Security Policy

1 .Introduction

MERCANZA, S.L.U. (hereinafter, Mercanza) is a Spanish company dedicated to the design and implementation of technological solutions for business management. These solutions are aimed at providing greater Business Intelligence, a substantial improvement in Business Management and an increase in the Productivity of resources with a set of value-added services aimed at providing greater value to the technological resources of organisations.

This policy is understood, implemented and kept up to date at all levels of the company and has the full commitment and support of Mercanza’s Management, which establishes, develops and applies it through its Information Security Management System (hereinafter, ISMS) in accordance with the UNEISO/IEC 27001 standards and Royal Decree 311/2022, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.

2. Scope

This Policy applies to the entire scope of Mercanza, and compliance with it is mandatory for all personnel who, on a permanent or temporary basis, provide their services therein.

3. Content

The quality and safety of services are strategic objectives for Mercanza and the information related to them constitutes a fundamental asset for efficient decision-making. For these reasons the Management declares its express commitment to the continuous improvement of its Information Security Management System as a pillar of a strategy aimed at risk management and the consolidation of a culture based on security.

The scope of the Management System is as follows:

‘The information systems that support the activities of customised developments, internet services, technological consultancy, training and support and installation of systems and infrastructures, in accordance with the declaration of applicability and conformity in force at the date of issue of the certificate’.

Terms and definitions

  • ISMS: stands for Information Security Management System (regulated by the UNEISO/IEC 27001 Standard), which is a set of interrelated or interacting elements (organisational structure, policies, activity planning, responsibilities, processes, procedures and resources) used by an organisation to establish an information security policy and objectives and to achieve these objectives, based on a risk management and continuous improvement approach.
  • ENS: This is the acronym for the National Security Scheme, regulated by Royal Decree 311/2022 of 8 January, which applies to public sector e-administration. Its purpose is to establish the security policy and create the necessary conditions for confidence in the use of electronic media, through measures to guarantee the security of systems, data, communications and electronic services, allowing the exercise of rights and the fulfilment of duties through these media.
  • Stakeholder: A person or group that has an interest in the performance or success of the organisation.
  • Authenticity: Property that a person and or company that has accessed and used the information is what it claims to be.
  • Confidentiality: The property of information not to be made available or disclosed to unauthorised persons and/or undertakings.
  • Integrity: The property or characteristic that the information asset has not been altered in an unauthorised manner.
  • Traceability: A quality that allows all actions performed on information or an information processing system to be unambiguously associated with a person and/or company.
  • Availability: The property of information to be accessible and usable at the time it is required by the authorised person and/or company.
  • Asset: In relation to information security, this refers to any information or element related to the processing of information (systems, media, buildings, people, etc.) that has value for the organisation.
  • Risk: The possibility that a particular threat could exploit a vulnerability to cause loss or damage to an information asset. It is usually considered as a combination of the probability of an event and its consequences.
  • Threat: The potential cause of an unwanted incident, which may result in damage to a system or the organisation.
  • Risk analysis: The process of understanding the nature of risk and determining the level of risk.
  • Risk treatment: The process of modifying the risk by implementing controls.
  • Personal data: Any information relating to an individual that is identifiable or can be used to identify that individual.


Mission and legal and regulatory framework

Royal Decree 311/2022 of 8 January, which regulates the National Security Scheme (ENS), obliges us to protect the services we provide to our stakeholders. With the implementation of an ISMS under the UNE ISO/IEC 27001 Standard integrated with the ENS of MEDIUM category in accordance with the criteria established in Annex I of RD 311/2022, and the application of the requirements described in the CCN Technical Guides and Instructions, the security of our services is strengthened, as well as the information and data they include and which are necessary for their correct and adequate provision.

Mercanza processes certain personal data that must be registered and kept up to date by means of the document ‘Data Protection Risk Analysis’, in order to facilitate the control, management and protection of rights, analysing the risks and applying specific security measures to comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), equivalent to Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, which was created to facilitate implementation and compliance in Spain.

Mercanza’s ISMS/ENS will be maintained in compliance with and respecting the Intellectual Property Law regarding the use of software, as well as the rest of the applicable regulations set out in the ‘Regulatory Framework’ document.

Management leadership and commitment

Mercanza’s Management undertakes to facilitate and provide the necessary resources for the establishment, implementation, maintenance and improvement of the entity’s ISMS/ENS, as well as to demonstrate leadership and commitment to it, through the constitution of the Information Security Committee, which will be responsible for:

Ensuring the establishment of this policy and the objectives of information security, and that these are compatible with Mercanza’s strategy for the promotion of the information society in Spain.
Ensure integration and compliance with the applicable ISMS/ENS requirements in the entity’s services and processes.
Ensure that the necessary resources for the ISMS/ENS are available.
Communicate the importance of effective security management and compliance with ISMS/ENS requirements.
Ensure that the ISMS/ENS achieves the intended results.
Lead and support people to contribute to the effectiveness of the ISMS/ENS.
Promote continuous improvement.
Support other relevant management roles, leading their areas of responsibility for information security. Details of the specific functions of the Information Security Committee are described in its charter.

Information security objectives

Information security objectives shall be set at the relevant functions and levels, with a focus on improvement and using as a frame of reference:

  • Changes in stakeholder needs leading to an improvement of the scope of the system.
  • Applicable information security requirements and the results of risk assessment and risk treatment to ensure confidentiality, integrity, availability, traceability and authenticity of information, as well as protection of personal data.
  • Internal factors such as the implementation of organisational techniques to improve the monitoring of the handling and resolution of security incidents.
  • External factors such as technological developments, the application of which improves the effectiveness of risk management.
  • Improving the effectiveness of the training and awareness of personnel working in the entity and affecting their performance in information security.


Likewise, planning for the achievement of the established information security objectives shall be carried out taking into account the following elements:

  • What is to be done.
  • The necessary resources.
  • Who is responsible.
  • Timeframe for achievement.
  • Indicators to evaluate the result/compliance.


Establishment, implementation, maintenance and improvement of Mercanza’s ISMS/ENS and documentation management guidelines.

The deployment of Mercanza’s ISMS/ENS is carried out on the basis of the ‘Security Risk Map’, which makes it possible to determine the level of security required by the organisation and to identify the controls necessary to treat the risk and bring it to an acceptable level, in accordance with Annex I of Royal Decree 311/2022 and Annex A of the ISO 27001 standard.

The security controls must be implemented, maintained and continuously improved and be available as documented information to be reviewed and approved by the Information Security Committee on behalf of the General Management.

In compliance with Article 12 of the Royal Decree of the ENS, this Security Policy shall be developed by applying the following minimum requirements and shall be included in the documentation of the system:

  • Organisation and implementation of the security process.
  • Risk analysis and management.
  • Personnel management.
  • Authorisation and control of access.
  • Protection of facilities.
  • Procurement of products.
  • Security by default.
  • System integrity and updating.
  • Protection of information stored and in transit.
  • Prevention against other interconnected information systems.
  • Logging of activity.
  • Security incidents.
  • Business continuity.
  • Continuous improvement of the security process.


The documented information on security controls shall be communicated to the personnel working in the entity (internal and external personnel) who shall be obliged to apply it in the performance of their work activities.

Documented information shall be classified as: public, internal, restricted and confidential, and shall be used appropriately according to this classification and in accordance with the criteria set out in the Information Classification and Labelling Procedure.

Audits will be carried out to review and verify compliance of Mercanza’s ISMS/ENS with the requirements of the ISO/IEC 27001 Standard for the ISMS and with Royal Decree 311/2022, of 8 January, which regulates the National Security Scheme, so that the personnel affected by the scope of these audits must be collaborative for the effectiveness of the audits, as well as in the application of the corrective actions that are derived for continuous improvement.

Information security roles and responsibilities

The Information Security Committee shall review and propose the approval of this Information Security Policy to the General Management of Mercanza who shall be the Chief Information Officer.

In addition, the Information Security Committee shall centralise the mechanisms for coordination and conflict resolution between the following persons in charge, which shall be discussed during the meetings of the members of said committee and shall be moderated by the General Management:

  • The Security Committee, representing Mercanza’s General Management, will be the body in charge of approving the policy and will be responsible for authorising its modifications, as well as all the documented information of the entity’s ISMS/ENS.
  • The Head of Information Security shall be responsible for notifying the entity’s staff of this policy and of any changes to it, as well as for coordinating the actions of implementation, maintenance and improvement of the entity’s ISMS/ENS (including the signing of the Declaration of Applicability that formalises the list of applicable security measures derived from the Risk Analysis), and its audits, with the Systems Manager, who will be in charge of managing the technical security requirements of the information systems, and with the Service Manager, whose figure falls to the directors of the areas of the entity, who will be in charge of managing the security requirements of the activities of their area for the provision of the services.
  • The person in charge of each information and/or service affected by the analysis and management of risks shall be indicated in the Mercanza ISMS/ENS Risk Map, which shall include the criteria that will determine the level of security required, within the framework established in article 40 and the general criteria prescribed in Annex I of the Royal Decree of the ENS.
  • The Data Protection Officer will be responsible for ensuring that personal data is processed and protected in accordance with the General Data Protection Regulation (GDPR EU 2016/679), and will therefore work in coordination with the Information Security Officer and the Systems Manager.
  • All staff of the organisation, both internal and external, shall be responsible for complying with this Information Security Policy within their work area, as well as for applying all documented information on Mercanza’s ISMS/ENS security controls and measures in their work activities that affect their information security performance.

Review of the Information Security Policy

This Information Security Policy shall be reviewed in system reviews by the Management, through the Information Security Committee, whenever significant changes occur, at least once a year.

Approval, dissemination and implementation of the Information Security Policy

This Information Security Policy shall be approved by the General Management of Mercanza by means of a signature and disseminated to the interested parties of Mercanza.

Likewise, the General Management of Mercanza will provide the necessary resources for the effective application of this policy, and for its proper development, both in the implementation activities and in the subsequent maintenance and improvement of the entity’s entire ISMS/ENS.