Version: 3.0
Valid until: 2025-04-10
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Changed CTO to CEO to reflect the current organisational structure. Updated links under Administrations. |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system (ISMS) in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the technical audits policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and whenever a significant change occurs.
The objective of this control is:
To minimise the impact of audit activities on operational systems (A.12.7).
The scope of this document corresponds to the scope of the ISMS as defined under Clause 4, Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
The CEO decides, in consultation with the Product Owner, the appointed developers and the Security Officer, which type of technical audit has to be carried out, based on:
The importance of information, in combination with relevant risks.
Incident reports requiring a technical audit.
Requirements made by clients.
If a technical audit procedure needs to be carried out, the CEO and the Security Officer must ensure that the following criteria are addressed:
Before the audit:
Establish the way in which the confidentiality, integrity, availability and auditability (CIA-A) of the information are guaranteed.
The scope is clearly defined.
A test plan is present.
During the audit:
If the CIA-A of information is compromised during the audit, this must be reported as an incident.
After the audit:
The CEO registers, based on information provided by the Security Officer:
Whether the CIA-A of information was compromised.
Suggestions for improvement in future audits, if it was.
If not included in the report, the Security Officer draws up a management summary reflecting on the findings.
Findings are discussed with management and relevant stakeholders during the ISMB meeting. The severity of the findings is reassessed and product backlog items (PBIs) are created accordingly.
The management summary is published publicly on anDREa’s Knowledge Base.
Technical audit plans (authorised personnel only).
Agreements with pentesters/technical auditors (authorised personnel only).
Pentest reports (authorised personnel only).