INFORMATION SECURITY POLICY

Information Security Management System

Policy reviewed annually

 

OBJECTIVE

The purpose of this Information Security Policy, part of the Information Security Management System (ISMS), is to define Travel Compositor’s security management guidelines. These guidelines ensure that access, use and protection of all information assets are carried out in accordance with business requirements, while guaranteeing integrity, availability, and confidentiality of information.
Travel Compositor commits to complying with applicable legislation, internal security rules, and established procedures.

 

SCOPE OF APPLICATION

This policy applies to all individuals — internal or external — who access Travel Compositor’s information assets within the ISMS scope.
The protection requirements cover all information stored or processed in any format (digital or paper) as well as related information systems owned or managed by Travel Compositor.
Details of the ISMS scope are defined in the internal Context Document.

 

PRINCIPLES

This policy is based on the following core security and privacy principles:

• Effectiveness: Information must be relevant and useful for business operations.
• Efficiency: Information must be processed using optimal human and material resources.
• Integrity: Information must be complete, consistent, and protected against unauthorized alterations.
• Accuracy: Information must be free of errors or irregularities.
• Availability: Information and processing systems must remain accessible when needed to ensure service continuity.
• Legality: All information handling activities must comply with applicable legal regulations.
• Confidentiality: Information must be protected from unauthorized access, use, or disclosure.
• Privacy: Personal data must be collected, processed, stored, shared, and disposed of securely.
• Authorization: Access must be granted based on defined authorization levels.
• Physical Protection: All information-processing equipment must be safeguarded against unauthorized physical access.
• Accountability: All stakeholders are responsible for protecting information systems and applying security best practices.

 

OBJECTIVES OF THE ISMS

• Maintain and continually improve Information Security and Privacy across the organization.
• Ensure that all personnel contribute to the protection of information assets.
• Establish a management framework aligned with ISO 27001, using ISO 27002 as a set of best practices.
• Guarantee compliance with data protection legislation, especially for personal and sensitive data.
• Protect Travel Compositor’s information against internal and external threats (intentional or accidental) to ensure service continuity.

 

POLICIES, STANDARDS AND PROCEDURES

All Travel Compositor employees and collaborators are required to comply with this policy, as well as all related security standards, processes and documented procedures.
Security awareness and proactive protection are integral responsibilities of every team member.

 

ROLES AND RESPONSIBILITIES

Travel Compositor defines and documents security roles and responsibilities in the internal Roles and Responsibilities for Information Security document.
An Information Security Committee acts as the highest authority, defining objectives, strategies and overseeing compliance.

 

RISK MANAGEMENT

All information assets within the ISMS scope are subject to risk analysis to identify threats, vulnerabilities and impacts.
Risk assessment must be conducted:
• At least annually
• After significant changes in services or information
• Following major security incidents or newly discovered vulnerabilities

The Security Manager leads the risk analysis process and reports findings to the Information Security Committee, which ensures necessary resources and selects proportional security measures.

 

CONTINUOUS IMPROVEMENT

Information security management is a continuous and evolving process. Improvements may arise due to changes in business, technology, legal requirements, or newly identified risks. Actions include:

a) Reviewing the Information Security Policy
b) Reviewing services, processes and information categorization
c) Conducting annual risk analyses
d) Performing internal and external audits
e) Updating security measures
f) Updating procedures and standards

POLICY AUTHORITY STATEMENT

The Information Security Committee is responsible for enforcing and monitoring compliance with this policy and may propose corrective or preventive actions.
All departments and employees must comply with the policy, and suppliers may be required to adhere to specific security requirements.

The policy will be reviewed periodically, at least annually, and whenever relevant regulatory, operational, or strategic changes arise.

In case of misuse, violation of this policy, or regulatory non-compliance — especially related to data protection — disciplinary or legal actions may be taken, following applicable law, including employee rights under Article 18 of the Workers’ Statute.
