INGECID, in its commitment to continuous improvement of the Integrated Management System, has obtained the UNE-EN-ISO/IEC 27001:2017 certificate for “Information Security Management Systems”, which joins those previously held: ISO 9001, ISO 14001, UNE 166002 and UNE 73401.
This international certification recognises the effective management of assets and the controls in place for their protection, as outlined in our statement of applicability. The international standard ISO/IEC 27001:2013 specifies requirements for the establishment, implementation, maintenance and continual improvement of an information security management system. This standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.
During the process of obtaining this accreditation, the following actions have been carried out:
- Prior diagnosis of the management system previously in place at INGECID.
- Identification of legislative and regulatory requirements.
- Preparation of the inventory of assets.
- Preparation of the detection of information security risks and the action plan.
- Preparation of the applicability statement, establishing the controls indicated in the UNE-EN ISO/IEC 27002:2017 without exclusions.
For this integration of the Information Security Management process, new procedures and instructions have been developed:
- Development of the Information Security procedure, which details the system used to inventory and catalogue assets, manage risks and establish the appropriate controls.
- Instruction relating to the Internal Information Security Policy.
- Business Continuity Plan
- Constitution of the Information Security Committee
In addition, it was necessary to review and improve existing procedures, notably:
- Communication procedure.
- Infrastructure procedure.
- Non-conformity procedure to incorporate the detection and treatment of information security incidents.
- Documentation control procedure.
- Procurement procedure with regard to information security and data protection.
- Audit procedure, including the performance of the annually scheduled internal audit.
The correct implementation of improvements by INGECID in all the company’s departments is completed with various awareness-raising and training actions for all staff.
Finally, Bureau Veritas, an entity accredited by ENAC, has carried out the external certification audits, distributed in two phases, granting the Management System certificate in accordance with the requirements of the UNE-EN ISO/IEC 27001:2017 standard, valid until 2025.
This achievement reaffirms the importance that INGECID gives to information security in its internal processes and services offered, as well as to the requirements of legislation and of our clients in the most demanding and competitive sectors: design, training and software development in the fields of civil and engineering engineering.