Integrated Management System – Autoritas Consulting, S.A.
Version: 2026
Approval date: 08/12/2025
Approved by: Autoritas Consulting General Management
Responsible: JAVIER LLINARES
Autoritas Consulting, S.A. is a company specialised in strategic consulting and data analytics-based content management. Our purpose is to provide professional, expert advice that helps our clients define and achieve their business goals effectively and efficiently, with customer satisfaction as our primary objective.
We have a multidisciplinary team committed to continuous performance improvement, both in our activities and in respect for the environment and information security management. We constantly evaluate, analyse, and optimise our processes, aiming to increase efficiency, quality, and the value of the services we deliver.
Information is an essential asset for the organisation’s activities and must be protected against internal and external threats, whether accidental or intentional. For this reason, we integrate the requirements for quality, environment, and information security into a single Management System, in accordance with UNE-EN ISO 9001:2015, UNE-EN ISO 14001:2015, and UNE-EN ISO/IEC 27001:2023, as well as Spain’s National Security Framework (ENS) at medium level for services provided to public administrations and other clients who require it.
Autoritas Management assumes its responsibility for quality, environment, and information security, leading the implementation, review, and continuous improvement of the Integrated Management System.
The objective of this Integrated Policy is to establish the principles, commitments, and guidelines governing Autoritas Consulting’s Integrated Management System, ensuring that:
The requirements of customers and other interested parties are met, increasing trust and loyalty.
The performance and efficiency of our processes are continuously improved.
The environment is protected, pollution is prevented, and applicable legal and other environmental requirements are met.
Information assets are protected against any risk that could compromise operations, reputation, or legal compliance.
Autoritas Consulting explicitly commits to meeting all requirements applicable to its activities, including customer requirements, legal and regulatory requirements, as well as other subscribed requirements related to service quality, the environmental management system, and the information security management system.
This Integrated Policy provides the reference framework for establishing, reviewing, and monitoring the objectives of the Integrated Management System.
This Policy integrates and replaces previous individual policies on quality, environment, and information security, and applies to:
All information systems, services, and processes managed by Autoritas Consulting.
All personnel (employees, collaborators, interns, and third parties with access to information or acting on behalf of the company).
All technological and documentary infrastructure, both on-premises and in cloud environments.
It expressly includes:
The provision of strategic consulting and data analytics-based content management services.
The management of information and related systems (Drive, Laravel, Kanboard, AnythingLLM, and other corporate tools).
The protection of personal data, electronic records, digital communications with clients and public bodies, and other assets relevant to business continuity.
Autoritas Consulting bases its Integrated Management System on the following principles and commitments:
Customer focus and satisfaction of needs and expectations.
Project management based on rigorous planning, coordination, and supervision of activities, timelines, and resources.
Pursuit of excellence in every project, exceeding established requirements.
Promotion of continuous learning, innovation, and creativity in digital solutions.
Commitment to environmental protection and pollution prevention.
Compliance with applicable environmental legal requirements and other requirements the organisation subscribes to.
Resource optimisation, impact minimisation, and consideration of the service life cycle where feasible.
Risk management: ongoing identification, analysis, and treatment of risks, using a methodology aligned with ISO 27005 and ENS.
Proportionality: security measures are aligned with the level of risk and the criticality of assets.
Security by design and by default in systems and processes, incorporating protection measures from inception.
Business continuity: existence of backup, contingency, and incident recovery plans.
Awareness and training of personnel in information security and ENS.
Compliance with ENS, GDPR, LOPDGDD, LSSI, and other applicable regulations on security and data protection.
Continuous improvement of the Information Security Management System (ISMS) and security controls.
To ensure the effectiveness of the Integrated Management System, the following responsibilities are established:
Approves this Integrated Policy and the annual objectives for quality, environment, and information security.
Ensures the availability of the necessary human, technological, and financial resources.
Oversees audit results, management reviews, and key indicators.
Defines risk acceptance criteria and required security levels.
Coordinates compliance with ISO/IEC 27001 and ENS within the Integrated Management System.
Oversees the implementation and effectiveness of technical and organisational security controls.
Promotes information security awareness and training.
Signs and maintains the Statement of Applicability, as well as applicable ENS documentation.
Implements and maintains the technical measures required for the secure operation of systems.
Oversees infrastructure configuration, monitoring, and maintenance.
Informs Management and the Information Security Manager of detected vulnerabilities and incidents.
Defines information classification levels and access criteria.
Assesses the impact of security incidents on information.
Composed at minimum of Management, the Information Security Manager, the System Manager, the DPO, and, where applicable, quality and environmental representatives.
Meets periodically (at least once a year and whenever significant changes occur) to review the status of the Integrated Management System, ENS adequacy, and opportunities for improvement.
Autoritas Consulting develops its Integrated Management System according to the following lines of action:
Process management: identification, sequence, interaction, and control of key processes, with performance indicators and measurable objectives.
Risk management: ongoing assessment of threats, vulnerabilities, and impacts on service quality, the environment, and information security.
Access management: authentication and authorisation control, segregation of duties, and the principle of least privilege.
Physical and logical protection: security of facilities, equipment, and networks; encryption of data in transit and at rest where appropriate.
Incident management: detection, recording, analysis, response, and lessons learned for security incidents and nonconformities.
Supplier management: inclusion of quality, environmental, and security requirements in contracts, with periodic performance reviews.
Business continuity: backup, contingency, and recovery plans tested regularly.
Verification and audit: periodic verification of compliance with the Integrated Management System, including internal and external audits (ISO and ENS).
This Policy aligns, among others, with the following standards and requirements:
UNE-EN ISO 9001:2015 – Quality management systems.
UNE-EN ISO 14001:2015 – Environmental management systems.
UNE-EN ISO/IEC 27001:2023 – Information security management systems.
Royal Decree 311/2022 regulating the National Security Framework (ENS).
Regulation (EU) 2016/679 (GDPR).
Organic Law 3/2018 (LOPDGDD).
Law 34/2002 (LSSI), as well as other applicable legislation and contractual requirements.
Autoritas Consulting will communicate this Integrated Policy to all personnel and relevant third parties, ensuring it is known, understood, and applied.
The organisation commits to:
Conduct periodic awareness and training actions in quality, environment, information security, and ENS.
Encourage people’s participation in identifying risks, opportunities, and improvement proposals.
This Policy will be reviewed at least once a year or whenever significant changes occur in the organisation, the technological environment, legal requirements, or strategic needs.
As part of the Management Review, the following will be analysed:
Results of internal and external audits.
Level of achievement of quality, environmental, and information security objectives.
Results of risk assessment and ENS compliance.
Complaints and suggestions from customers and interested parties.
Improvement opportunities and resource needs.
The conclusions of the Management Review may result in updates to this Integrated Policy and the redefinition of Integrated Management System objectives, ensuring consistency with this reference framework.
This Integrated Policy on Quality, Environment, and Information Security is mandatory for all personnel of Autoritas Consulting, S.A. and will be made available to relevant interested parties.
Valencia, 22 December 2025
On behalf of Management:
JAVIER LLINARES