A.5 Information security policies

Version: 3.0

Valid until: 2025-03-26

Classification: Low

Version Management


| Version | Author(s) | Change(s) | Date approved |
|---------|-----------|-----------|---------------|
| 1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-05-20 |
| 1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed this document to A.5 Information security policies from B01 Information security policy. | 2022-12-13 |
| 2.0 | Edward Robinson | Additions/changes as part of the annual review. Replaced the Statement of Applicability link with the correct one. | 2023-05-15 |
| 3.0 | Edward Robinson | Additions/changes as part of the annual review. No changes have been made. | |

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.


The purpose of this document is to describe the management direction for information security.


This document will be updated at least annually and whenever significant changes occur.

Objective


The objective of this control is:


  • To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations (A.5.1).

Scope


The scope of this document is described in Clause 4 Context of the organisation.

Availability


This document is:

  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.5.1 Management direction for information security

A.5.1.1 Policies for information security


“A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.”


anDREa has defined a set of policies for information security in accordance with the Statement of Applicability. After creating or updating a document (according to Clause 7 Support), the document is reviewed and approved by management. After adoption, the new version of the document is published publicly on anDREa’s Knowledge Base, and it will be communicated to employees and relevant external parties when important changes have been made.

A.5.1.2 Review of the policies for information security


“The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.”


All policies have been registered in anDREa’s ticketing system, with one ticket per policy. Each ticket has a task with a due date and a notification alert for the Security Officer to review the policy. Each policy is reviewed at least annually, when significant changes occur, or when discussions during the Information Security Management Board (ISMB) meetings lead to new insights. After review, a task is generated for management to approve the new version, after which the newest version is published on anDREa’s Knowledge Base.

Administrations

