1. APPROVAL AND ENTRY INTO FORCE

Policy approved on 16 October 2025 by a resolution of the Managing Director of ROGERS ABOGADOS S.L.P., hereinafter ROGERS ABOGADOS. This “Information Security Policy”, hereinafter the Policy, shall take effect from the date of its approval and shall remain in force until it is replaced by a new Policy.

2. INTRODUCTION

ROGERS ABOGADOS S.L.P. relies heavily on ICT (Information and Communications Technology) systems to achieve its objectives, and is aware that digital transformation has led to an increase in the risks associated with the information systems underpinning public services, and that, as a supplier to the public sector, it must manage these risks appropriately.

The aim of this risk management is to protect Information and Communications Technology systems against accidental or deliberate damage that may affect the availability, integrity, confidentiality, authenticity or traceability of the information processed by ROGERS ABOGADOS within the framework of the services provided to the public sector, and more specifically to care homes and social and healthcare centres.

ICT systems must be protected against rapidly evolving threats with the potential to impact the confidentiality, integrity, availability, intended use and value of information and services. To defend against these threats, a strategy is required that adapts to changes in environmental conditions to ensure the continuous provision of services. This means that departments must implement the minimum security measures required by the ISO 27001 standard, as well as continuously monitor service delivery levels, track and analyse reported vulnerabilities, and prepare an effective incident response to ensure the continuity of the services provided.

The various departments at ROGERS ABOGADOS must ensure that ICT security is an integral part of every stage of the system lifecycle, from conception through to decommissioning, including development or procurement decisions and operational activities. Security requirements and funding needs must be identified and included in planning, in calls for tenders, and in the contracting of ICT projects.

Departments must be prepared to prevent, detect, respond to and recover from incidents, in accordance with Article 8 of the ENS.

3. SCOPE

3.1. Subjective Scope

The parties bound by this Policy are all staff of ROGERS ABOGADOS, and all those persons or entities, both internal and external, who provide services to ROGERS ABOGADOS, whether on-site or remotely.

3.2. Objective Scope

This Policy shall apply to the information management systems of ROGERS ABOGADOS that support legal services specialising in insurance and reinsurance, maritime law, transport and logistics, aviation law, tourism law, and litigation and arbitration.

The identification and maintenance of the regulatory framework shall be the responsibility of the ROGERS ABOGADOS Security Officer and shall be governed by the procedure relating to the identification and assessment of legal requirements.

4. MINIMUM SECURITY REQUIREMENTS

The ROGERS ABOGADOS Security Policy governs the ongoing management of the security process. This Policy has been established in accordance with the following basic principles:

a) Organisation and implementation of the security process 

b) Risk analysis and management 

c) Staff management

d) Professionalism

e) Authorisation and control of access 

f) Protection of premises 

g) Procurement of security products and contracting of security services (Art. 19).

h) Least privilege 

i) System integrity and updating 

j) Protection of information at rest and in transit 

k) Prevention in relation to other interconnected information systems 

l) Activity logging and detection of malicious code 

m) Security incidents 

n) Business continuity 

ñ) Continuous improvement of the security process 

In order to comply with these minimum requirements, ROGERS ABOGADOS will implement the security measures described in Annex A of the ISO 27001 standard, taking into account:

  • The assets that constitute ROGERS ABOGADOS’ information system.
  • The decisions taken to manage the identified risks.

5. BASIC PRINCIPLES

ROGERS ABOGADOS’ Information Security Policy establishes the following basic principles that must be borne in mind when using information systems:

  • Security as a comprehensive process: security is a process that encompasses all human, material, technical, legal and organisational elements related to information systems.
  • Comprehensive risk-based management: risk analysis and management is an essential part of the security process and must be a continuous and constantly updated activity. Risk management will enable a controlled environment to be maintained, keeping risks at acceptable levels.
  • Prevention, detection, response and preservation: Information system security must encompass actions relating to prevention, detection and response.
  • Existence of lines of defence: The ROGERS ABOGADOS information system must have a protection strategy comprising multiple layers of security.
  • Continuous monitoring and periodic reassessment: Continuous monitoring will enable the detection of anomalous activities or behaviour and a timely response. Ongoing assessment will allow us to measure progress, and security measures will be periodically reassessed and updated to ensure their effectiveness remains aligned with evolving risks and protection systems.

6. INFORMATION SECURITY OBJECTIVES

ROGERS ABOGADOS has established the following security objectives:

  • To guarantee the protection of information.
  • Physical security: ROGERS ABOGADOS locates information systems in secure areas, protected by physical access controls appropriate to their level of criticality.
  • Access control: ROGERS ABOGADOS restricts access to information assets by users, processes and other information systems through the implementation of identification, authentication and authorisation mechanisms tailored to the criticality of each asset.
  • Acquisition, development and maintenance of information systems: ROGERS ABOGADOS takes security aspects into account at all stages of the information systems’ lifecycle.
  • Ensuring the continuous provision of services: ROGERS ABOGADOS implements appropriate procedures to ensure the availability of information systems and maintain the continuity of business processes.
  • Data protection: ROGERS ABOGADOS adopts the necessary technical and organisational measures to manage the risks arising from the processing of personal data.
  • Compliance: ROGERS ABOGADOS adopts the necessary technical and organisational measures to comply with current legal regulations regarding information security.

7. MISSION

ROGERS ABOGADOS’ mission is to offer specialised and effective legal solutions in highly complex matters, rigorously defending its clients’ interests in both advisory and litigation contexts. Since its foundation in 2007, the firm has operated with technical excellence, commitment and a client-focused approach, providing bespoke legal strategies based on experience and teamwork. Thanks to its knowledge of other legal systems and a solid international network of collaborators, it handles matters of global scope with competence. Its practice is guided by professional ethics, confidentiality and the constant pursuit of results. The firm is recognised by prestigious international legal directories such as The Legal 500 and Chambers & Partners for the quality of its service and its dedication to the client.

8. DEVELOPMENT OF THE POLICY

The Information Security Committee of ROGERS ABOGADOS has approved the development of an information security management system which will be established, implemented, maintained and improved in accordance with security standards. This system will be adapted to and will serve as the management framework for the controls set out in the ISO 27001 standard. The system will be documented and will enable the generation of evidence regarding the controls and compliance with the objectives set by the Committee. There will be a document management procedure setting out guidelines for the structuring, management and access to the system’s security documentation. 

The Information Security Committee is responsible for the annual review of this Policy, proposing, where necessary, improvements to it for approval by the Managing Director of ROGERS ABOGADOS.

This Security Policy is mandatory and is structured, in terms of documentation, into the following hierarchical levels:

  • First level: Information Security Policy.
  • Second level: Security Regulations.
  • Third level: Security Procedures.

Staff at ROGERS ABOGADOS and third-party companies must be familiar not only with this Security Policy, but also with all regulations, procedures, technical instructions, or other documentation that may affect the performance of their duties. 

8.1. First regulatory level: ICT Security Policy.

The ICT Security Policy constitutes the highest-level regulatory instrument within ROGERS ABOGADOS’ security regulatory framework. It must be approved by the Managing Director of ROGERS ABOGADOS.

8.2. Second regulatory level: Information Security Standards.

The ICT Security Standards are mid-level instruments covering a specific area of security. The body responsible for their approval is the ROGERS ABOGADOS Security Committee.

8.3. Third regulatory level: ICT Security Procedures.

ICT Security Procedures are lower-level instruments, drafted in greater detail, applicable to a specific area. The person responsible for their approval is the Security Officer.

9. SECURITY ORGANISATION

9.1. Security roles or profiles

To ensure compliance with and adaptation to the measures required by regulation, security roles or profiles have been created, and the positions or bodies that will fill them have been designated as follows:

  • Security Officer: Marie Rogers
  • System Manager: Mark Rogers

9.2. Information Security Committee

ROGERS ABOGADOS has established an Information Security Committee as a collegiate body, comprising the following members:

  • Chair: Managing Director of ROGERS ABOGADOS.
  • Members:
      • System Manager.
      • Security Officer.
      • Data Protection Officer.

On an optional basis, other members of ROGERS ABOGADOS may join the Committee’s work, including specialised working groups, whether internal, external or mixed.

The Information Security Committee shall meet every six months, at the offices of ROGERS ABOGADOS or remotely, following a call to that effect by the Managing Director. In any event, the Committee may hold extraordinary meetings when circumstances so require.

9.3. Responsibilities

The functions and responsibilities of each of the ENS security roles are detailed and set out below:

Functions of the Chief Information Security Officer (CISO/RSF)

  • To maintain and verify the appropriate level of security for the information handled and the electronic services provided by the information systems.
  • To manage, supervise and maintain the physical security of ROGERS ABOGADOS’ premises.
  • To promote training and awareness in the field of security.
  • To appoint personnel responsible for carrying out risk analysis, preparing the statement of applicability, identifying security measures, determining necessary configurations and preparing system documentation.
  • To provide advice on determining the system category, in collaboration with the System Manager and/or the Information Security Committee.
  • To participate in the development and implementation of security improvement plans and, where applicable, business continuity plans, and to validate them.
  • To manage external or internal system audits.
  • To manage certification processes.
  • To submit changes and other system requirements to the Security Committee for approval.

Duties of the System Manager

  • To block or suspend access to information or the provision of services if they become aware that these present serious security deficiencies.
  • Implement and manage ROGERS ABOGADOS’ Information Systems throughout their entire lifecycle, including the implementation of cybersecurity controls, as well as their operation and verification of their correct functioning.
  • Define the topology and management of the Information System by establishing the criteria for its use and the services available within it.
  • Ensure that specific security measures are properly integrated into the overall security framework.
  • Collaborate with the Security Officer to investigate and resolve cyber incidents affecting ROGERS ABOGADOS’ Information Systems and apply the knowledge gained from analysing past cyber incidents to reduce the likelihood or impact of future incidents.
  • Carry out the duties of the system security administrator:
      • The management, configuration and updating, where necessary, of the hardware and software on which security mechanisms and services are based.
      • The management of authorisations granted to system users, in particular the privileges granted, including the monitoring of activity carried out on the system and its compliance with what has been authorised.
      • Approving changes to the current configuration of the Information System.
      • Ensuring that established security controls are strictly adhered to.
      • Ensuring that the approved procedures for managing the Information System are applied.
      • Overseeing hardware and software installations, modifications and upgrades to ensure that security is not compromised and that they comply with the relevant authorisations at all times.
  • Monitor the security status provided by security event management tools and technical audit mechanisms.
  • Where the complexity of the system so warrants, the System Manager may appoint such delegated system managers as they deem necessary, who shall report directly to them and shall be responsible within their remit for all actions delegated to them by the System Manager. Similarly, they may also delegate specific functions of the responsibilities assigned to them to one or more other persons.

Functions of the Information Security Committee

The Security Committee shall have the following functions:

  • To respond to requests regarding Information Security from the Administration and the various security roles and/or areas, reporting regularly on the status of Information Security.
  • To provide advice on matters of Information Security.
  • Resolving conflicts of responsibility that may arise between the various administrative units.
  • To promote the continuous improvement of the Information Security management system. To this end, it shall be responsible for:
      • Coordinating the efforts of the various departments in the field of Information Security to ensure that these are consistent, aligned with the agreed strategy in this area, and to avoid duplication.
      • Proposing plans to improve Information Security, with the corresponding budgetary allocation, prioritising security measures when resources are limited.
      • Ensuring that Information Security is taken into account in all projects from their initial specification through to their implementation. In particular, it must ensure the creation and use of horizontal services that reduce duplication and support the consistent operation of all ICT systems.
  • Monitor the main residual risks assumed by the Administration and recommend possible actions to address them.
  • Monitor the management of security incidents and recommend possible actions in relation to them.
  • Draft and regularly review the Information Security Policy for approval by the competent body.
  • Draft the Information Security Regulations for approval in coordination with the Directorate-General.
  • Verify information security procedures and other documentation for approval.
  • Develop training programmes aimed at training and raising staff awareness regarding Information Security, and in particular regarding the protection of personal data.
  • Draw up and approve training and qualification requirements for administrators, operators and users from an Information Security perspective.
  • Promote the conduct of periodic ENS and data protection audits to verify compliance with the Administration’s obligations regarding information security.

9.4. Appointment procedures

The establishment of the Information Security Committee, the appointment of its members and the designation of the Data Protection Officers identified in this Policy have been carried out by the Managing Director of ROGERS ABOGADOS and communicated to the relevant parties.

The members of the Committee, as well as the security roles, will be reviewed every three years or when a vacancy arises.

9.5. RACI matrix: responsibility assignment matrix

Columns: Task, DG, IR, RS, CISO/RSF, CIO

  • Security Policy: A, C, C, R, C
  • Risk Analysis: I, R, A/R, R
  • Statement of Applicability (SOA): I, R, A/R, R
  • IT policies and procedures: I, A/R, R
  • Security incident response: I, I, C, Re:R
  • Security of the lifecycle of information services and systems: C, A/R

Legend:

  • A: Accountable (makes the decision, authorises and approves).
  • R: Responsible (is responsible for carrying out the work).
  • C: Consulted (is consulted before the decision is made).
  • I: Informed (is informed of the decisions taken).

10. CONFLICT RESOLUTION

The Information Security Committee at ROGERS ABOGADOS will be responsible for resolving any conflicts and/or differences of opinion that may arise between security roles.

11. PERSONAL DATA

ROGERS ABOGADOS will only process personal data where such processing is appropriate, relevant and not excessive, and where the data relates to the scope and purposes for which it was obtained. Similarly, it shall adopt the necessary technical and organisational measures to comply with the Data Protection regulations in force in each case, in accordance with the Personal Data Protection Policy approved by the Presidency of ROGERS ABOGADOS.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, appropriate measures have been implemented, such as the analysis of the legal legitimacy of each data processing operation carried out, risk analysis, impact assessment where the risk is high, the recording of activities and the appointment of the person who will perform the duties of Data Protection Officer.

12. THIRD PARTIES

When ROGERS ABOGADOS provides services to other organisations, or handles information belonging to other organisations, those organisations will be made aware of this Information Security Policy. ROGERS ABOGADOS will define and approve the channels for the coordination of information and the procedures for responding to security incidents, as well as all other actions that ROGERS ABOGADOS carries out in relation to security in conjunction with other organisations.

Where ROGERS ABOGADOS uses third-party services or discloses information to third parties, it shall make them aware of this Security Policy and the existing Security Regulations applicable to such services or information.

Such third parties shall be subject to the obligations set out in the aforementioned regulations and may develop their own operational procedures to comply with them. Specific procedures for communication and incident resolution shall be established. It shall be ensured that third-party personnel are adequately aware of security matters, at least to the same standard as that established in this Security Policy.

Where any aspect of this Security Policy cannot be met by a third party as required in the preceding paragraphs, a report shall be required from the ENS Security Officer detailing the risks incurred and how to address them. Approval of this report by the managers of the information and services concerned shall be required before proceeding.

13. CONTINUOUS IMPROVEMENT

Information security management is a process subject to ongoing updating. Therefore, ROGERS ABOGADOS must implement a process of continuous improvement which will involve, amongst other actions:

  • Review of the Information Security Policy.
  • Review of services and information and their categorisation.
  • Conducting risk analyses on an annual basis.
  • Conducting internal and external audits.
  • Review of security measures.
  • Review and update of policies and procedures.

For ROGERS ABOGADOS, the proper management of information security is an ongoing and collective challenge, essential to the firm’s continuity.