Our Information Security

Information Security Management System

To enhance our capabilities and improve the quality of our services, we are firmly committed to protecting the confidentiality, integrity, and availability of the information we handle. That is why we have obtained ISO 27001 Certification, recognizing the importance of maintaining an information security management system aligned with international standards.

ISMS Policy

NEW LEGAL COUNSEL S.L.U. (hereinafter, NLC or the Firm) establishes a comprehensive framework for information protection within the organization. Information security is essential to maintain the confidentiality, integrity, and availability of data, ensuring client trust, compliance with applicable laws, and the protection of the information assets we manage in our daily practice.

NLC acknowledges that information and the processes that manage it are essential to safeguarding the data it works with. The actions and awareness of the individuals within the organization are fundamental in this regard. Therefore, these policies focus on establishing clear principles, defined responsibilities, and specific measures to be adopted by all staff and third parties.

Objective and Mission

  • Define acceptable standards and practices for the use of information and communication technologies within the Firm.
  • Protect our clients’ confidential information, preventing leaks and unauthorized access.
  • Ensure data integrity, making sure information is accurate and reliable.
  • Maintain information availability, ensuring data and systems are accessible to those who need them at the right time.
  • Comply with applicable regulations on data protection and information security.
  • Promote a culture of security among those involved in the Firm through ongoing awareness and training in best security practices.
  • Establish continuous improvement measures and update as needed to reflect changes in the threat landscape, technological evolution, and the Firm’s needs, aligning with best practices and international standards such as ISO 27001:2022.

Scope

These guidelines are mandatory for all employees, collaborators, suppliers, and any third party linked to NLC who have access to the Firm’s information systems and data. These policies apply to all devices, systems, and networks owned by or used for the Firm’s activities, including personal devices (BYOD). A Declaration of Compliance (Annex 1: Declaration Sheet) will be provided, which must be signed acknowledging the rules contained in this document.

Responsibility and Commitment

Information security is a shared responsibility among all individuals linked to NLC. Implementing the Security Policy requires all members and collaborators of the Firm to understand their obligations and responsibilities according to their roles. Specifically:

  • Senior Management is responsible for ensuring the resources and support necessary to comply with this policy.
  • Each user is responsible for protecting the confidentiality, integrity, and availability of the information they access.
  • The ISMS Committee is responsible for conducting annual reviews of the Information Security Management System (ISMS), covering planning, implementation, maintenance, and improvements.
  • All users will receive regular training on the proper use of these policies and the consequences of illegal or inappropriate activities.
  • Resources and guides will be provided to help all employees and/or collaborators understand and comply with these policies.
  • All users must immediately report any security incident, inappropriate use, or unauthorized access to technological and information resources.
  • All users must know and comply with all information security and data protection policies in this document. To avoid any doubt, non-compliance with these policies may result in disciplinary actions such as warnings, suspensions, or termination of the professional agreement.

Information Security Management System (ISMS) Committee

As part of the Information Security Policy, NLC has created an Information Security Committee responsible for leading, planning, supervising, and managing all aspects related to information protection.

Risk Assessment

Risk assessment under ISO 27001:2022 is a fundamental process within the information security management system (ISMS). At NLC, this process involves identifying, analyzing, and evaluating risks related to information security across all areas and processes of the organization.

The Risk Assessment process under ISO 27001:2022 at NLC includes:

  • Identification of critical assets
  • Identification of threats and vulnerabilities
  • Impact and likelihood analysis
  • Risk level assignment
  • Ongoing review

Information Security Policies and Procedures

NLC has implemented all necessary measures to comply with general and IT security regulations, covering data protection policies, building and facility security, and appropriate behavior of employees, collaborators, and third parties in system use. These measures, essential to ensure confidentiality, integrity, and availability of information at NLC, include:

Confidential Information and Personal Data Protection

NLC is committed to safeguarding the integrity and confidentiality of its clients’ and collaborators’ data. This involves implementing robust security measures to prevent unauthorized access, improper disclosure, and misuse of sensitive information. Compliance with national and international data protection regulations is also ensured to protect the privacy and confidentiality of personal data managed by the Firm.

Regulatory Compliance

NLC is committed to complying with current legislation applicable to information security, including the National Security Framework (ENS) and ISO 27001, considering its purpose, legal status, and business objectives. Ref. ISO/IEC 27001 Legislation Standards: https://normaiso27001.es/a18-cumplimiento/

Training and Awareness

NLC is committed to providing all personnel and collaborators with optimal training and awareness in information security. This training will be designed to meet the objectives of the Information Security Management System (ISMS), while specifying each individual’s roles and responsibilities within the organization. It will also focus on the necessary security measures to mitigate risks and protect the Firm’s assets.

Audit and Continuous Improvement

At NLC, we believe continuous improvement is essential. Therefore, we undergo periodic external audits to review the effectiveness of our processes. These evaluations help us measure our compliance level and provide suggestions for implementing corrections that foster our ongoing development. All efforts aim to improve the availability, integrity, and reliability of the Firm’s information.

In this regard, NLC reserves the right to randomly and without prior notice monitor and verify any user access to its technological resources and information. All reviews and monitoring activities will be properly documented for audit and compliance purposes.

Non-Compliance

NLC reserves the right to establish technical controls deemed appropriate to reinforce compliance with this policy’s guidelines. NLC may request employees and collaborators to justify the use of resources provided to them if usage patterns are detected that are considered abnormal or contrary to this document.

Total or partial non-compliance with these policies, in cases of reasonable suspicion of criminal activities, offenses, administrative violations, or serious breaches of our security policies, will result in warnings determined by Senior Management.

All actions will be carried out in compliance with applicable regulations at all times and with the utmost respect for the worker’s dignity, in accordance with the monitoring and control powers established in Article 20.3 of the Workers’ Statute.

Validity

This Information Security Policy and each of its supplements will be effective from the moment it is delivered to the employee, collaborator, or third party. Additionally, it will require review at least once a year.