Information and Cybersecurity Policy
Document code: SGSI-DOC-05-01 | Version: 3.0 | Valid until: 05/19/2026
Objective
This policy guides Compass in managing information and cybersecurity, demonstrating the organization’s commitment to protecting corporate information and other information assets. It is part of the set of policies associated with the Information Security Management System as required by ISO/IEC 27001.
Scope and Target Audience
This policy guides the behavior of all Compass-affiliated agents with respect to Information and Cybersecurity. It applies to all users of Compass data and information, including any individual or organization that has or has had a relationship with Compass (employees, former employees, service providers, former service providers, collaborators, and former collaborators) and that has had, currently has, or will have access to Compass information, or that has used, currently uses, or will use computing resources within Compass's infrastructure.
Information and Cybersecurity Policy
The Compass Information and Cybersecurity Policy has the following main commitments:
• Establish guidelines that enable Compass employees and service providers to gain knowledge and awareness related to Information and Cybersecurity;
• Ensure the availability, confidentiality, and integrity of data, information, and information systems used;
• Prevent, identify, and reduce vulnerabilities in the company’s cyber environment and promptly address incidents to avoid negative impacts on operations and the quality of services provided to our clients;
• Comply with the requirements of legal, regulatory, contractual, and other obligations;
• Promote the continuous improvement of the Information Security Management System by reviewing any flaws or weaknesses and adapting it to changes in internal and external environments.
Below are the main guidelines that Compass must follow to protect its information.
Guidelines
D1 – We consider information to be an essential asset for all organizational business processes, one that must be protected against the various types of threats to it.
D2 – We align information and cybersecurity management with our business.
D3 – We handle information throughout its lifecycle ethically and responsibly.
D4 – We ensure the confidentiality, integrity, and availability of information throughout its lifecycle: production, handling, reproduction, transportation, transmission, storage, and disposal.
D5 – We apply protection to information assets in a manner compatible with their criticality to our activities, covering all processes, whether computerized or not, including when using cloud computing.
D6 – We identify, analyze, assess, and address the risks involving information assets through assessments carried out at regular intervals.
D7 – We adopt protection mechanisms against misuse, fraud, damage, loss, errors, sabotage, theft, and cyberattacks throughout the lifecycle of information.
D8 – We continuously monitor information assets and use processes, controls, and technologies for the prevention of and response to cyberattacks.
D9 – We comply with the principle of segregation of development and use of information assets in the management of information and cybersecurity.
D10 – We identify and define at least one information manager and assign them responsibility for the information throughout its lifecycle.
D11 – We promote a culture of information and cybersecurity through a permanent awareness, training, and education program.
D12 – We preserve our information and cybersecurity requirements when contracting services or people and in relationships with collaborators, suppliers, third parties, partners, contractors, and interns.
D13 – We grant employees and third parties access only to the information necessary for the performance of their functions and assignments, as provided in contracts or by legal requirement.
D14 – We individually identify each user through access control and, in proven cases of improper handling of corporate information, hold them accountable along with the administrator who granted access.
D15 – We analyze incidents of improper handling of corporate information from legal and disciplinary perspectives, assigning accountability, and from a technical perspective, correcting vulnerabilities.
D16 – We critically analyze changes that may affect information security prior to their implementation and take actions to mitigate any adverse effects through change planning and management.