Security policy

Updated on 17/02/2026

Introduction

Object

This document constitutes the Information System Security Policy (ISSP) of the BODET SA Group. 

Approved by the Chief Executive Officer, the Strategic ISSP defines: 

  • The strategic challenges and objectives in terms of information system security; 
  • The principles of governance of Information System Security (ISS); 
  • The commitments of senior management to ensure the sustainability, effectiveness and continuous improvement of the security system. 

The Strategic ISSP is supplemented by an Operational Information System Security Policy, which covers all thematic requirements relating to the physical, logical, organisational and human security of the information system. 

Distribution criteria

The ISSP document corpus is distributed in a controlled manner according to the need-to-know principle.

  • The Strategic ISSP may be distributed externally in its entirety. It represents BODET Group's commitments relating to ISS. 
  • The Operational ISSP is primarily intended for internal use. Relevant extracts may be communicated to external stakeholders (customers, partners, authorities) concerned by contractual or regulatory requirements. 
  • The associated procedures are distributed internally in a targeted manner. 

Each document explicitly specifies its authorised distribution list. When required for confidentiality reasons, only relevant extracts may be communicated.

Scope of application

The Strategic Information Security Policy applies:

  • To the entire BODET Group Information System, in all its aspects;
  • To all employees, managers, temporary staff and interns;
  • To all service providers, partners and third parties accessing the information system or handling information under the Group's responsibility.

The Information System is defined as all the resources used to create, acquire, process, store, transmit, or destroy information, regardless of display media, technologies, or locations involved. 

Security standards

The BODET Group adopts an approach aligned with the following reference frameworks: 

  • ISO/IEC 27001 (2022) standard; 
  • ANSSI Computer Hygiene Guide (42 measures); 
  • GDPR and the CNIL requirements (French National Commission on Informatics and Liberty);
  • Applicable regulatory and contractual obligations related to its activities (RED2, CRA, NIS2); 
  • Esquema Nacional de Seguridad (ENS).

Definitions

  • Authenticity: property or characteristic whereby an entity is what it claims to be or guarantees the source of the data. 
  • Collaborator: any person contributing to the Group's activities and accessing the IS (employee, student/intern, temporary worker, etc.). 
  • Confidentiality: Ensures that information is accessible only to those who have a legitimate need to know within the scope of their activities.
  • Regulatory compliance: Property that ensures that information is managed in accordance with the ethical, professional and legal principles established by the regulations applicable in each context. 
  • Availability: Ensures that data is accessible and usable by entities when needed and with the desired performance. 
  • Information: Any data belonging to the Group or entrusted by a customer, regardless of its format (paper, digital, oral). 
  • Integrity: Ensures that the data handled is accurate and consistent, both at input and output, but also that this data does not undergo any unwanted changes during processing or storage. 
  • Software: any programme or executable file involved in information processing (operating system, monitoring software, office application, business application, etc.). 
  • Hardware: Any physical equipment supporting the IS (workstations, servers, mobile devices, removable display media, network equipment, etc.). 
  • Information System Security Policy (ISSP): The organisational framework, policies, processes, and controls implemented to manage information security risks. 
  • Network: Any form of interconnection of hardware and software components within the Information System that enables data exchange (dedicated lines, telephone networks, Internet, VPNs, inter-site links). 
  • Site: Any physical location operated or managed by the Group (offices, factories, data centres, etc.). 
  • Information Security Management System (ISMS): The organisational framework, policies, processes, and controls implemented to manage information security risks. 
  • Data Protection Management System (DPMS): A set of organisational measures that a company implements to ensure personal data is handled in accordance with data protection regulations. Based on GDPR requirements, it is an internal guideline that helps ensure data protection compliance and provides evidence of this if required. This management system is primarily intended to prevent breaches, but can also rectify or refute them retrospectively. 
  • Traceability / Auditability: The property that ensures the ability to track and verify events, actions, or changes within the Information System, including the identification of responsible individuals or entities.

Bodet Group's activities take place in an environment impacted by cyber threats.

Cybersecurity context

The digitisation of practices brings many benefits, both for citizens and businesses, by promoting innovation and the development of new economic opportunities. However, it also creates increased dependence on critical infrastructure and an interconnected complexity that exposes society and organisations to increasingly sophisticated cyberattacks.

Cyberspace has become an arena for competition and confrontation, reflecting geopolitical tensions and international rivalries. France, like other countries, faces intense and widespread cyber threats from states, cybercriminals, activists, or combinations of these actors.

These cyberattacks may be motivated by economic, political, military or ideological reasons. They can disrupt the functioning of society, threaten national security and generate significant economic losses, affecting supply chains and the continuity of organisations' activities.

Cyberattacks take many forms, ranging from espionage to sabotage, extortion and subversion. They manifest themselves in particular through the rise in cybercrime and the proliferation of cyber-intrusive tools. Critical infrastructure, including cloud services hosting sensitive data and strategic applications, is particularly vulnerable.

The emergence of disruptive technologies (artificial intelligence, blockchain, quantum computing) amplifies the risks by rendering certain current protections obsolete and complicating the threat landscape.

The Group's activities

The BODET group designs and manufactures software and equipment for its customers. It delivers and installs them at customer sites and provides repairs and hotline support.

The Group therefore handles sensitive information, such as:

  • Research and development data;
  • Industrial production management data;
  • Personal data of third parties (customers, suppliers, etc.);
  • Personal data of its employees.

Such information is essential for the proper functioning of the Group.

Security strategies, challenges and objectives

Strategic priorities

The Bodet Group aims to consolidate its leading position in each of its activities by ensuring customer satisfaction.

In an increasingly interconnected and digitised world, companies are more exposed to cyber threats (ransomware, phishing, website defacement, etc.), and information system security is essential to the Bodet Group in order to guarantee its development.

The Bodet Group is exposed to cyber risks that may affect:

  • The confidentiality, integrity, availability, authenticity, traceability and regulatory compliance of company data and customer information;
  • The operational continuity of its critical activities;
  • Its reputation and position on national/international markets.

Therefore, the Group's success depends on the overall security of its IT system. Cybersecurity is an essential element, implemented through the information security management system (ISMS) and set out in the ISSP, which aims to:

  • Anticipate and reduce cyber risks;
  • Comply with legal, regulatory and contractual obligations;
  • Protect information and digital assets;
  • Ensure business continuity and resilience.

Security challenges

The Bodet Group faces critical security challenges aligned with its strategic objectives:

  • Competitiveness: Ensure the availability and reliability of Information Systems in a global competitive environment.
  • Environment: Support ISO 14001-certified initiatives through reliable and controlled systems.
  • Innovation: Protect R&D activities, trade secrets, and intellectual property.
  • International: Secure data exchanges with subsidiaries, distributors, and partners in over 110 countries.
  • Quality: Integrate cybersecurity as an essential component of product and service quality, particularly in 2026.
  • Responsiveness: Ensure a high level of availability and customer support.

Operational objectives

In response to these challenges, security objectives ensure the confidentiality, integrity, availability, and traceability of data and its processing. In this context, the Bodet Group is committed to:

  • Maintaining the Information System in a secure state 24/7;
  • Protecting the Group’s and its clients’ data;
  • Promoting a shared culture of information security;
  • Ensuring compliance with legal and regulatory requirements;
  • Identifying and managing cyber risks;
  • Ensuring the resilience of the Information System in the event of an incident;
  • Defining a security level when integrating new interconnections into the Information System;
  • Preserving the Group’s overall reputation.

These objectives are further detailed by thematic area in the Operational Security Policy. This policy is based on ISO/IEC 27002:2022, the ANSSI Information Security Hygiene Guide, and recognised best practices in information security.

Information System Security Governance

Executive Management Commitment

Executive Management is aware that the sustainability of the Bodet Group depends on its ability to secure its assets against threats that could impact the organisation’s operations and data.

Management integrates the ISSP into the Group’s overall strategy and provides the necessary resources for the effective operation of the Information Security Management System (ISMS).

A detailed letter of commitment has been signed by Executive Management.

The Cybersecurity Committee

The BODET Group's Cybersecurity Committee is responsible for controlling and coordinating actions relating to information system security, in line with the organisation's strategic priorities. This committee meets at least once a month. Executive Management monitors developments in the ISMS, approves important decisions and acts as the committee's sponsor. 

Specific cybersecurity committees may also be established to address the security of activities and data in sensitive areas or where necessary.

The composition of these committees may vary depending on the areas concerned and the topics addressed. A review of roles and responsibilities is carried out at least every two years.

The main roles associated with the committee are as follows: The Chief Information Security Officer, the Information Manager, the Service Manager and the System Manager.

Key responsibilities

  • Executive Management: Bears ultimate responsibility for IS security, approves the ISSP and allocates the necessary resources. 
  • Information System Security Manager (ISSM, ciso@kelio.com): Defines, manages and monitors the implementation of the ISSP and ISMS. Ensures the organisation's compliance with ISO/IEC 27001 requirements and applicable information system security regulations (NIS2, CRA, etc.).
  • Data Protection Officer (DPO): Defines, manages and monitors the implementation of the DPMS. Ensures the organisation's compliance with the requirements of the General Data Protection Regulation (GDPR) and applicable regulations on the protection of personal data. 
  • IT Director: Implements technical security measures in coordination with the CISO. 
  • Team Managers: Ensure that security rules are applied within their teams. 
  • Employees and service providers: Comply with security rules and report any incidents or anomalies.

The ISSP, the cornerstone of ISMS implementation

Documentation structure

The ISMS aims to ensure that risks related to information security and confidentiality are known, accepted, managed or minimised in a documented, systematic, structured, reproducible and acceptable manner, adapting to changes in risks, environment and technologies. The ISMS documentation is divided into four levels:

  • Strategic Security Policy: This is the reference document that outlines the Group's strategic challenges, governance principles and sets out security fundamentals.
  • Operational Security Policy: These are the security rules that the company has decided to follow, based on best practice security guidelines (ISO/IEC 27001/2, ANSSI hygiene guide, GDPR, etc.).
  • Procedures: These are the technical and organisational implementation methods that the organisation has established.
  • Evidence and indicators: These are the assessment methods used to measure the performance of the ISMS.

Implementation

The information security objectives defined above are translated into security guidelines in the Operational Security Policy. These guidelines must be implemented by all stakeholders in the Information System.

In general, every change to the Information System incorporates security by considering the requirements of the Operational Security Policy in accordance with the security needs expressed in terms of confidentiality, integrity, availability and traceability of data and processing. This is the Security/Privacy by Design approach.

Key principles

Only the CISO has full rights to manage and structure the ISMS. Certain profiles may have limited access, which will be adapted on a case-by-case basis according to the need-to-know principle (e.g. provision of evidence by an administrator, review by a validator, signature by management, etc.).

  • Need-to-know principle: Access to information is strictly limited to individuals who genuinely need to know it in order to perform their duties.
  • Security requirement principle: Each asset is protected according to a level of security proportional to its criticality and importance to the organisation.
  • Principle of least privilege: Each user, process or service has only the permissions strictly necessary for its function, and never more.
  • Principle of relevance of collection: The amount of data collected is limited to the intended purposes. Only data that is strictly useful for processing is retained.
  • Principle of data control: Processing activities are mapped and data is kept up to date. The proliferation of unnecessary personal data is avoided, and obsolete or redundant data is regularly purged.
  • Principle of lawfulness of processing: Data processing must be based on an appropriate legal basis: consent, legal obligation, public interest, contract, vital necessity or legitimate interest.
  • Principle of fair collection: Data must be collected in a transparent and fair manner, without surprising the individuals concerned. The purpose of the collection must be clearly explained and consent reinforced if necessary.
  • Principle of data processing: Information about individuals may only be recorded and used for a specific purpose. Any use not intended at the time of collection is prohibited.
  • Principle of storage limitation: Each processing activity must define an appropriate storage period. This must be based on legal obligations and operational needs, and data stored beyond this period must be purged.

Annual review

The ISSP is reviewed annually by the Bodet Group's Cyber Committee, or earlier in the event of significant changes to the company's information system, and approved by Executive Management. The aim is to verify that it remains aligned with the Group's strategic priorities and challenges.

Continuous improvement

The entire ISMS life cycle is based on the principle of continuous improvement, illustrated by the Deming wheel (PDCA: Plan, Do, Check, Act) below: 

  • PLAN: The Committee establishes the ISSP and its operational implementation, which are validated by Executive Management. It then develops an action plan (ISMS) to organise the implementation of the established rules.
  • DO: The ISSP is applied by all employees, with support from Executive Management, via the IT Manager and their team.
  • CHECK: Compliance with the ISSP rules is regularly monitored through audits and tests. Security indicators (KPIs) are collected and analysed during cyber committee meetings.
  • ACT: Any discrepancies identified are corrected and/or considered when defining a new cycle. A new iteration (PDCA) is then carried out.

Exemptions

Any deviation from the established security rules is considered a security breach. There may be exceptions. Any exception to the security rules requires a formal exemption, approved by the Chief Information Security Officer and senior management. It is reviewed periodically.

Each exemption is recorded in the exemption register with the following fields: ID; Subject; Applicant/Referent; ISSP rules exempted; Mitigation measures; Duration of exemption granted; Validation date; Validator; Expiry date; Status; Closing date.

Penalties

Any breach of the rules defined by the Information Security Policy exposes the employee to disciplinary measures, differentiated according to the seriousness of the offence, as defined in the Rules of procedure.

The topics of Operational Security Policy

The Operational Security Policy follows the chapters of ISO/IEC 27002:2013 for clarity, with requirements updated in 2022. Here are the main chapters:

  • Chapter 5 – Information security governance (ISSP): Governance establishes the framework for managing information security. It defines the policies, guidelines and principles for implementing, controlling and improving information security in line with the organisation's strategy.
  • Chapter 6 – Information security organisation: (Responsibilities, coordination, mobility, remote working). This chapter defines the organisation of security, the distribution of roles and responsibilities, and the integration of security into internal and external relationships. It also covers security related to mobility and remote working.
  • Chapter 7 – Human resources security: It seeks to ensure that employees understand their responsibilities in terms of information security. It protects the organisation's interests throughout the employee lifecycle: before hiring, during employment and after departure.
  • Chapter 8 – Asset Management: This involves identifying, inventorying and classifying the organisation's assets. It allows clear responsibilities to be assigned and ensures that information is protected at a level appropriate to its value, sensitivity and importance.
  • Chapter 9 – Access Control: This chapter aims to control access to systems and information through appropriate authentication and authorisation mechanisms. It strictly regulates the use of privileged access according to the principles of need-to-know and least privilege, and requires the traceability of sensitive actions.
  • Chapter 10 – Cryptography: This chapter ensures the correct and effective use of cryptographic mechanisms to protect the confidentiality, integrity and authenticity of information. It also covers the management of cryptographic keys.
  • Chapter 11 – Physical and Environmental Security: This aims to prevent unauthorised access, damage and business interruptions related to the loss, theft, destruction or compromise of physical assets, premises and critical infrastructure.
  • Chapter 12 – Operational Security: This ensures the reliability and security of information processing systems. It includes protection against malware, vulnerability management, action logging, data backup and prevention of permanent data loss.
  • Chapter 13 – Communication Security: This chapter aims to protect information circulating on internal and external networks. It covers the security of communications, remote access, mobile use and exchanges with external entities.
  • Chapter 14 – System Acquisition, Development and Maintenance: Information security must be integrated into all stages of the system and project lifecycle: design, development, integration, operation, maintenance and end of life.
  • Chapter 15 – Supplier relations: Supplier security aims to ensure that assets accessible to third parties are protected in accordance with the organisation's requirements. It imposes a contractual framework, security requirements and performance monitoring.
  • Chapter 16 – Information Security Incident Management: This ensures a consistent and effective response to security events, whatever their human, technical or environmental origin. A security incident is any situation that could impact the confidentiality, integrity or availability of information. The organisation follows a procedure that considers prevention, detection, response and recovery.
  • Chapter 17 – Business continuity: This aims to ensure that critical assets and essential processes can continue to function in the event of a major disaster, through continuity and recovery plans and degraded operating modes.
  • Chapter 18 – Compliance: Compliance aims to prevent any breach of legal, regulatory, contractual, and normative obligations. It ensures that information security is implemented, controlled, and enforced in accordance with the organisation's commitments and policies.