1. SCOPE
This policy establishes the general goals applicable to the Information Security Management System (ISMS), formalizing the strategic definitions approved for information security, cybersecurity and privacy protection that are assumed by COMPUWORKS, Lda. (hereinafter, “COMPUWORKS”).
Information security is supported by the ISMS, which is implemented in accordance with the requirements of the ISO/IEC 27001:2022 standard and with all applicable legislation and regulations on information security, in order to preserve the confidentiality, integrity, availability and privacy of information. The Declaration of Applicability is defined based on the list of security controls presented in Annex A of the ISO/IEC 27001:2022 standard.
In keeping with the organization's commitment to information security, COMPUWORKS leadership established the ISMS, which applies to all information and associated assets under the organization’s responsibility.
2. APPLICATION
This policy is intended for all employees, regardless of their employment relationship, interns, suppliers and service providers and their employees, as well as any other interested parties who have access to information under the responsibility of COMPUWORKS. Accordingly, everyone is obliged to comply with and enforce this policy and other documents related to information security, and to report any event that causes or may cause a breach of information security.
Violation of this policy implies disciplinary action, which may include termination of the contractual relationship and the reporting to the judicial authorities of situations that indicate the commission of a crime.
3. PRINCIPLES
COMPUWORKS’ information security policy aims to guarantee the following principles:
- Ensure the confidentiality, availability, integrity and data privacy of information, whether under normal operating circumstances or in exceptional circumstances;
- Ensure that information is only accessible to authorized persons and complies with the principles of identification, authentication and non-repudiation;
- Ensure compliance with information security requirements and the security of the processing of personal data in accordance with contractual obligations and with the legal and regulatory requirements provided for in national and community legislation;
- Ensure that appropriate business continuity plans are maintained and tested regularly;
- Ensure that all detected or suspected information security breaches are investigated by the areas with competence for this purpose.
4. GOALS
The main objectives of the ISMS are:
- Ensure the assessment of the suitability and practicality of the policy adopted for information security, at planned intervals, with a view to continuous improvement, or whenever there are relevant changes at the organizational level;
- Ensure resources for the operationalization of processes and activities in the context of information security management, including raising employees' awareness of this issue and of their respective responsibilities in contributing to the effectiveness of the ISMS;
- Ensure that the information security management system achieves the intended results;
- Ensure awareness of information security, cybersecurity and privacy through training and awareness-raising actions;
- Identify, assess and treat information security risks in accordance with the established methodology and criteria, implementing mitigating techniques and organizational measures for risks considered unacceptable;
- Ensure that all information security incidents and suspected weaknesses are detected, reported and addressed;
- Continuously improve the effectiveness of management systems by defining, monitoring and reviewing objectives and indicators;
- Promote the continuous improvement of the ISMS through periodic reviews, at planned intervals or when justified by significant changes in the organization, in order to improve its applicability, suitability and effectiveness.
5. REVIEW AND COMMUNICATION OF THIS POLICY
This policy will be subject to annual assessment and to revisions whenever necessary. Disclosure to interested parties and publication are ensured through a process of communication of this public document.
Update date: 17/04/2025