COMEXI GROUP INDUSTRIES, SAU INFORMATION SECURITY POLICY

1. Purpose

To establish the framework that regulates the protection of the information and associated assets of COMEXI GROUP INDUSTRIES, SAU (hereinafter, COMEXI), guaranteeing their confidentiality, integrity and availability, as well as compliance with legal, regulatory and contractual requirements, in particular ISO/IEC 27001:2022 and Directive (EU) 2022/2555 (NIS2), in order to support the achievement of the company's objectives.

2. Scope

This Policy applies to all internal staff, external collaborators and third parties who use or manage COMEXI information and/or assets, regardless of their medium or location. It covers all processes, systems, infrastructures and work centres included in the Information Security Management System (ISMS).

3. Framework for establishing information security objectives

COMEXI maintains a systematic process to define, review and update its information security objectives, ensuring their consistency with this Policy, with the results of the risk and opportunity analysis, and with the expectations of stakeholders.

  • Alignment criteria: objectives will be aligned with the information security principles, the requirements of ISO 27001, the NIS2 obligations and the business context (machinery manufacturing).
  • SMART characteristics: every objective will be specific, measurable, achievable, relevant and time-bound.
  • Documentation and monitoring: objectives will be kept as documented information of the ISMS (owner, metric, baseline, target, timeframe and evaluation frequency).
  • Periodic review: at least once a year, or earlier in the event of significant changes in the context, risks or regulations.

4. Management Commitment and Responsibility

Senior Management assumes ultimate responsibility for the ISMS and commits to:

  • Provide the necessary resources (human, technological and financial) for the implementation, maintenance and continual improvement of the ISMS.
  • Support security initiatives and periodically review the effectiveness of controls.
  • Integrate security into the corporate strategy of innovation, sustainability and operational excellence.

5. Principles of Information Security

  • Confidentiality: access to information only for authorized individuals.
  • Integrity: accurate and complete information and processes.
  • Availability: information accessible when needed.
  • Legality and compliance: compliance with all applicable regulations: ISO 27001, NIS2 and GDPR.
  • Continual improvement: permanent review, adjusted to organizational and technological changes.

6. Specific regulatory compliance (ISO 27001:2022 & NIS2)

COMEXI will implement controls and measures to ensure:

  • Compliance with the controls in Annex A of ISO/IEC 27001:2022.
  • Risk management in accordance with ISO/IEC 27005 and Article 21 of NIS2, with a risk register and risk treatment.
  • Reporting of serious incidents to the competent CSIRT within 24 hours, in accordance with Article 23 of NIS2.
  • Evaluation and enforcement of supply chain security (Article 21.2(d) of NIS2).
  • Business continuity and operational resilience plans (Article 21.2(c) of NIS2).

7. Roles and responsibilities

Key responsibilities by role:

  • Information Security and Business Continuity Committee: governs the ISMS, approves policies and resources, assesses risks and approves treatment plans.
  • Information Security Officer: develops, implements and monitors the ISMS, coordinates incidents and NIS2 compliance.
  • Information Owners: classify assets, approve access controls, review risks.
  • Privacy Officer: ensures alignment between security and personal data protection.
  • IT & OT Manager: implements technical and network controls, ensures the security of IT (computing) and OT (industrial) systems.
  • Users: comply with policies, protect information, and report incidents.

8. Risk appetite and criteria

COMEXI adopts a risk appetite that tolerates residual risks and establishes the risk criteria in the Risk Analysis and Treatment Methodology of the ISMS.

9. Review and continual improvement

The Policy will be reviewed annually or after substantial changes in the environment, technology, processes or regulations. All reviews will be recorded and will require approval from Senior Management.

10. Awareness, training and communication

  • The Policy will be communicated to all staff and relevant external parties.
  • Periodic training and awareness campaigns will be delivered to reinforce the security culture.
  • Security documents will be available on the internal portal of the integrated management system and the ISMS.

11. Penalties for non-compliance

Non-compliance may result in disciplinary measures in accordance with the COMEXI collective agreement, legal action, or termination of contracts with third parties, without prejudice to any other civil or criminal liabilities.

12. Approval and validity

This Policy has been approved by the Board of Directors of COMEXI GROUP INDUSTRIES, SAU on September 19, 2025 and enters into force on the same date.