
Information Security Policy

1. Approval and Entry into Force

This Information Security Policy has been prepared and approved by the Security Committee of LENER ASESORAMIENTO EMPRESARIAL, hereinafter GRUPO LENER, and shall be effective and applicable from the date of its publication on the organisation's Intranet and its subsequent communication to users.

2. Introduction

GRUPO LENER has developed this Security Policy to define the principles and foundations necessary for the proper management of the information handled by the organisation, as well as to comply with the requirements of the ISO 27001 reference standard.

To carry out its activities, GRUPO LENER depends on ICT systems (Information and Communications Technologies) to achieve its objectives. These systems must be managed diligently, taking appropriate measures to protect them from accidental or deliberate harm that may affect the availability, integrity or confidentiality of the information handled or the services provided.

The objective of information security is to ensure information quality and the continuity of services, acting preventively, supervising daily activity, and reacting promptly to incidents.

ICT systems must be protected against rapidly evolving threats capable of affecting the confidentiality, integrity, availability, intended use and value of information and services. To protect against such threats, a strategy must be implemented that adapts to changes in environmental conditions to guarantee the uninterrupted provision of services. This implies that departments must apply the minimum security measures required by the relevant standards, continuously monitor service levels, follow and analyse reported vulnerabilities, and prepare an effective incident response to ensure service continuity.

The different departments must ensure that ICT security is an integral part of each stage of the system life cycle, from its conception to its retirement, including development or acquisition decisions and operational activities. Security requirements and funding needs must be identified and included in the planning and development of the organisation’s internal or external projects.

2.1 Company Presentation

GRUPO LENER is a Spanish firm, founded in 1982 and oriented towards business advisory services. Our commitment to providing legal and economic solutions to the business and industrial sector has led us to evolve and expand our services across all fields of Business Law, forming a Group that covers the needs of the business world in insolvency matters, debt recovery, financial advisory services, and tax, labour and accounting consultancy, without losing our founding focus as experts in corporate restructuring.

GRUPO LENER is currently composed of more than 300 lawyers and economists, offering integrated legal and economic services nationwide and internationally through its six offices in Madrid, Barcelona, Oviedo, Valladolid, Vigo and Seville, ensuring close support to our clients’ interests.

First-hand knowledge of the economic sectors in which we operate. We know that creating opportunities for our clients arises from perspectives that are difficult to gain without the skills derived from extensive sector experience.

High specialisation in different legal areas. This is a necessary but not sufficient condition to be part of our organisation.

We are organised into multidisciplinary teams, aiming to offer the most enriching visions and solutions with maximum added value for our clients.

Our communication is agile and direct. Our structure is very flat. Participation of senior partners and associates is common. This is highly valued by our clients.

As part of GRUPO LENER, we also have the company TAX MASTER GESTIÓN, a tax, labour, and accounting consultancy that supports companies in complying with recurring obligations related to tax settlement and filing, personnel management, bookkeeping, and all related matters.

Its activity spans a wide variety of fields, working across all industry sectors, family businesses, foundations, high-net-worth individuals and institutions of diverse nature.

2.2 Organisational Values

Knowledge
First-rate financial and legal expertise in the economic sectors in which we operate, resulting in the creation of new opportunities for our clients.

Experience
Our activity has taken place across all fields of business law for more than 35 years, operating nationwide and internationally.

Values
Commitment to results, honesty and determination in executing alternatives, creativity in generating solutions, proactivity in delicate processes, and accompanying clients throughout their entire journey.

3. Scope

This Policy applies to the information systems of GRUPO LENER that support the services provided by the different organisations of the Group.

In particular, GRUPO LENER has decided to certify its information security management according to ISO 27001 for the following scope:

ISO 27001:
"Information Security Management System supporting the services provided by the different companies offering business legal, financial, tax and insolvency advisory services, delivered to clients via Cloud services."

4. Regulatory Framework

For the development of this Security Policy and the associated management system, the regulatory framework applicable to the organisation and the main reference standards have been considered, mainly:

  • UNE-EN ISO/IEC 27001:2023 Information Security, Cybersecurity and Privacy Protection. Information Security Management Systems. Requirements.
  • UNE-EN ISO/IEC 27002:2023 Information Security, Cybersecurity and Privacy Protection. Information Security Controls.
  • Royal Decree 311/2022, of May 3 (BOE of May 4), regulating the National Security Framework (ENS).

Additionally, any regulations or standards related to information security that may apply or be relevant to the organisation are considered, identified through the Legal Compliance Procedure and its associated register. Among these reference standards, the following may be considered:

  • ISO 27017:2021 Security Controls for Cloud Services.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
  • Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights.

GRUPO LENER shall be responsible for maintaining the regulatory framework, which shall be kept as an annex to the Legal Compliance Procedure.

5. Compliance with Minimum Security Requirements

GRUPO LENER, to meet the requirements of the aforementioned standards and security regulations, has implemented several security processes and measures proportional to the nature of the information and services to be protected.

5.1 Security as an Integral Process and Principle of Least Privilege

Security is understood as an integral process consisting of all technical, human, material, legal and organisational elements related to the system. Information security management at GRUPO LENER shall be governed by this principle, which rules out isolated or one-off actions.

Maximum attention shall be paid to raising awareness among people involved in the process and their hierarchical managers to prevent ignorance, lack of organisation and coordination, or inadequate instructions from becoming sources of risk.

Information systems must be designed and configured granting the minimum privileges required for their proper operation, which implies incorporating the following aspects:

  • The system shall provide only the essential functionality for the organisation to fulfil its competencies or contractual objectives.
  • Operation, administration and activity logging functions shall be limited to the necessary minimum, and only authorised individuals shall perform them from authorised locations or equipment; time or access point restrictions may be applied if necessary.
  • In a production system, unnecessary or inappropriate functions must be removed or disabled through configuration control. Normal system use must be simple and secure, so insecure usage requires a conscious act by the user.
  • Security hardening guides for different technologies, adapted to the organisation, shall be applied to eliminate or disable unnecessary or inappropriate features.

5.2 Continuous Monitoring, Periodic Reassessment, Integrity, System Updating and Continuous Improvement

Continuous monitoring by GRUPO LENER will allow the detection of anomalous activities or behaviours and an appropriate response.

Ongoing evaluation of asset security status will enable tracking its evolution, detecting vulnerabilities and identifying configuration deficiencies.

Security measures shall be reassessed and updated periodically so that their effectiveness keeps pace with evolving risks and protection technologies, reconsidering the security approach where this proves necessary.

The inclusion or modification of any physical or logical element in the updated asset inventory requires prior formal authorisation.

Permanent evaluation and monitoring will allow adjusting system security based on configuration deficiencies, identified vulnerabilities, updates, and early detection of any incident.

The implemented integral security process must be continuously updated and improved, applying recognised national and international methods and criteria in information technology security management.

5.3 Personnel Management and Professionalism

All personnel, internal or external, related to GRUPO LENER’s information systems within the scope of the Information Security Management System (ISMS) shall be trained and informed of their duties, obligations and responsibilities in security. Their actions shall be supervised to verify compliance with established procedures.

Acceptable use policies for corporate assets, email, storage media, etc., shall be created and approved by the Security Committee. Likewise, training and experience requirements for staff shall be defined.

Information system security shall be attended, reviewed and audited by qualified, dedicated and well-trained personnel across all stages of the system life cycle: planning, design, acquisition, construction, deployment, operation, maintenance, incident management and decommissioning.

Organisations providing services to GRUPO LENER must have competent professionals and an adequate maturity level in the services they provide.

5.4 Risk-Based Security Management, Risk Analysis and Risk Management

Risk analysis and management shall be an essential part of the security process and a continuous and constantly updated activity.

Risk management will allow the maintenance of a controlled environment, minimising risks to acceptable levels through the appropriate and proportionate application of security measures.

Risk analysis and treatment shall use a recognised methodology. Measures adopted must be justified and proportionate to risks.

5.5 Security Incidents: Prevention, Detection, Response and Recovery

GRUPO LENER has defined security incident management procedures aligned with ISO 27001 and applicable regulations (e.g., data protection legislation), including detection mechanisms, classification criteria, analysis and resolution procedures, and communication channels with interested parties.

System security shall include actions for prevention, detection and response to minimise vulnerabilities and ensure threats do not materialise or cause significant harm to information or services.

Preventive measures may incorporate deterrent components or exposure reduction.

Detection measures aim to identify the presence of a cyber incident.

Response measures shall be initiated promptly, and recovery measures shall restore the information and services affected by a security incident.

The information system shall guarantee the preservation of data and information in electronic format.

Likewise, the system shall ensure service availability during the entire digital information lifecycle through procedures designed to preserve digital assets.

5.6 Existence of Defence Layers and Prevention in Interconnected Information Systems

GRUPO LENER has implemented a multilayer protection strategy, composed of organisational, physical and logical measures, allowing adequate response even when one layer is compromised, thereby reducing the probability of full system compromise.

The organisation’s system perimeter shall be protected, particularly when connected to public networks, reinforcing prevention, detection and response activities.

Risks arising from system interconnection shall be analysed and controlled.

5.7 Differentiation of Responsibilities, Organisation and Implementation of the Security Process

GRUPO LENER has organised its security by assigning clearly differentiated security roles with specific responsibilities, as detailed in the “Security Organisation” section of this document.

5.8 Access Authorisation and Control

GRUPO LENER has implemented access control mechanisms to limit system access to authorised users, processes, devices and information systems, and only to allowed functionalities.

5.9 Facility Protection

GRUPO LENER has implemented physical access control mechanisms to prevent unauthorised physical access and damage to information and resources through security perimeters, physical controls and general protections.

5.10 Acquisition of Security Products and Contracting Security Services

For acquiring security products or contracting security services, GRUPO LENER will prioritise providers certified under recognised security standards such as ISO 27001, ISO 27017, ISO 27018, ISO 22301, among others.

5.11 Protection of Stored and Transmitted Information and Continuity of Activity

GRUPO LENER will pay special attention to information stored or transmitted through portable or mobile devices, peripherals, storage media and communications over open networks, which require particular analysis to ensure adequate protection.

Systems shall have backup copies, and mechanisms to ensure operational continuity in case of loss of usual means shall be established.

5.12 Activity Logging and Detection of Malicious Code

GRUPO LENER, to comply with applicable regulations, fully guaranteeing the right to honour, personal and family privacy and image rights, and in accordance with data protection regulations, shall log user activities, retaining only the information strictly necessary to monitor, analyse, investigate and document unauthorised or improper activities, identifying the acting individual at all times.

To preserve information system security and in compliance with GDPR principles of purpose limitation, data minimisation and storage limitation, GRUPO LENER may, to the strictly necessary and proportionate extent, analyse incoming or outgoing communications exclusively for security purposes, preventing unauthorised access, denial of service attacks, distribution of malicious code or other system harm.

To enable accountability and the assignment of responsibilities, each user accessing the system must be uniquely identified so that, at all times, it is known who has been granted access rights, of what type, and who performed a given activity.

6. Security Organisation

6.1 Information Security Roles and Responsibilities

To ensure compliance and adaptation to the requirements set by Royal Decree 311/2022 of May 3, regulating the National Security Framework, security roles forming the Security Committee have been defined, assigning positions as follows:

  • Information and Services Manager: Central Services Manager.
  • ENS Information Security Manager: IT Director.
  • ENS System Manager: Development Manager.

The remaining roles and responsibilities regarding information security shall be defined in GRUPO LENER’s ISMS Management Manual.

Below are the functions and responsibilities of each defined role, which will be formally communicated to designated persons for acceptance.

Functions of the Information and Services Manager

  • Establish and approve the security requirements applicable to services and information in accordance with Annex I of Royal Decree 311/2022 and the GDPR, with input from the ENS Security Manager and, where relevant, the ENS System Manager and the Data Protection Officer.
  • Inform about access rights to the Service and Information.
  • Accept residual risk levels affecting the Service and Information.
  • Notify the Security Manager and Data Protection Officer of any change regarding Information or Services under their responsibility.
  • Ensure proper performance of assigned functions within an appropriate security framework.
  • Collaborate in defining and approving personal data processing activities in their area.
  • Define security requirements for information processed and services provided.
  • Receive information about incidents and actions taken to resolve them.
  • Perform assessments referred to in article 40 of the ENS (security categories).
  • Define criteria for assigning and modifying information security levels and formalise their documentation.

Functions of the ENS Security Manager

  • Maintain and verify an adequate level of security for the information managed and electronic services provided.
  • Determine decisions to meet information and service security requirements.
  • Determine applicable security measures according to valuations made by Information and Service Managers.
  • Supervise implementation of necessary security measures and report on security matters.
  • Formalise the Statement of Applicability, including any compensatory or monitoring measures, mapped to the security measures of Annex II of Royal Decree 311/2022.
  • Verify adequate implementation of security measures by the System Manager.
  • Determine system security category based on valuations of Information and Service Managers.
  • Promote training and awareness in information security.
  • Promote risk analysis.
  • Designate responsible staff for risk analysis execution and system documentation tasks.
  • Provide support for determining system category in collaboration with relevant roles.
  • Participate in improvement and continuity planning.
  • Manage external and internal reviews and certification processes.
  • Analyse audit reports and present conclusions to responsible roles.
  • Submit system changes for approval by the Security Committee.
  • Approve security-impacting changes involving HIGH risk prior to implementation.
  • Assess risks before deploying artificial intelligence systems and supervise their deployment.
  • Participate in preparing the Security Policy and ENS procedures.
  • Draft and propose security policies, procedures and guidelines for approval.
  • Draft and approve the Statement of Applicability in line with requirements.

Regarding security incidents, in coordination with organisation management and responsible roles:

  • Act as the specialist point of contact with the reference CSIRTs (CCN-CERT or INCIBE-CERT).
  • Notify the competent authority, through the CSIRT, of incidents with disruptive effects.
  • Interpret and apply instructions from the Competent Authority.
  • Prepare and supply requested information or documentation.
  • Coordinate with the Data Protection Officer to determine possible data exfiltration and the impact of any personal data breach.

When systems process personal data, the Security Manager shall document and implement data protection requirements defined by the controller or processor, assisted by the DPO, aligned with GDPR articles 24 and 32 and any required Data Protection Impact Assessment.

Functions of the ENS System Manager

  • Develop, operate and maintain the information system throughout its life cycle.
  • Implement system security and supervise daily operations, delegating where necessary.
  • Define system topology and management, establishing usage criteria.
  • Ensure security measures are correctly integrated into the system framework.
  • Provide support for determining system category.
  • Participate in improvement and continuity planning.
  • Propose suspension of information processing or services in case of severe security deficiencies.
  • Temporarily suspend processing or services, in coordination with the Security Manager, during cyber incidents.
  • Adopt corrective measures derived from audit reports.
  • For HIGH category systems, suspend operations if required based on audit findings.
  • Adopt corrective measures proposed by the Security Manager.

Carry out security administration functions including:

  • Implement, manage and maintain system security measures.
  • Manage and update hardware and software supporting security mechanisms.
  • Apply the Operational Security Procedures (POS, from the Spanish Procedimientos Operativos de Seguridad).
  • Report anomalies or vulnerabilities.
  • Assist in incident investigation and resolution.
  • Manage user authorisations and privileges.
  • Verify proper operation of security controls.
  • Ensure approved procedures are observed.
  • Review hardware/software installations to ensure security.
  • Monitor security events and audit mechanisms.

6.2 Security Committee

To ensure compliance with ISO 27001 and the National Security Framework, a Security Committee has been formed with responsibilities including:

  • Report regularly on the state of information security.
  • Promote continuous improvement of the ISMS.
  • Define organisational security strategy.
  • Coordinate security efforts across areas.
  • Draft and review the Information Security Policy.
  • Draft and propose Information Security Regulations.
  • Define training and qualification requirements.
  • Develop training and awareness programmes.
  • Monitor residual risks and propose actions.
  • Monitor incident management processes.
  • Promote periodic audits.
  • Draft security improvement plans.
  • Prioritise security actions when resources are limited.
  • Ensure information security is considered in all ICT projects.
  • Verify development of procedures and documentation.
  • Resolve conflicts between responsible units.
  • Respond to security-related requests from public administration.
  • Advise on information security matters.

6.3 Composition of the Information Security Committee

The Security Committee consists of the roles defined above, including the Data Protection Officer, Legal Compliance Officer and other managers as necessary.

As the Committee is not a technical body, it will regularly seek technical advice from internal or external experts through:

  • Specialised working groups.
  • External consultancy.
  • Training events or knowledge exchange sessions.

The Committee shall meet quarterly at GRUPO LENER premises, generating meeting minutes with decisions taken.

The Committee will also resolve conflicts and differences of opinion between security roles.

7. Personal Data

GRUPO LENER shall only collect personal data when adequate, relevant and not excessive, and only for purposes for which they are obtained. Technical and organisational measures will be adopted to ensure compliance with applicable data protection laws.

Since the GDPR became applicable on 25 May 2018 and Spanish law was adapted to it through Organic Law 3/2018, appropriate measures have been implemented, such as analysis of the legal basis for processing, risk analysis, impact assessments for high-risk processing activities, records of processing activities and the appointment of a Data Protection Officer.

The organisation has defined necessary procedures, policies and security measures to ensure effective compliance.

8. Development of the Information Security Policy

Compliance with this Security Policy is achieved through the development of documentation forming the security standards and procedures required by ISO 27001 and other applicable regulations. A documentation management procedure has been defined to establish organisation, management and access guidelines.

The Security Committee is responsible for the annual review and approval of this Policy and may propose improvements where necessary.

9. Staff Obligations

All members of GRUPO LENER within the scope of the ENS shall be subject to this Security Policy and must consider it during their work activities. All staff shall receive appropriate security awareness through training, communications and best practices. A continuous awareness programme will be established, especially for new staff.

Personnel responsible for using, operating or administering ICT systems in the ICT Department shall receive training necessary for secure system operation. Training is mandatory before assuming responsibilities or when changing roles.

10. Third Parties

When GRUPO LENER provides services to or handles information from other entities, those entities shall be informed of this Security Policy.

GRUPO LENER will define and approve channels for coordination, security incident procedures and actions taken in relation to information security with other entities.

When GRUPO LENER uses third-party services or shares information, the third party shall be informed of this Policy and applicable security requirements. Third parties must comply and may develop their own operational procedures.

Third-party personnel must be appropriately trained to at least the level established in this Policy.

If any aspect of this Policy cannot be met by a third party, a report from the ISMS Manager will be required to assess resulting risks and necessary treatment.

11. Modifications and Version Control

Edition | Date       | Prepared by    | Approved by        | Changes from previous edition
1.0     | 27/09/2022 | Jorge Domingos | Security Committee | Initial version
2.0     | 10/04/2025 | Jorge Domingos | Security Committee | Minor format changes. Labelling. Minor corrections. Replacement of LENER ASESORAMIENTO EMPRESARIAL with GRUPO LENER.
3.0     | 17/11/2025 | Jorge Domingos | Security Committee | Security Policy updated to ensure compliance with ENS requirements and assignment of derived responsibilities.
