Version: 3.0
Valid until: 2025-03-26
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated the link for the Record of Processing Activities under 10.1.1 and Administrations. | 2024-03-26 |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the cryptography policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and whenever significant changes occur.
The objectives of this control are:
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information (A.10.1).
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
Data on myDRE is encrypted at rest and in transit. The certificate of mydre.org is auto-renewed, and monitoring is in place to verify this in a timely manner. By default, a Virtual Machine's Operating System (OS) and data disks are encrypted at rest using platform-managed keys (PMKs). Local Support Team members can verify the encryption of VMs and data by assessing the recommendations of the Azure Security Score.
An overview of encryption and certificates per asset used by anDREa can be found in the Record of Processing Activities. The status of the certificates of the SaaS applications used by anDREa is periodically monitored, and the results are registered in a ticket.
Record of Processing Activities (authorised personnel only)
Ticket for reviewing status of certificates (authorised personnel only)