
Information Security Policy


Objective

Establish Alsea’s commitment to the comprehensive protection of its information and that of its stakeholders, ensuring the confidentiality, integrity and availability of information assets across all business activities


Scope

This Global Information Security and Cybersecurity Policy (also referred to as the “Information Security Policy” or the “Security Statement”) applies to all Alsea business processes, as well as to any person who, directly or indirectly, accesses or handles Alsea information or the information of its clients, or provides services to Alsea. This includes employees, collaborators, suppliers and related third parties, regardless of the nature of their contractual relationship. All of them must be familiar with and comply with this Policy and related policies, as well as with all complementary information security documentation


Authorized areas to consult this document

It applies to the entire organization and to the general public


Definitions

Information security: The preservation of the confidentiality, integrity and availability of information. Other properties may also be involved, such as authenticity, accountability, non-repudiation and reliability (source: ISO/IEC 27000)

Stakeholder: An individual, group or organization that has a right, claim, interest or concern in a system or in a set of characteristics that satisfy their needs and expectations (source: ISO/IEC/IEEE 15288)

For more definitions, see the ISMS Terminology Manual.
Note: this manual is an Alsea-internal document and is not publicly accessible. The definitions included in this policy are those relevant for external disclosure


Information Security Statement

Alsea establishes as its purpose to safeguard information security in each and every one of its activities. This allows us to differentiate ourselves competitively, ensuring the availability and proper functioning of systems and services, and compliance with any legal, regulatory or contractual requirement related to information security and cybersecurity, including applicable regulations on data protection and privacy

It is particularly relevant to ensure effective Information Security management for our services, given the sensitivity and the volume of personal information processed. Effective management is a key control to protect people, systems and information assets, ensuring a secure and trustworthy environment. This management is led by Alsea’s Executive Management through the Global CISO Office

In conclusion, the integrity, confidentiality and availability of information and systems are critical to the security and continuity of our business, as well as to that of our clients

This Information Security Policy applies to all Alsea business processes and to all persons who have access to Alsea information or to the information of its clients, and/or who provide services to Alsea, even if their relationship is not of an employment nature. Employees, suppliers and related third parties must be familiar with and comply with this Policy and with related policies regarding the processing of information

Therefore, we commit to protecting the information of customers, employees, partners and stakeholders, reasonably considering and addressing their information security needs and expectations. This policy sets out the following key principles to guarantee the confidentiality, integrity and availability of information


Guidelines and commitments

Protection of information: we protect confidential, sensitive, personal and financial information

Availability and reliability: we ensure the proper functioning of and access to our systems and services

Compliance and continuous improvement: we comply with applicable laws, regulations and standards, and we promote better security practices

Risk management: we identify, assess and treat security risks to our information assets with appropriate treatment plans

Adherence and awareness: we promote a culture of security and individual responsibility in the protection of information

Supply-chain security: we consider information security in our relationships with suppliers and partners

The specific expected user behaviors are detailed in complementary operational policies available internally


Commitments of management and governance

Alsea demonstrates its leadership in information security by establishing and ensuring that this policy and its objectives are consistent with the organizational strategy. Management commits to assigning resources and clear responsibilities. The Global CISO reviews this policy annually and it is updated in the event of significant changes. Reviews are documented and changes will be communicated to the relevant stakeholders


General provisions

This Information Security Policy is the main framework and will be complemented by other policies, standards, procedures and specific guidelines that develop and detail the requirements and controls necessary to ensure information security, in compliance with applicable legal, regulatory, contractual and internal obligations

To facilitate access, unsigned copies of this policy and related documents may be generated for consultation purposes. The organization will manage the availability and scope of such copies. Translations will be valid for informational purposes, with the original Spanish version being the official reference. Acceptance of this policy may be formalized by handwritten, electronic or digital signature