Information Security in Almirall

Almirall maintains an Information Security Program that aims at protecting strategic information and critical business processes in line with market standards such as NIST Cyber-Security Framework and the NIST 800-53 series.

The Information Security function in our Organization covers from strategy to operations, and has the necessary organizational independence, empowerment and sponsorship. The oversight of risk management is integrated into the Corporate Governance mechanisms, with regular briefings to the Executive Board and, at least twice a year to the Audit Commission of the Board of Directors. This oversight is based on the monitoring of Information Security processes maturity and a selected set of key risk indicators. This regular review also orients the annual update of the Information Security Program.

The approach Almirall applies to the Information Security Program is risk-oriented and holistic, covering the triad Processes, Technology and People, and all the NIST CSF Functions: Identify, Protect, Detect, Respond and Recover, with special emphasis on becoming a cyber-resilient organization.

The company places a constant focus as well on personnel awareness at all levels, with specific plans that are redesigned every year to ensure high impact, growing education amongst employees, and a strong first line of defence. The other projects and initiatives aim at achieving and maintaining the target maturity levels and keeping risks at acceptable levels, in line with the Company’s risk profile. A cyber-security insurance policy is in place as last line-of-defence strategy.

At Almirall, our Information Security Program is integrated with Data Privacy, is guided by the principles of security-by-design and security-by-default, and covers third party risk management with a risk-oriented approach.