Valid until: 2025-04-10
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated broken links for the customer directory, employee contracts, commercial license agreements, internal and external audits (mostly under Administrations). |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the compliance policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and when significant change happens.
The objectives of this control are:
To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements (A.18.1).
To ensure that information security is implemented and operated in accordance with the organisational policies and procedures (A.18.2).
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
In addition, anDREa has signed contracts and a service level agreement with its customers. The service level agreement is publicly accessible on anDREa's Knowledge Base, and the availability figures are updated periodically (at least monthly). It is the responsibility of the Business Manager to ensure that customer agreements are adhered to. anDREa maintains a directory of customers, including the contracts and work agreements.
If anDREa discovers that it has overlooked or was unaware of a relevant obligation, this is reported as an information security incident. Information security incidents are reported and registered according to the guidelines described in A.16 Information security incident management.
Internal audit carried out by an independent third party, as described in Clause 9 Performance evaluation.
External audit carried out by an independent certifying body.
Overview of suppliers (authorised personnel only)
Employee contracts (authorised personnel only)
Commercial licence agreements (authorised personnel only)
Record of processing activities (authorised personnel only)
Internal audit reports (authorised personnel only)
External audit reports (authorised personnel only)