A.6 Organisation of information security

Version: 3.0

Valid until: 2025-03-26

Classification: Low

Version Management

Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-05-23
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed this document to A.6 Organisation of information security from B01 Information security policy. | 2022-12-13
2.0 | Edward Robinson | Additions/changes as part of the annual review. Per recommendation of the internal auditor the link to anDREa's Roles and Responsibilities Matrix including toxic combinations was added. In addition, more special interest groups were added. | 2023-05-15
2.1 | Stefan van Aalst | Updated the link of the responsibility matrix. |
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated link to the responsibility matrix under A.6.1.2 as it did not match the one under A.6.1.1. |

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.


The purpose of this document is to describe the organisation of information security.


This document will be updated at least annually and when significant change happens.

Objective


The objective of this control is:


  • To establish a management framework to initiate and control the implementation and operation of information security within the organisation (A.6.1).

  • To ensure the security of teleworking and the use of mobile devices (A.6.2).

Scope

The scope of this document is described in Clause 4 Context of the organisation.


Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.6.1 Internal organisation

A.6.1.1 Information security roles and responsibilities


“All information security responsibilities shall be defined and allocated.”


The (security) roles and responsibilities are described in Definition of (security) roles and responsibilities and anDREa's Roles and Responsibilities Matrix.

A.6.1.2 Segregation of duties


“Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.”


The (security) roles and responsibilities are described in Definition of (security) roles and responsibilities so as to segregate duties as much as possible. Toxic combinations are documented in anDREa's Roles and Responsibilities Matrix. In addition, anDREa contracted an external party to execute the internal audits.

A.6.1.3 Contact with authorities


“Appropriate contacts with relevant authorities shall be maintained.”


anDREa will maintain appropriate contact with the Autoriteit Persoonsgegevens in case of a data breach.

A.6.1.4 Contact with special interest groups


“Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.”


anDREa maintains appropriate contacts with:
  • Microsoft.

  • Subscription to the Nationaal Cyber Security Centrum (NCSC) RSS feeds.

  • User reports.

  • Following websites like bleepingcomputer.com.

  • A51 security newsletter.

  • Security Officers of our customers.


A.6.1.5 Information security in project management


“Information security shall be addressed in project management, regardless of the type of project.”


anDREa addresses information security according to the procedures described in A.14.2.1 Secure development policy and A.14.2.5 Secure system engineering principles.

A.6.2 Mobile devices and teleworking


Mobile devices and teleworking are described in A.6.2 Mobile devices and teleworking.
