POLICY ON INFORMATION CLASSIFICATION
Within the framework of the Information Security Management System (ISMS) and in compliance with the requirements of ISO/IEC 27001:2022, the organization VIAMATICA establishes this Information Classification Policy. Its purpose is to ensure that all information assets are identified, classified, protected, and managed according to their value, sensitivity, and criticality to business continuity.
Information is an essential resource for the organization’s operations and must receive an appropriate level of protection against risks of unauthorized disclosure, alteration, loss, or destruction. To that end, this policy establishes a classification scheme that enables the application of controls proportional to the potential impact of mishandling the information.
All information created, received, processed, stored, or transmitted by the organization must be classified at one of the following levels:
- Public: Information that may be disclosed without restrictions and whose exposure does not pose risks to the organization or to third parties.
- Internal: Information intended for internal use by authorized personnel. Its unauthorized external disclosure could affect the organization’s operations to a limited degree.
- Confidential: Information whose access is restricted to strictly authorized personnel. Its disclosure, modification, or loss could cause a significant impact on the organization’s operations, reputation, or legal compliance.
The classification process is the responsibility of the information owners, who must identify the appropriate classification level according to the established criteria and ensure that the information is labeled and protected in accordance with its category. All personnel of the organization must at all times comply with the provisions of this policy, using information only for authorized purposes and ensuring its protection.
Information Security Management will be responsible for periodically reviewing the correct application of this policy, as well as for promoting staff training and awareness regarding information classification and handling.
Non-compliance with this policy will be considered a serious violation and may result in disciplinary measures in accordance with internal regulations and applicable law.
This policy comes into effect upon its approval and will be reviewed at least annually or whenever significant changes occur in the organization, technology, regulatory framework, or associated risks.