Protecting information and information assets is crucial for the strategic success and sustainability of the business of the REN Group (hereinafter referred to as “REN”).
With this purpose, REN operates an Information Security Management System (hereinafter referred to as “ISMS”) that provides all the necessary tools for the secure management of information and systems. Through a risk-based approach and continuous improvement, it ensures the confidentiality, integrity, and availability of data. Safeguarding these three pillars of information security serves as a guarantee for the organisation's image, reputation, and credibility, as well as for its production processes, with both partners and clients.
REN adheres to the principles outlined in the ISO/IEC 27001 information security framework, and commits to:
a) Ensuring the establishment and pursuit of the principles described in this policy, as well as their approval, publication, and communication to all employees and relevant external entities;
b) Providing all the necessary resources for the implementation of information security management processes and activities, namely concerning the awareness and education of both internal and external employees regarding the subject and their roles in the effectiveness of the ISMS;
c) Ensuring the definition, implementation, and review of the information security management strategy, and guaranteeing its proper alignment with REN's business objectives;
d) Ensuring that the ISMS achieves the intended results;
e) Promoting continuous improvement in a structured and systematic manner.
REN sets forth the following information security objectives:
i. Ensure compliance with the legal and regulatory requirements applicable to the business, as stipulated in national and EU legislation;
ii. Ensure the integration of information security requirements and objectives into business functions and processes, as well as operations;
iii. Ensure the availability, integrity, and confidentiality of information, services, and infrastructure, both under normal operating conditions and in exceptional circumstances;
iv. Ensure that the security measures of the ISMS are understandable, effective, and have an appropriate cost-benefit ratio;
v. Establish monitoring and measurement processes that ensure the proper implementation and performance of information security controls.
REN's ISMS identifies, establishes, operationalises, monitors, and ensures the continuous improvement of information security requirements, among others, in the following domains:
a) Information security organisation
REN's Management provides guidance and support for information security in accordance with relevant business requirements, laws, and regulations.
b) Mobile devices and remote access
REN ensures security in remote access, telecommuting, and the use of mobile devices.
c) Information security in human resources management
REN ensures that employees and service providers understand their responsibilities in the context of Information Security.
d) Information asset management
REN identifies information assets and establishes appropriate protection responsibilities. It also ensures that information receives a level of protection appropriate to its importance to the Organisation, preventing the unauthorised disclosure, modification, removal, or deletion of stored information.
e) Access control
REN restricts access to information and information processing resources, ensuring that authorised users have access, while preventing unauthorised access to systems and services.
f) Cryptography
REN ensures the appropriate and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.
g) Physical and environmental security
REN prevents unauthorised physical access to, damage to, and interference with the Organisation's information and information processing resources.
h) Operations security
REN ensures the correct and secure operation of information processing resources.
i) Communications security
REN ensures the protection of information in networks and their information processing resources, maintaining the security of information transferred within the Organisation and to any external entities.
j) Acquisition, development, and maintenance of systems
REN ensures that information security is an integral part of information systems throughout their entire lifecycle. Information security is designed and implemented within the scope of the systems and information development lifecycle.
k) Information security in supplier relationships
REN ensures the protection of the Organisation's assets that are accessible to suppliers, maintaining the agreed-upon level of information security and service availability, in alignment with supplier agreements.
l) Information security incident management
REN ensures a consistent and effective approach to the management of information security incidents, including the reporting of security events and vulnerabilities.
m) Information security aspects of business continuity management
The continuity of information security is addressed in REN's business continuity management systems, ensuring the availability of information processing resources.
n) Compliance
REN prevents breaches of legal, statutory, regulatory, or contractual obligations related to information security and any security requirements.
The Policies on the Information Security Management System are approved by REN's Executive Committee. The Information Security Manager is responsible for controlling and evaluating the implementation of the ISMS, communicating its performance to top management, and ensuring the system's compliance with the requirements of ISO 27001 and applicable legislation.
Information about the cybersecurity incident response service of Redes Energéticas Nacionais, SGPS, S.A (REN) can be found at: