with Regulation (EU) 2016/679 (GDPR). The master document that captures relevant information includes:

  • An up-to-date catalogue of personal data files, databases and processing activities.
  • The designation of responsible persons (processor and/or controller).
  • Consent, legal bases, retention periods and authorised recipients.
  • Security measures.

Security measures

All icaria Technology (netZima) information systems shall comply with the principles of Article 32 GDPR:

  • Risks to individuals’ rights and freedoms shall be assessed (e.g. loss, destruction, unauthorised access to or alteration of data).
  • Appropriate technical and organisational measures shall be implemented in line with the level of risk, taking into account: state of the art and implementation costs; nature, scope, context and purposes of processing.

These measures may include (depending on context):

  • Pseudonymisation and encryption of data.
  • Safeguards for the confidentiality, integrity, availability, traceability and authenticity of systems.
  • Ability to restore promptly after technical or physical incidents.
  • Processes to test and regularly evaluate the effectiveness of such measures.

It shall be ensured that any person authorised to process data does so only under instructions and in compliance with the GDPR.

Record-keeping and accountability

All personal data processing activities are documented in the Record of Processing Activities, in accordance with Article 30 GDPR.

Clear responsibilities are assigned:

  • The Data Controller, with a duty to ensure GDPR compliance and to designate a Processor where applicable.
  • The Data Processor, who operates under documented instructions and ensures that its staff comply with security measures.

Specific policies (such as “privacy by design” and “privacy by default”) are applied in the development or acquisition of new systems.

Awareness and review

Regular and mandatory data protection training is provided to staff, with particular focus on technical staff and administrative roles.

An annual review of security measures is carried out, as well as after any serious incident or substantial change in processing activities.

Where any processing involves a high risk, a Data Protection Impact Assessment (DPIA) shall be carried out, in accordance with Article 35 GDPR.

Audits and policy review

This Policy provides the reference framework for the continuous improvement of the Information Security Management System and thereby enables the establishment and review of ISMS objectives. This policy is communicated to the entire organisation through the document management system installed in the organisation and its publication on information boards. It is reviewed annually for adequacy and exceptionally when special situations and/or substantial changes occur in the ISMS, such as:

  • Significant changes in netZima work processes
  • Improvement proposals arising from audits performed
  • Changes in the current legislation relating to what this standard establishes
  • Significant technological changes

Internal ISMS audits are conducted according to a planned schedule, and external audits are conducted in line with certification requirements. In addition, the system subject to ENS undergoes a conformity audit at the frequency required by the ENS (at least biennially) and/or as applicable due to significant changes.

Risk management

All systems subject to this Policy must carry out a risk analysis, assessing the threats and risks to which they are exposed. This analysis shall be repeated:

  • regularly, at least once a year
  • when the information handled changes
  • when the services provided change
  • when a serious security incident occurs
  • when serious vulnerabilities are reported

To harmonise risk analyses, the ICT Security and Privacy Committee (CSIP) shall establish a reference assessment for the different types of information handled and the different services provided. The ICT Security and Privacy Committee (CSIP) shall drive the availability of resources to meet the security needs of the different systems, promoting horizontal investments.

Development of the Information Security Policy

The security regulations shall be available to all members of the organisation who need to know them, in particular those who use, operate or administer information and communications systems.

The security regulations shall be available at:

  • URL: Security Policy
  • ISMS_noticeboard
  • Printed on the noticeboard located in the Administration area

Staff obligations

All members of icaria Technology (netZima) are obliged to know and comply with this Information Security Policy and the Security Regulations, and it is the responsibility of the ICT Security Committee to provide the necessary means to ensure that the information reaches those affected.

All members of icaria Technology (netZima) shall attend an ICT security awareness session at least once a year. A continuous awareness programme shall be established to reach all members of icaria Technology (netZima), particularly new joiners.

Persons with responsibility for the use, operation or administration of ICT systems shall receive training for the secure handling of systems to the extent they need it to perform their work. Training shall be mandatory before assuming responsibility, whether it is their first assignment or a change of role or responsibilities within the same role.

Third parties

When icaria Technology (netZima) provides services to other bodies or handles information belonging to other bodies, they shall be informed of this Information Security Policy; channels shall be established for reporting and coordination between the respective ICT Security Committees; and procedures shall be established for action in response to security incidents.

When icaria Technology (netZima) uses third-party services or discloses information to third parties, they shall be informed of this Security Policy and the Security Regulations applicable to such services or information. Such third parties shall be subject to the obligations set out in those regulations and may develop their own operational procedures to comply. Specific procedures for incident reporting and resolution shall be established. It shall be ensured that third-party personnel are adequately security-aware at least to the same level as established in this Policy.

Where any aspect of the Policy cannot be met by a third party as required in the preceding paragraphs, a report shall be required from the Security Officer specifying the risks incurred and how they are to be treated. Approval of this report shall be required from the Information Owners and Service Owners concerned before proceeding.
