Information Security Policy

Version: 1
Revision Date: 25/11/2025
Owner: CEO
SOR: CISO

Change history

Version  Date        Change           Editor
1        25/11/2025  Initial version  CPAD

Objective and purpose

The objective of FACIL’s Information Security Policy is to establish a robust framework for safeguarding FACIL’s information assets—whether digital, physical, or intellectual—and to protect their confidentiality, integrity, and availability. This supports FACIL’s overarching purpose: “Fastening Future Mobility”.

The purpose of this policy is to:

  • Demonstrate FACIL’s commitment to information security as an integral part of enabling sustainable and digitally-driven mobility.
  • Align information security objectives with FACIL’s business strategy and goals, supporting operational excellence, customer satisfaction, and supply-chain resilience.
  • Provide direction for the development, implementation, maintenance and continual improvement of the Information Security Management System (ISMS).
  • Ensure that legal, regulatory and contractual information security requirements — including those applicable to the automotive industry — are addressed.
  • Foster a culture of security awareness, responsibility and accountability across FACIL’s global locations, employees, contractors and external partners.

By implementing this policy, FACIL aims to manage information-security-related risks, maintain the satisfaction of customers and partners, and ensure business continuity in a fast-moving automotive environment.

Scope of application and responsibility

This Information Security Policy applies to all FACIL entities and locations worldwide, including offices and operational warehouses. It covers all activities, processes and systems involved in the delivery of fastener products and related services to the automotive industry.

The policy applies to:

  • All employees, temporary staff and contractors working under the direction of FACIL;
  • All external partners, suppliers and service providers who have access to FACIL information or IT systems;
  • All forms of information, whether electronic, printed, verbal or physical;
  • All IT assets and communication systems, including servers, networks, cloud services, mobile devices and removable media.

This policy also extends to the handling of customer and supplier data processed or stored within FACIL’s systems or facilities.

ISMS Scope Statement

The Information Security Management System (ISMS) of FACIL covers all processes, systems and personnel involved in the delivery of fastener products and related services to the automotive industry.

It applies to all FACIL locations, employees, contractors and IT systems that process or store company, customer or partner information. External service providers and partners handling FACIL data are also included within the ISMS through contractual and security requirements.

Information Security Objectives

FACIL’s primary information security objectives are to:

  • Protect Confidentiality – Prevent unauthorized access to sensitive information belonging to FACIL, its customers and partners.
  • Ensure Integrity – Safeguard the accuracy, completeness and consistency of information and data throughout their lifecycle.
  • Maintain Availability – Ensure that critical business processes, systems and data remain accessible to authorized users when required.
  • Comply with Requirements – Fulfil all relevant legal, regulatory and contractual obligations, including VDA ISA (TISAX®) and GDPR requirements.
  • Protect Personal Data – Ensure that personal data is processed lawfully, securely and transparently, respecting privacy rights and complying with applicable data protection laws worldwide. Access is restricted to authorized personnel, and all employees are responsible for handling data with care and confidentiality. Any suspected data breaches must be reported immediately and will be managed in accordance with applicable legal requirements.
  • Increase Awareness – Promote a culture where all employees understand their role in maintaining information security.
  • Continually Improve – Monitor performance and enhance the effectiveness of the Information Security Management System (ISMS) through audits, reviews and corrective actions.

Significance within the Organization

Information security is integrated into FACIL’s overall management and risk framework and is considered a shared responsibility across all levels of the organization.

By ensuring secure handling of information, FACIL aims to:

  • Protect the confidentiality of customer and supplier data;
  • Enable reliable and efficient collaboration within the automotive supply chain;
  • Support the company’s purpose “Fastening Future Mobility” through secure digital transformation;
  • Strengthen stakeholder confidence and compliance with industry expectations.

The FACIL Executive Committee (ExCo) endorses this policy and provides the necessary resources to achieve its objectives. Every employee and business partner is expected to actively support and uphold these principles in their daily work.

Responsibilities

  • The FACIL Executive Committee (ExCo) bears overall responsibility for the establishment, approval and continual improvement of the Information Security Management System (ISMS) and this policy.
  • The Chief Information Security Officer (CISO) is responsible for coordinating all ISMS activities, maintaining the information security framework, conducting risk assessments and ensuring compliance with the VDA ISA (TISAX®) requirements.
  • Local Information Security Officers (LISOs) are responsible for implementing and monitoring ISMS measures at their respective sites, ensuring that local processes conform to this policy.
  • The Technical Information Security Officer (TISO) is responsible for implementing the technical components of the Information Security Management System (ISMS) at the regional level.
  • Department Heads and Process Owners must integrate information security controls into their operational processes and ensure that employees follow the applicable procedures.
  • All Employees and Contractors are required to comply with this policy, participate in information security awareness programs and report any security incidents or suspected breaches immediately.
  • External Partners and Suppliers are contractually required to adhere to FACIL’s information security expectations and protect any shared or processed data in accordance with this policy.

The specific assignments for each role and further responsibilities can be found here.

Exception

Exceptions to this Policy must be submitted in writing to the document owner for authorisation and require the document owner's approval.

Consequences of non-compliance

All known instances of non-compliance with this policy must be reported to the CISO, who will review and assess each case. If a sanction is deemed necessary, the CISO will inform the Human Capital team. Violations of this policy may result in the immediate suspension or revocation of system or network privileges and/or disciplinary action in accordance with company procedures, up to and including termination of employment.

Evaluation and review

This Policy is reviewed at regular intervals by the document owner and adapted if necessary.

CEO
Luc De Munck