ISQe Privacy and Information Security Policy

The ISQe Privacy and Information Security Policy defines the general principles that guide the protection and management of the assets under ISQe's responsibility, within its Privacy and Information Security Management, ensuring a systematic and effective approach to the confidentiality, integrity, availability and quality of the data and systems under its management. In establishing the Privacy and Information Security Management System (referred to below as the Integrated System, or IS), ISQe Management assumes the commitments defined in this policy as part of its Integrated Management System, aligned with the following standards and requirements:


• ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection: Information security management systems (Requirements).
• ISO/IEC 27701:2019 – Privacy Information Management System (PIMS) extension to ISO/IEC 27001 and ISO/IEC 27002.
• Applicable laws and regulations on information security, cybersecurity and data protection.


The loss or theft of information or personal data may have serious legal, financial and/or reputational consequences. ISQe is therefore committed to safeguarding the privacy, confidentiality, integrity and availability of its own information and that of its business partners. This information is an essential asset for ISQe and takes various forms, such as physical documents, electronic records or communications transmitted by digital means. Regardless of medium, use or format, information must be adequately protected according to its relevance and value.

This commitment includes integrating privacy and information security requirements into organizational processes and ensuring that the resources necessary for their implementation are made available. ISQe Management also recognizes its responsibility to stakeholders and commits to ensuring that:

• There is adequate management in the field of Information Security, Cybersecurity and Privacy Protection;
• The information is protected against unauthorized access;
• The information is only accessible by people and processes duly authorized for this purpose;
• The integrity of information is maintained through the accuracy of the information and of its processing methods;
• All applicable laws and regulations are respected;
• Information security continuity is ensured as part of business continuity, with plans maintained and regularly tested;
• All detected or suspected information security breaches are investigated by the competent areas;
• All business partners are informed, at all times, of the rules and principles governing the protection and processing of personal data (transparency);
• Personal data is processed lawfully and fairly (lawfulness and fairness);
• Personal data is collected and processed for specific, explicit and legitimate purposes (purpose limitation) and stored only for the necessary period (retention limitation);
• Personal data is adequate, relevant and limited to what is necessary, considering the purposes for which it is processed (data minimization);
• Personal data is accurate and, where necessary, rectified and updated (accuracy).


To fulfil this commitment, ISQe maintains an Integrated Privacy and Information Security Management System (also referred to as the Integrated System, or IS), consisting of this policy and other related documented information. The system is designed to maintain, review and continuously improve the privacy and security of information, based on the assessment and treatment of existing risks and in accordance with the Continuous Improvement Cycle set out in the ISQe Governance Model.


1.1. Objectives of the Integrated System
The main objectives of the IS are:

1. Provide information security in accordance with relevant business requirements, laws and regulations;
2. Manage the organization's assets while maintaining appropriate protection responsibilities;
3. Ensure access for authorized users and prevent unauthorized access to systems and services;
4. Prevent unauthorized physical access, damage and interference to the organization's information and information processing resources;
5. Prevent the exploitation of technical vulnerabilities;
6. Ensure that information security is designed and implemented throughout the development lifecycle of information systems;
7. Ensure a consistent and effective approach to information security incident management, including the reporting of security events and vulnerabilities;
8. Ensure information security continuity within the organization's business continuity management;
9. Contribute to a culture of information security, in a logic of continuous improvement;
10. Ensure that personal data is processed in a lawful, fair and transparent manner;
11. Ensure that personal data is accurate and updated whenever necessary;
12. Ensure that the retention period of personal data is the minimum compatible with legal or business requirements;
13. Ensure that personal data is processed in a manner that maintains its integrity and confidentiality.


2. Responsibilities

In the context of the IS, the highest body of the company is its Managing Director, who is responsible for:

• Ensuring that the IS is part of, and integrated with, the organization's processes and overall management structure;
• Maintaining a formally operational Privacy and Information Security Committee, responsible for planning, guiding, defining, monitoring and controlling initiatives and measures related to privacy and information security;
• Keeping a formally appointed Chief Information Security Officer (CISO), who is the privileged interlocutor with the other structures of the organization in IS management activities within the scope of information security;
• Keeping a formally appointed Data Protection Officer (DPO), who is the privileged interlocutor with the other structures of the organization in IS management activities within the scope of data privacy.

All Department Coordinators must be aware that business and support processes need to comply with the organization's privacy and information security policies, and of their obligation to implement, in their areas, the initiatives necessary to achieve this.

All employees, as well as third parties who may in any way interact with information belonging to business partners, employees or ISQe itself, are required to comply with and enforce all privacy and information security rules, and must promptly report to the CISO or DPO, by email to infosec@ISQe.com, any event that may cause, or has caused, a breach of privacy or information security.

Employees and third parties may be subject to disciplinary action or legal liability for non-compliance with the privacy and information security policies and standards established by ISQe.


3. Maintenance

The Privacy and Information Security Policy is reviewed periodically to ensure that it remains appropriate to ISQe, and is communicated and made available to all employees and, where necessary, to other interested parties.

Pedro Correia
Managing Director