Information Security Management System Policy

SERMES is a CRO, dedicated to providing clinical research services to its main clients: pharmaceutical companies, biotech companies and independent investigators.

Our Information Security Management System, through established processes based on continuous improvement, guarantees the continuity of the information systems, minimizing risks and ensuring compliance with the objectives set, in order to ensure the confidentiality, integrity and availability of the information at all times.

We therefore assume our commitment to information security, in accordance with the ISO/IEC 27001:2022 reference standard, for which the Directorate establishes the following principles:

  • Competence and leadership on the part of the Directorate
  • Meet the requirements of our internal and external interested parties
  • Understand the organizational context and identify organizational opportunities and risks as a basis for planning actions to address, assume or deal with them
  • Establish objectives and targets focused on safety performance assessment as well as continuous improvement.
  • Comply with the requirements of the legislation applicable to our activity, the commitments acquired with clients and interested parties, and all internal regulations or guidelines to which SERMES is subject.
  • Security in the management of Human Resources, before, during and at the end of employment.
  • To train all personnel working at SERMES, both for the correct performance of their job position and to act according to the requirements of the reference standards; providing a suitable environment to develop the processes.
  • To guarantee the integrity and confidentiality of our clients and users data.
  • To protect the availability of work equipment so that virus infections, intrusions or other events do not prevent normal work operations.
  • Ensure the optimum state of the company’s own telecommunications systems and servers.
  • Protection of facilities and the physical environment, through the design of secure work areas and the security of equipment
  • Having a business continuity plan that protects the availability of services during a crisis or disaster
  • Ensure proper handling of assets, involving the classification of information and handling of media, and the establishment of robust logical access control to information systems, managing user permissions and privileges.
  • Establish the appropriate measures for the treatment of risks derived from the identification and assessment of assets.
  • Manage technical vulnerabilities and choose the appropriate techniques for auditing systems.
  • Carry out the management of security incidents, establishing the appropriate channels for their notification, response and timely learning
  • Maintain effective communication both internally and with our clients
  • Control of relations with providers, contractually demanding compliance with the relevant security measures and acceptable levels in their services

All personnel of the organization have the duty to comply with this policy, for which the Directorate has the necessary means and sufficient resources for its fulfilment, and assumes the responsibility of communicating and keeping it accessible to all interested parties.