FREMAP undertakes, in accordance with its Purpose, Mission, Vision and Values, to maintain and improve information security and the continuity of its activity as a mutual, within the current legislative framework.

The FREMAP Information Security Policy is aimed at ensuring the protection of all information assets and the technology used to process them, from internal and external threats, deliberate or accidental, in order to ensure their integrity, availability and confidentiality, promoting the efficient fulfilment of the company's strategic objectives.

To support this Policy, FREMAP has a management-led Information Security Management System (ISMS), which provides a systematic approach to risk management. As a reference for establishing, implementing, maintaining and improving the ISMS, FREMAP follows the international standard for information security management UNE-ISO/IEC 27001 and the National Security Scheme, developed in Royal Decree 311/2022, of May 3.

Scope of application

FREMAP Mutual Society, in partnership with the Social Security Institute, carries out the following activities:

  • Management of financial assistance and healthcare, including rehabilitation, within the scope of protection against work-related accidents and work-related illnesses of the Social Security Institute, as well as activities to prevent the same contingencies covered by the protective action.
  • Management of cash benefits for temporary disability resulting from non-work-related injuries and diseases.
  • Management of the benefits for risk during pregnancy and risk during breastfeeding.
  • Management of the financial assistance for cessation of activity of self-employed workers.
  • Management of benefits for caring for minors suffering from cancer or other serious diseases.

The policy is applicable to the entire scope of the Mutual Society, to its resources and all internal processes.

This Security Policy is applicable to all FREMAP staff and external partners linked to the company via service contracts or third-party agreements.

Principles of the policy

  • Strategic orientation.
  • Information security culture, training and awareness.
  • Unique security.
  • Comprehensive security by default.
  • Promote means and practices that ensure the continuity of FREMAP's activity.
  • Risk management.
  • Prevention, detection, response and conservation.
  • Existence of lines of defence.
  • Continuity of information systems.
  • Supply chain safety.
  • Continuous improvement.

Policy compliance assessment

The Information Security Management System (ISMS) includes an internal audit programme for reviewing compliance with the security policy. This internal audit is carried out by a specialized provider who reviews the management system and implementation of security policies and measures in accordance with the ISO 27001 framework and the National Security Scheme.

Furthermore, to ensure proper information security implementation and management, FREMAP complies with certification processes for its two security frameworks:

  • UNE-ISO/IEC 27001 standard: initial accreditation obtained in April 2018 and renewed in 2024 for a period of three years. The scope of the certification covers all the corporate information systems used in all its workplaces. For this certification, FREMAP also undertakes the compulsory annual follow-up audit carried out by the accreditation body.
  • National Security Scheme: accreditation obtained in January 2025 in the HIGH category for all corporate information systems deployed in all FREMAP centres.

FREMAP has implemented a structure for managing risk, consisting of the Information Security Department and the Information Security Committee.

Implementation and dissemination

There are processes and technical documents derived from the policy, available to all employees, that clarify the obligations and security measures for processing information.

This Policy will be promoted by the Management of FREMAP and will be available to all employees of the organisation, as well as to other interested parties. It will be understood to enter into force and be kept up to date from today, at all levels of Management, with the full commitment of the Management.