
In line with our policies, we adopted the Comprehensive Risk Management model of our parent company, which provides a focus for continuous improvement and effective risk management in a systematic and transversal manner for TGI. Based on the ISO 31000:2018 standard, this model establishes the reference frameworks to identify and assess the risks related to the activities of our business and to be able to implement the necessary actions to mitigate them.
We have an Information Security Model
This Information Security Model (MSPI) seeks to protect the Confidentiality, Integrity and Availability of information assets for its Administrative Headquarters, located at Carrera 9 No. 73-44 in Bogotá, and all other headquarters nationwide. It has the support of Senior Management to guarantee the necessary resources for the continuous improvement of the model, and to demand compliance with the guidelines, policies and other security directives that are defined, which must be known, understood and accepted by all interested parties of the Information Security and Privacy Model (MSPI).
As a fundamental part of the Information Security and Privacy Model (MSPI), there is an internal regulation that provides TGI S.A. ESP with the guidelines and guidance regarding information security and the proper use of information assets, seeking to preserve the confidentiality, integrity, availability and privacy of information.
For any anomalous event that may occur, TGI S.A. ESP has its management of information security incidents duly documented and communicated across the organization for awareness.
M-ADI-006 Modelo de Seguridad y Privacidad de la Información (MSPI).pdf
At TGI, we have a robust system in place to monitor and control our information systems and cybersecurity management. We conduct internal audits at least once a year, following a risk-based approach aligned with international best practices such as the ISO/IEC 27001 and NIST standards. These assessments cover key areas including access control, data protection, incident management, and network security. Findings are reported to the technology committee and addressed through corrective action plans.
In addition, we undergo at least one external audit per year conducted by Grupo Energía Bogotá, as part of the group-wide cybersecurity management system assessments. Our statutory auditor also performs periodic reviews that include the verification of IT controls, and additional audits may be conducted based on emerging risks or regulatory requirements. Both internal and external audits are carried out in accordance with recognized standards such as ISO/IEC 27001, NIST and frameworks such as COBIT.
We have also established internal procedures that enable our employees to report and escalate any incidents or suspicious activities detected in our information systems, thereby strengthening our ability to respond effectively to potential threats.
Information Security and Cybersecurity Training: Commitment to Organizational Awareness
As part of the institutional commitment to information protection and in compliance with the guidelines on information security training and awareness, the company has established a School of Information Security and Cybersecurity, as part of its training strategy and endorsed by the Human Talent area. The main purpose of this school is to implement a comprehensive training and awareness program aimed at strengthening the culture of information security and cybersecurity at all levels of TGI S.A.ESP.
Throughout the year, various activities are carried out to promote employees’ knowledge and responsibility regarding the protection of information assets, both in physical and digital environments. These activities include training sessions, interactive modules, educational videos, and simulated attacks such as phishing and ransomware, among other training resources.
This program not only aims to ensure regulatory compliance but also seeks to raise awareness of the risks associated with the use of emerging technologies and the constant evolution of threats. Through knowledge and active participation, employees are expected to understand the importance of their role in protecting the confidentiality, integrity, and availability of TGI S.A.ESP's information.
Below are some statistics that demonstrate the program’s reach and the level of employee participation during 2024.
Training statistics.pdf