Information Security Policy of Statistics Portugal
Introduction
The Information Security Policy of Statistics Portugal establishes the general principles that guide the protection and management of assets under the responsibility of Statistics Portugal, within the scope of its Information Security Management System (ISMS). This policy is part of the Integrated Management System (IMS) and is aligned with the following standards and requirements:
- ISO/IEC 27001:2022 – Information Security, Cybersecurity, and Privacy Protection – Information Security Management Systems (Requirements);
- ISO/IEC 27701:2019 – Extension to Privacy Information Management;
- ISO 9001:2015 – Quality Management Systems (Requirements);
- Applicable legislation and regulations on information security, cybersecurity and data protection;
- Recommendations of the ESS (European Statistical System) and EUROSTAT on Information Security, Cybersecurity, and Privacy Protection.
By integrating the principles of quality and security, Statistics Portugal ensures a systematic and effective approach to guaranteeing the confidentiality, integrity, availability, and quality of the data and systems under its management. By establishing the Integrated Management System (IMS) and the Information Security Management System (ISMS), the Board of Directors of Statistics Portugal assumes the commitments defined in this policy. This commitment includes integrating ISMS requirements into the organisation's processes and ensuring that the resources needed to implement them are properly secured. In addition, the Board of Directors recognises its responsibility towards its stakeholders 1), committing to:
- Adopt appropriate management practices in the areas of Information Security, Cybersecurity and Privacy Protection;
- Continuously monitor and assess the implementation of ISMS as an integral part of the IMS at Statistics Portugal.
This policy is aligned with the following strategic and regulatory documents:
- Quality Charter of Statistics Portugal;
- General Guidelines for Official Statistical Activity;
- European Statistics Code of Practice (principles 2, 5 and 9);
- Other related documents.
Within the context of Statistics Portugal’s ISMS, Information Security Management, Cybersecurity and Privacy Protection also include the management of private information, in accordance with the requirements of ISO/IEC 27701:2019 (Privacy Information Management).
Statistics Portugal undertakes to:
- Comply with regulatory and legal requirements: Ensure compliance with applicable national, European (especially within the scope of the European Statistical System – ESS) and international standards applicable to information security;
- Protect information: Ensure the confidentiality, integrity and availability of information across all organisational processes;
- Promote effective communication: Establish and maintain clear and efficient communication of information security policies and procedures, ensuring that all stakeholders understand their responsibilities;
- Continuously raise awareness and provide training: Implement a continuous programme of training and awareness to reinforce the culture of information security among staff and other stakeholders;
- Demonstrate organisational security: Consistently demonstrate that Statistics Portugal is a reliable and secure organisation in terms of information security, adopting internationally recognised best practices and standards.
Scope
Statistics Portugal’s Information Security Policy applies to all stakeholders, including employees, suppliers, partners and other entities interacting with the organisation’s information assets.
It is the responsibility of all stakeholders to:
- Know and comply with this Policy and related Information Security documents, according to their applicability and context;
- Adopt behaviours that comply with good practices and standards, contributing to the information protection and risk mitigation.
Any deliberate breach of this Policy or other associated documents will subject offenders to disciplinary or contractual measures, which may include:
- Termination of contract;
- Reporting to the police or judicial authorities in cases of evidence of criminal offences.
This commitment reinforces Statistics Portugal’s information security culture, promoting a secure environment in line with legal and regulatory requirements.
Value of Information
Information is a critical asset for Statistics Portugal and may take various forms, such as physical documents, electronic records or communications transmitted through digital means. Regardless of the medium, use or format, it is essential to ensure the adequate protection of the information based on its relevance and value.
The availability of the information and the technological infrastructures that support it is vital for the efficient functioning of Statistics Portugal, and security in the processing and transmission of data is fundamental to the process of producing official statistics.
Incidents such as service disruptions, information leaks, or unauthorised modifications can compromise the trust of citizens and businesses and breach legal and contractual obligations. It is, therefore, the responsibility of all stakeholders to actively collaborate in protecting information.
Furthermore, EUROSTAT depends on the correct and expected functioning of the information and communication systems of the Statistical Authorities of the Member States. Such collaboration is only possible through the continuous identification of risks associated with the assets managed by Statistics Portugal and the implementation of effective controls to ensure their secure and controlled use.
Importance of Information Security
The data managed by Statistics Portugal, together with the processes, systems, applications and networks that support them, are fundamental assets for society.
Protecting the confidentiality, integrity, and availability of information is crucial to maintaining credibility and trust in the services provided by the institution.
Information security must be ensured at all stages of the data lifecycle, from insertion/collection to processing, storage, transmission, search and eventual destruction. Controlling security in these operations is just as critical as the functionality of the systems that support them.
To mitigate the associated risks, Statistics Portugal is committed to maintaining a high and balanced level of quality and security, preventing vulnerabilities and incidents that could compromise the organisation.
As threats to information security are constantly evolving, it is necessary to constantly adapt protective measures, bringing them into line with technological advances and legislative or regulatory changes. These measures must be:
- Technically effective;
- Economically feasible;
- Not detrimental to the productivity and efficiency of Statistics Portugal.
Guidelines for Information Security Management
People Management
The Information Security Policy applies to all users of Statistics Portugal and must be implemented across all organisational units. Specific responsibilities must be defined for critical functions, ensuring everyone's involvement and collaboration in protecting information.
Risk Management
All systems, existing or planned, must ensure a level of information security that is proportional to the risks identified and assumed by Statistics Portugal.
Definition of Responsibilities
Statistics Portugal is responsible for the quality, access control, use and protection of the information stored in its systems. The organisation is responsible for:
- Defining policies and procedures that ensure adequate levels of information security;
- Monitoring their implementation and effectiveness.
Information Security Policies
Detailed information security policies must be established and maintained, applicable to all systems, regardless of their environment or infrastructure.
Information Security Procedures
Procedures must be clear and detailed, specifying:
- What to do and how to do it to achieve the desired levels of information security;
- The degree of human involvement required for system maintenance.
Traceability of Information Systems
Operations carried out on information systems must be thoroughly documented, making it possible to identify, at any time, who carried out an action, when it was done and what was done.
Monitoring of Controls
The effectiveness of the controls implemented to mitigate risks depends on continuous monitoring. This includes:
- Assessing whether the controls are aligned with organisational objectives;
- Defining immediate corrective actions in the event of failure or non-operationalisation of controls.
Information Security Management Model
The Information Security Management (ISM) model of Statistics Portugal is based on three fundamental pillars, known as the principles of confidentiality, integrity and availability of information:
- Confidentiality: Ensuring that information is accessible only to authorised users and duly accredited external entities, in accordance with the organisation’s needs;
- Integrity: Ensuring the accuracy and reliability of information by protecting it against unauthorised modifications and ensuring that processing methods are correct and consistent;
- Availability: Ensuring that information is accessible to authorised users whenever needed, avoiding disruptions that may impact the organisation’s operations.
All the information security mechanisms implemented at Statistics Portugal are aimed at protecting the confidentiality, integrity and availability of information. These mechanisms are governed by a normative framework composed of:
- Detailed information security policies;
- Specific processes and procedures to ensure compliance and protection of information;
- Other policies and procedures integrated into the Integrated Management System (IMS).
This model is structured to ensure an effective and continuous approach to information security management throughout the organisation, and is organised as follows:

The detailed Information Security Management (ISM) policies and procedures of Statistics Portugal are structured in accordance with the requirements of ISO/IEC 27001:2022 and cover the following areas:
Detailed Information Security Policies
1. Access Control
2. Statistical Confidentiality (public)
3. Information Confidentiality Classification
4. Physical and Environmental Security
5. Backups
6. Information Transfer
7. Malware Protection
8. Web Filtering
9. Zero Trust
10. Cryptographic Control
11. Communications Security
12. Privacy and Personal Data Protection (public)
13. Security in Software Development
14. Software Management
15. Modification and Configuration Management
16. Supplier Management
17. Management and Security of Removable Data Devices
18. Use of Removable Data Devices
19. Clear Desk and Screen
20. Management of Mobile Devices and Remote Working
21. Information Security Management in Projects
22. Acceptable Use of Communication and Collaboration Platforms
23. Legal and Regulatory Compliance
24. Information Security Awareness and Training
Procedures
25. User Management
26. Reviewing and testing passwords
27. Access via VPN
28. Security Incident Management
29. Change Control
30. Risk Management
31. Capacity Management
32. Business Continuity Management
33. Non-Compliances and Corrective Actions
34. Document Management
35. Internal Audits
36. ESS MDE and CDE Operations
37. Management Review
38. Secure Disposal and Reuse of Data Carriers and Equipment
39. Monitoring
These policies and procedures are defined and implemented to ensure that information security controls comply with the requirements of ISO/IEC 27001:2022, ensuring that all information assets of Statistics Portugal are protected against threats and vulnerabilities, and that business continuity is maintained with the highest level of security.
Organisation of Information Security
The organisation of information security at Statistics Portugal aims to establish, implement, maintain, and continuously improve the Information Security Management (ISM), in accordance with the organisation’s needs. This process includes defining clear requirements for assessing and dealing with risks related to information security.
Information Security Management Structure
The management of ISM is supported by a clearly defined organisational structure, composed of the following elements:
- Board of Directors - Responsible for supervising, controlling, and evaluating the implementation of ISM, ensuring alignment with Statistics Portugal’s strategic objectives.
- Information Security Officer (ISO) - Responsible for the operational management of ISM, including the development, implementation and continuous monitoring of information security policies and controls.
- Quality Management Officer - Manages the Integrated Management System (IMS), ensuring the effective integration of information security with quality processes and other management systems.
- Data Protection Officer (DPO) - Actively participates in the development and management of ISM, with a special focus on the Privacy Policy and the Protection of Personal Data, ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable regulations.
- Information Security Team - Part of the Technological Infrastructure and Information Security Service of the Department of Methodology and Information Systems. Responsible for implementing, monitoring and continuously improving information security mechanisms.
- Heads of Organisational Units and Employees - Collaborate as facilitators across all organisational units of Statistics Portugal, ensuring the implementation of information security policies and compliance with established standards and procedures.
Maintenance and Communication of Information Security Policies and Procedures
Information security policies and procedures must be properly communicated to all relevant stakeholders, in accordance with their responsibilities and areas of application. The organisation must ensure clear and effective communication, guaranteeing that all parties understand their individual obligations regarding information security.
To ensure their effectiveness, information security policies and procedures are regularly reviewed and updated to ensure that they remain relevant, appropriate and aligned with:
- Organisational requirements;
- The evolution of information security threats;
- Changes in legal and regulatory requirements.
The Information Security Management (ISM) is regularly assessed through both internal and external audits, carried out by:
1. Independent auditing entities, within the scope of the ESS IT Security Framework, covering international trade statistics processes, including:
- MDE (Micro-Data Exchange Intra-EU);
- CDE (Customs Data Exchange Extra-EU).
2. ISO/IEC 27006-accredited entities, which certify Statistics Portugal’s ISM, ensuring compliance with the NP ISO/IEC 27001:2022 standard in the context of international statistics processes (both intra- and extra-EU).
This continuous process of communication, review and auditing ensures that Statistics Portugal’s Information Security Management (ISM) maintains high standards of information security, protecting critical assets and fostering stakeholder trust.
1) Stakeholders refer to all parties (e.g., citizens, businesses, public and private entities) that in some way affect or are affected by the organisation.
2) European Statistical System
Statistics Portugal's Information Security Policy, last updated: 2025/02/21