Information Security Policy
Organizational and technological framework to ensure the Availability, Integrity, Confidentiality, Authenticity and Traceability of information and services.
Introduction
EASYDATAHOST SL, as a demonstration of its commitment to the security of its information systems, has developed this Information Security Policy, in compliance with Royal Decree 311/2022, of May 3, which regulates the Spanish National Security Scheme (ENS).
The Security Policy is an ethical, responsible statement of strict compliance across the entire Organization, deployed through the various Standards and Procedures that ensure risks are adequately addressed.
Objective and scope of application
This document establishes an organizational and technological framework within the Organization.
Security shall be understood as a comprehensive process comprising all technical, human, material and organizational elements related to information systems, excluding any isolated or circumstantial actions.
It must be known and complied with by all personnel of the Organization, regardless of their position, role and responsibility within it.
Reference legislation and standards
Regulatory framework governing the Organization's activities within the scope of this Security Policy.
Royal Decree 311/2022, of May 3, which regulates the Spanish National Security Scheme (ENS).
EU Regulation 2016/679 (GDPR), concerning the protection of natural persons with regard to the processing of personal data.
Organic Law 3/2018 (LOPDGDD), on the Protection of Personal Data and Guarantee of Digital Rights.
EU Regulation 910/2014 (eIDAS), on electronic identification and trust services for electronic transactions.
Resolution of March 27, 2018, Technical Security Instruction for the Security Audit of Information Systems.
Principles and guidelines
The fundamental principles for ensuring information security are prevention, detection, response and recovery.
Prevention
Avoid or prevent information or services from being harmed by security incidents, implementing the minimum ENS measures and additional controls identified through risk assessment.
- Authorize systems before they enter operation.
- Regularly evaluate security.
- Request periodic review by independent third parties.
Detection
Operations must be continuously monitored to detect anomalies in service delivery levels and act accordingly. Detection, analysis and reporting mechanisms shall be established so that their findings reach those responsible on a regular basis.
Response
- Mechanisms to effectively respond to security incidents.
- Designated point of contact for incident communications.
- Protocols for sharing incident-related information.
Recovery
To ensure the availability of critical services, ICT systems continuity plans and recovery activities are developed.
Other general principles
Information Security Organization
Organizational structure for information security management.
Security Committee
Multidisciplinary team that coordinates security activities and controls, ensures regulatory compliance and meets at least once a year.
Security Officer
Oversees policy compliance, coordinates with specialized bodies and establishes appropriate security measures in accordance with the ENS.
Information & Services Officer
Classifies information and determines security levels across each dimension in accordance with Annex I of the ENS.
Information System Officer
Development, operation and maintenance of the system throughout its entire lifecycle. Prepares technical procedures and continuity plans.
Data Protection Officer
Informs and advises on GDPR obligations, supervises compliance and acts as the point of contact with the Supervisory Authority.
Data Controller
EASYDATAHOST SL, as the data controller, ensures compliance with the principles relating to the processing of personal data.
Security Dimensions
Services and information systems are maintained according to these fundamental principles.
Confidentiality
Information can only be accessed by authorized persons.
Integrity
Information must not be altered by unauthorized persons.
Availability
Guaranteed access to information and resources when required.
Training and awareness
The Organization proposes and organizes training and awareness sessions so that all persons involved in the process and their line managers are sensitive to the risks they face.
Risk analysis and management
A risk analysis shall be carried out in accordance with the MAGERIT methodology:
- Regularly, at least once a year.
- When there are changes to services or infrastructure.
- When a serious security incident occurs.
- When severe threats or serious vulnerabilities are identified.
Regulatory structure
Documentation related to Information Security is classified into four levels:
All personnel, both internal and external, are obligated to know and comply with this Security Policy. Manifest non-compliance may result in disciplinary measures and corresponding legal responsibilities.
Effective date
The Security Policy is applicable from the day following its publication on the website. Document signed in Alcobendas, on September 20, 2025, by Manuel Rios Fernandez, CEO of EASYDATAHOST SL.
Need more information?
You may request further information by sending a message to info@easydatahost.com.