A.18 Compliance

Version: 3.0

Valid until: 2025-04-10

Classification: Low

Version Management

Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Theo Koster, Edward Robinson | Initiation document. | 2022-05-20
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.18 Compliance from B08 Compliance to agreements and regulations. | 2022-12-21
2.0 | Edward Robinson | Additions/changes as part of the annual review. Substituted A.18a Legislation for the Legislation-Controls Matrix. Added employee contract template. Replaced link for Clients directory. | 2023-05-19
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated broken links for the customer directory, employee contracts, commercial licence agreements, internal and external audits (mostly under Administrations). |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the compliance policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objectives of this control are:


  • To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements (A.18.1).

  • To ensure that information security is implemented and operated in accordance with the organisational policies and procedures (A.18.2).

Scope


The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.18.1 Compliance with legal and contractual requirements

A.18.1.1 Identification of applicable legislation and contractual requirements


“All relevant legislative statutory, regulatory, contractual requirements and the organisation’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organisation.”


anDREa maintains a list of the legislation relevant to each control (A.18a Legislation). The Security Officer and the Business Manager stay up to date by periodically reviewing new legislation in the ‘Nieuwe Wetten’ phone application.

In addition, anDREa has signed contracts and a service level agreement with its customers. The service level agreement is publicly accessible on anDREa’s Knowledge Base, and the availability figures it reports are updated periodically (at least monthly). The Business Manager is responsible for ensuring that customer agreements are adhered to. anDREa maintains a customer directory that contains the contracts and work agreements per customer.


If it turns out that anDREa has overlooked, or was not aware of, a relevant obligation, this is reported as an information security incident. Information security incidents are reported and registered according to the guidelines in A.16 Information security incident management.


A.18.1.2 Intellectual property rights


“Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software.”


The relevant intellectual property rights are laid down in the employee contracts (based on the employee contract template) and in the commercial licence agreements.

A.18.1.3 Protection of records


“Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislatory, regulatory, contractual and business requirements.”


anDREa maintains a Record of processing activities which, per information system, also states the retention period and the required security measures. All SaaS applications developed by anDREa that contain records are protected in accordance with Clause 7 Support, A.9 Access control and A.10 Cryptography.

A.18.1.4 Privacy and protection of personally identifiable information


“Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.”


anDREa maintains a Record of processing activities which, per information system, includes at least the following categories: data subject categories, data categories, lawful basis and purpose. The primary legal obligation for anDREa is the GDPR. More information can be found in:


A.18.1.5 Regulation of cryptographic controls


“Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.”


anDREa has defined the use of cryptographic controls in A.10 Cryptography. In addition, the state of those controls, such as the validity period of the certificates per information system, is tracked in a ticket and regularly reviewed by the Security Officer.

A.18.2 Information security reviews

A.18.2.1 Independent review of information security


“The organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.”


anDREa’s ISMS is independently reviewed at planned intervals in two ways:
  • an internal audit carried out by an independent third party, as described in Clause 9 Performance evaluation;

  • an external audit carried out by an independent certifying body.


A.18.2.2 Compliance with security policies and standards


“Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.”


Asset responsibles periodically check who has access to their assets, in accordance with A.8 Asset management and A.9 Access control. In addition, the Security Officer draws up the annual Security Management Report, which assesses compliance across all areas; this report must be signed off with an appropriate management response. The management response is an integral part of the published Security Management Report.

A.18.2.3 Technical compliance review


“Information systems shall be regularly reviewed for compliance with the organisation’s information security policies and standards.”


myDRE is penetration tested annually by an external, independent third party, in accordance with A.12.7.1 Information systems audit controls. The management summaries of the pentests are publicly available on anDREa’s Knowledge Base. Security Officers can request an online screen-sharing session to view the unredacted pentest reports.

Administrations

Related articles on anDREa’s Knowledge Base:

  • Cookie Policies: describes anDREa’s Cookie Policies; updated at least annually and when significant change happens to the relevant areas.

  • GDPR Compliance Assessment (first version 2021-05-16, last updated 2024-03-12): describes anDREa’s compliance with the GDPR.

  • EU Data Protection Code of Conduct for Microsoft Azure.

  • Privacy Shield / Schrems II: background on the EU–US Privacy Shield framework for transatlantic exchanges of personal data and its invalidation.

  • Public Cloud and Compliance: personal observations and insights by Stefan van Aalst on bringing (sensitive) personal data to the cloud.