ES

Global Management System

Global Integrated Management System

Cellnex has developed a Global Integrated Management System (Global IMS) that integrates Quality, Environment, and Health and Safety. In addition, Cellnex also has a Global Information Security Management System (Global ISMS), which has been incorporated into the Global IMS. This incorporation takes advantage of the common structure of ISO management systems, which facilitates integration among standards. Global IMS is based on processes and risk-based thinking.

In 2023, Cellnex worked on planning the implementation of the energy management system in several countries for subsequent certification.

The Global Integrated Management System serves as a framework for adopting a systematic approach to process implementation and obtaining ISO standard certifications. It establishes procedures to ensure the quality of the services provided, ensuring that business is conducted in accordance with the requirements set out in the reference standards on quality, environment, health and safety at work, and information security, as well as with any current legislation.

In this way, the Global IMS enables new business opportunities, facilitates the implementation of the Cellnex Industrial Model, and enables continuous improvement and stakeholder engagement. It is currently implemented and certified in seven Cellnex business units and at the corporate level. More specifically, the geographical scope of the Global IMS currently includes France, Ireland, Portugal, Switzerland, the Netherlands, the United Kingdom, and Poland and, as of 2023, new companies in France and the United Kingdom.

Moreover, Italy and Spain also have certified management systems which, owing to their maturity, they run locally. The incorporation of these local certifications from Spain and Italy into the Global IMS is planned for the coming years.

The Global Information Security Management System was the first system to be certified globally at Cellnex in 2019, and since then the company has been working to encompass all of the business units within the system’s scope. Cellnex currently has 11 certified countries, plus the corporate level: Spain, Italy, Switzerland, the Netherlands, France, United Kingdom, Ireland, Portugal, Austria, Denmark, and Sweden.

"ISO 9001 Quality Management is the framework of the Global Integrated Management System. Implementing and maintaining Quality is a strategic decision that will help us to improve our performance as a company and is a solid basis for the development of sustainable initiatives."

Brunela Nardi
Senior EHS-Q Project Manager - Cellnex Corporate

Quality and certifications

Quality

Cellnex Group has a Global Quality Policy, with the basic principle of providing high availability and high-quality services as a neutral operator of wireless telecommunications infrastructures. Accordingly, the Board of Directors has established the Quality and Certifications strategy and is committed to the application of best practices in the countries in which the Company operates, based on international reference standards.

Quality enhances Cellnex's brand and reputation, protects it against risks, increases its efficiency, boosts its profits, and enables the company to continue consolidating its reputation and positioning in a strong and sustainable way – all the while maintaining a focus on customer experience and opinions and suggestions of Cellnex's stakeholders. This is all made possible through the Quality Management System, which leads, deploys and integrates the rest of Cellnex's existing systems by unifying the common requirements of the following aspects:

  • Environment
  • Health & Safety
  • Information Security
  • Energy
  • Service Management

Cellnex's quality objectives aim to instil a culture of quality by embedding Cellnex values, raising awareness, and providing training at every level

Through Quality, Cellnex contributes to its sustainable development and is consistent with the Company's purpose, values, objectives and strategy.

Cellnex's quality objectives aim to instil a culture of quality by embedding Cellnex values, raising awareness, and providing training at every level. The primary goals are to attain the utmost levels of quality and customer commitment, enhance stakeholder perception through product and service innovation and improvement, ensure quality across the value and supply chains, and foster a culture of ongoing enhancement by implementing methodologies and procedures to manage emerging improvement opportunities effectively. Additionally, Cellnex prioritises exemplary practices by aligning its activities with the Sustainable Development Goals. Operating within this framework, Cellnex focuses on meeting stakeholder needs and expectations, delivering high-quality services, satisfying customers, and continually refining its services and management through the Plan-Do-Check-Act model.

In accordance with the Global Quality Policy, Cellnex devised a two-year Quality Master Plan in 2021 (2021-2022) applicable to the whole company. During 2023, deadlines for certain actions were extended.

Certifications

Implementing a Global IMS that encompasses all Cellnex's business units makes the maintenance and renewal of certifications more efficient because it involves a single certification process. Additionally, it takes advantage of synergies and eliminates redundancies. Accordingly, the Quality Department has focused its work on implementing global certifications in non-certified countries. To do so, Cellnex has a Certification Catalogue that is used as a tool that indicates the exact certification status of all business units and their expiration year.

During 2023, the Quality and Certifications Department worked jointly with the business units on the maintenance of the certifications of the countries included within the scope of the Global Integrated Management System, which as already mentioned are: France, Ireland, Portugal, Switzerland, the Netherlands, United Kingdom, Poland and Corporate. In addition, new companies have been included in the scope in France and the UK.

In addition to global certifications, Cellnex is certified locally under other international standards such as energy efficiency (ISO 50001), service management (ISO 20000-1), National Security Scheme for the Smart Brain service in Spain, and SA 8000 Social Accountability, Gender Equality, and EASI Sustainability Governance in Italy.

Standard

Expiry date

ISO 9001 Quality Management System

     

2025

2025

2027

2025

2025

2025

2025

2025

2025

2025

     

ISO 14001 Environmental Management System

     

2025

2025

2026

2025

2025

2025

2025

2025

2025

2025

     

ISO 45001 Occupational Health & Safety Management System

     

2025

2025

2025

2025

2025

2025

2025

2025

2025

2025

     

ISO 27001 Information Security Management System

2026

2026

2026

2026

2026

2026

2026

2026

2026

 

2026

2026

2026

ISO 14064 Carbon Footprint (*)

ISO 14046 Water Footprint (*)

SA 8000 Social Accountability

                       
   

2024

                   

UNI/PdR 125:2022 Gender equality

                       
   

2025

                   

Modello EASI

                       
   

2026

                   

ISO 50001 Energy

                       
 

2026

                     

ISO 20000-1 Service Management

                       
 

2024

                     

National Security Scheme

                       
 

2026

                     

(*) No expiry date for ISO 14064 and ISO 14046, since both are verified annually.

“Achieving certification on the ISO27001 Management System was very important for Portugal, since we wanted to reassure our clients and landlords that we follow the best practices in Information Security, Cybersecurity and Privacy Protection.”

Ruí Castro

Country Head of Engineering - Cellnex Portugal

In 2023, Cellnex has deployed the initiatives foreseen in the Global Security Master Plan for Cybersecurity and Physical Security which identified the main security risks for the period 2022 - 2025.

Information security

In 2019, Cellnex reviewed and approved a new global Information Security Policy, which aims to establish the guidelines and lines of action in Information Security that govern the way in which Cellnex Group manages and protects its information and services, as well as its communication to stakeholders and implementation in all companies and functional areas of the Group.

The basic principle of the policy is that information is a very important asset for Cellnex, and it is necessary to guarantee the confidentiality, integrity, and availability of information in accordance with recognised standards of Information Security management in the provision of services as a Telecommunications infrastructure operator to Operators, Broadcasters, Public Administrations, and Corporations. Therefore, steps are taken to identify and protect Information assets from unauthorised access, modification, communication, or destruction, whether intentional or accidental, ensuring that they are used only for purposes approved by Management.

Moreover, continuous improvement is pursued within the framework of a Management System, which Management undertakes to lead in accordance with the ISO 27001 standard, and which applies to all the Group’s Business Units. All of this is based on people management, process management and continuous improvement; guaranteeing its effectiveness and efficiency. In 2023, the scope of ISO 27001 certification has been maintained for the following Cellnex business units: Spain, Portugal, Italy, France, Switzerland, Ireland, United Kingdom, Netherlands, Austria, Denmark, Sweden, and at corporate level. 

The Global Security Master Plan for Cybersecurity and Physical Security, which covers the period 2022-2025, was designed to identify and manage the main security risks at Cellnex. In 2023, the security initiatives outlined in this plan were carried out successfully. Some of the key initiatives that enhanced Cellnex's security posture in 2023 were:

  • New platforms for better access control of privileged users.
  • Forensic analysis tools to quickly locate entry points in case of an attack.
  • Advanced protection measures in the OT network that serves the customers.
  • Automation of incident response processes when security incidents are detected.
  • Improvement of cyber crisis management procedures with technical and process drills.

The Cyber Crisis Management Plan has been revised in line with the Cellnex Group's Global Crisis Management Plan.The Global Crisis Management Plan outlines a five-phase approach to crisis management, encompassing Alert, Impact Evaluation, Declaration of crisis situation, Crisis situation management and monitoring, and Declaration of the end of the Crisis and return to normality.

In Cellnex, a distinction is made between local and global crises: local crises entail critical effects on a specific Business Unit, while global crises involve highly critical impacts on a business unit or critical impacts on more than one business unit. All cyber crises are considered global in scope owing to their ability to spread rapidly across geographies. Furthermore, the three identified disaster scenarios have been reviewed: ransomware, data breach, and denial of service, each accompanied by a Disaster Recovery Plan (DRP).

In terms of Cybersecurity Governance, it is noteworthy that regular updates on the top risks, including cybersecurity breaches, are communicated to the Board of Directors at least twice a year. Furthermore, dedicated Board sessions are conducted to enhance awareness and monitor progress related to the Cybersecurity Master Plan.

During 2023, no data breaches or incidents involving theft or loss of information or affecting the business were detected in any of Cellnex's business units.

Automation of security processes

Cellnex is committed to the automation of security processes, for example through the development of tools that allow the automatic execution of actions when certain events are detected to block sophisticated attacks suffered. This has made it possible to gain detection, prevention, and protection capacity, thereby increasing response capacity and therefore the level of security and mitigating the associated risks. The security incidents detected and blocked have increased in complexity owing to the evolution of increasingly targeted attacks.

Awareness

During 2023, several awareness-raising and training campaigns were carried out for employees on information security. Here are some specific examples:

  • Four awareness campaigns using "Phishing" simulations (where an attacker sends a fraudulent message designed to trick an employee into revealing confidential information or to implement malicious software in the victim's infrastructure).
  • Campaigns in which all Cellnex users must explicitly agree to the security policies.

In addition, information security advice has been provided and alerts have been given on virus and phishing campaigns aimed at Cellnex staff. This has contributed to a 9% drop in the rate of phishing campaigns from the first campaign in 2023 to the latest one this year, despite the increased sophistication of the attacks. In addition, the same campaign launched in July 2021 was conducted during 2023, and all countries have seen a decrease in the failure rate of 11% overall (from 16% in 2021 to 5% in 2023).

Before starting...

We use our own and third-party cookies for analytical purposes and to show you personalized advertising based on a profile prepared from your browsing habits (for example, pages visited). Click HERE for more information. You can accept all cookies by pressing the "Accept" button or configure or reject their use by pressing the "Configure" button.

ACCEPT AND CONTINUE Configure cookies