Icon Isotype

Information Security

Confidentiality, integrity, and availability secured under the ISO 27001 standard.

Information Security

For Indra Group, information is one of its most critical assets. For that reason, it considers it necessary to establish the appropriate measures in all locations where information may be stored or transmitted to ensure:

  • Confidentiality, ensuring that only those who are authorized and genuinely need the information for their job ("need-to-know" principle) can access the relevant data, therefore avoiding problems of unintended leaks or deletions of sensitive information.
  • Integrity, ensuring that the information and its processing methods are accurate and complete, therefore preventing possible unauthorized alterations.
  • Availability, ensuring that authorized users can access the information and its associated assets when they need to, guaranteeing access to the company's critical systems at all times through the preparation of business continuity plans.

Information Security is an essential part of Indra's business strategy due to the impact it has on its own business and its customers' business. The company has therefore developed an Information Security Management System, certified under standard ISO 27001, to define, implement and improve the most effective controls and procedures to minimize and manage risks in its internal processes, daily operations, the development and execution of programs and services from the commercial phase to the operation, and in its customer management processes.

Information Security is an essential part of Indra Group's business strategy due to the impact it has on its own activities and those of its clients.

Security Strategy

Key Pillars

Information security governance

Information security governance, which ensures correct coordination and organization of information security across all levels. At its helm is the CISO (Chief Information Security Officer), who reports directly to the Audit and Compliance Committee (ACC) and the Risk Coordination Unit (RCU) and is responsible for coordinating information in the company. The CISO's main function is to develop Indra's information security strategy, objectives and plans. This area also includes the security and market LISOs (Local Information Security Officers), whose main function is to ensure information security in the markets and subsidiaries under their jurisdiction.

Information security regulatory framework

An information security regulatory framework, applicable to all markets and areas of the company, as well as to all Indra companies, offices and subsidiaries. Compliance with this regulatory framework is mandatory for the entire Indra group and at its core is the information security policy, which establishes the basic security principles underpinning the framework. The current version of the Information Security Policy was approved by the Board of Directors on March 27, 2023.

Awareness and continuous training

Awareness and continuous training in Information Security during all phases of employment, which aims to raise understanding and learn all users of the company, so that everyone in the company is aware of their responsibility in the field of Information Security and the criticality of protecting the confidentiality, integrity and availability of the information handled, both ours and our customers.

Technology and security controls

Technology and security controls as an end-to-end solution encompassing physical and environmental security controls to prevent unauthorized physical access, damage and interference in the organization's facilities and information, as well as logical security controls to preserve the confidentiality, integrity and availability of information and the resources for processing it.

Audit and compliance monitoring processes

The audit and compliance monitoring processes, as verification and control mechanisms, internally through continuous supervision and monitoring processes, which are permanently active, such as:

  • Security and network monitoring processes to ensure compliance with security regulations in networks and information systems.
  • Audits of platform and application technical vulnerabilities to discover and assess the security risks from these vulnerabilities.
  • Validation processes before the connection of platforms to the Indra network to guarantee compliance with information security regulations in relation to patching, critical updates, antiviruses, etc.

Additionally, the annual sustainability report includes indicators that provide evidence of compliance with the security policy.

And externally, since Indra is subject to a variety of external verification audits, such as: audits of standard ISO 27001 by AENOR, an internationally renowned certification body, financial audits, and FIICS and ICT audits.

In order to guarantee security in the supply chain, Indra has established an Information Security Policy for suppliers, which is mandatory, and which is included in the approval and contracting processes of our suppliers.

Likewise, in order to guarantee the prompt detection and effective management of security incidents. Indra has formalized an Computer Security Incident Response Team "Indra CSIRT", which provides its services in accordance with those stipulated in document RFC2350. In the event of any suspicious event or vulnerability that may affect Indra's information systems, contact Indra CSIRT

Information Security | Indra Group