Discover the entire online offer
Degrees
Master’s degrees
FP

UAX GROUP Information Security Policy

 

 

INFORMATION SECURITY POLICY  

VERSION: 1.0  APPROVED BY: Board of Directors 
DATE OF APPROVAL: 03/03/2026  ISSUING DEPARTMENT: Technology & Transformation Department 

SCOPE: UAX Group employees, suppliers and third parties handling the Group’s information 

VERSION CONTROL  

APPROVAL DATE   VERSION   REASON AND SUMMARY OF CHANGES  
03/03/2026 1.0 Document created 

 

1. Introduction and Purpose  

To ensure the protection and appropriate use of information, the UAX Group has established a policy requiring each of its constituent entities to implement an Information Security Management System (ISMS) based on the ISO 27001 standard. 

The ISMS provides a framework to ensure the appropriate use of information and the secure management of processes, promoting continuous improvement and ensuring compliance with applicable legal, regulatory and contractual requirements.  

This Policy forms the basis of the ISMS and defines the essential principles, standards and procedures for information security within the UAX Group, with the aim of preserving the confidentiality, integrity, availability and traceability of information.

The requirements set out in this Policy represent the minimum standard; however, each entity within the UAX Group may develop a more detailed or advanced policy, depending on its needs and level of maturity in information security. 

 

2. Objective  

The purpose of this Policy is to establish the basic principles and rules for information security management, ensuring: 

  • Confidentiality: Exclusive access to systems and assets containing corporate information is restricted to authorised persons only, with appropriate control mechanisms in place. 
  • Integrity: Accuracy and reliability of information, preventing unauthorised alterations through controls, as well as audit trails that enable the correct management of information to be verified and monitored. 
  • Availability: Information accessible to authorised users when required. 
  • Legal compliance: Alignment with the regulations in force at any given time, including the protection of personal data. 
  • Continuous improvement: Periodic review and updating of policies, procedures and controls to adapt to new threats, organisational, technological or regulatory changes. 

The UAX Group Management is committed to supporting the implementation of the organisational, technical and control measures necessary to comply with this policy. 

 

3. Scope  

 This policy applies to: 

  • All UAX Group employees, suppliers and third parties who handle UAX Group information. 
  • All systems, devices and information assets, whether owned by the Group or external, that process UAX Group data. 

For the purposes of this Policy, “UAX Group” refers to all those entities which form part, under the terms of Article 42 of the Commercial Code, of the group of companies whose parent company is Guadarrama Proyectos Educativos, S.L. 

 

4. Information Security Principles  

  • Organisational commitment: The entire UAX Group community must be committed to information security. 
  • Integrated security: Security must be taken into account in all the UAX Group’s processes, systems and activities, including suppliers and outsourced services. 
  • Risk management: Continuous risk assessment using recognised methodologies (ISO 31000, Magerit or COBIT), applying appropriate controls and ensuring that these are recorded, processed and monitored in a documented manner. 
  • Proportionality: Implementation of security measures commensurate with the risk to assets. 
  • Continuous improvement: Regular review and updating of security measures and procedures. 
  • Security by design and by default: Security is taken into account from the very conception of systems and processes. 
  • Shared responsibility: All users must ensure information security through awareness programmes and incident reporting. 

 

5. Roles and Responsibilities  

  • Executive Committee: Provides support and leadership in the implementation of information security. 
  • Chief Information Security Officer (CISO): Coordinates, verifies and documents compliance with the Information Security Management System (ISMS) and with legal and regulatory obligations. 
  • Data Protection Officer (DPO): Ensures regulatory compliance regarding the protection of personal data. 
  • Users: Comply with the policy and report incidents. 
  • Suppliers and third parties: Ensure compliance with security requirements and applicable regulations through contracts, confidentiality clauses and specific agreements, guaranteeing that they meet the UAX Group’s security standards. 
  • Information Security Committee: To lead, supervise and coordinate all activities relating to the ISMS within the organisation. 

 

 6. Risk Management  

Risk analysis and management is a fundamental pillar of the ISMS. To this end, methodologies of recognised standing or those widely accepted in the market, such as ISO 31000, Magerit and COBIT, shall be adopted.  

All risks must be recorded, assessed, addressed and documented, including acceptance criteria, responsible parties and evidence of follow-up. 

The risk analysis shall be reviewed at least once a year or in the event of serious incidents or significant changes to the information systems.  

 

7. Training and Awareness  

The UAX Group will implement an ongoing programme of training and awareness-raising on information security aimed at employees and third parties with access to critical information. 

Records of attendance, course content and assessments will be maintained to ensure evidence of compliance and effectiveness. 

 

8. Maintenance and Review of the Policy  

The policy will be reviewed annually by the CISO, and whenever there are regulatory or technological changes, or relevant incidents. 

All reviews will be documented, stating the date, those responsible and the changes made, to maintain audit evidence. 

 

9. Compliance and Sanctions  

Failure to comply with this policy may result in disciplinary, contractual or legal sanctions, depending on the severity of the breach. 

Sanctions will be applied in accordance with documented procedures, ensuring proportionality and providing evidence for external and internal audits. 

 

10. Approval, Distribution and Updating  

This Policy was approved by the Board of Directors of Guadarrama Proyectos Educativos at its meeting on 3 March 2026 and came into force upon approval. 

This Policy is a document easily accessible to all members of the UAX Group, available at all times via the staff portal, in the corporate documentation section. Furthermore, it will be sent by email at least once a year, and whenever updates are made. 

The CISO will ensure the correct implementation of the Policy, monitoring it annually and carrying out any necessary revisions and updates.