Version: 3.0
Valid until: 2025-04-12
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Added that A.7.2.3 is mandatory reading and that confirmation/agreement has to be given. Added ticket with confirmations/agreements under Administrations.
anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events, and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.
The purpose of this document is to describe anDREa’s disciplinary procedure.
This document will be reviewed at least annually and whenever a significant change occurs.
The objectives of this control are:
Ensure that employees suspected of violating information security guidelines and rules are treated fairly.
Ensure that employees are well informed about the consequences of violating these guidelines and rules.
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
mandatory reading for all employees and contractors of anDREa; every employee has to confirm that they have read and agree with it.
available to all interested parties as appropriate.
Initiation:
Firstly, the Security Officer will address employees personally (verbally and by e-mail or ticket) when it appears that the information security rules have been violated. If the Security Officer notices that an employee, intentionally or unintentionally, does not show any improvement in their behaviour, the Security Officer may advise Management to proceed with the procedure detailed below. The procedure can also be initiated in the event of a very serious offence, or of negligence with serious consequences for (information) security.
Procedure:
The disciplinary procedure consists of the following steps:
Step 1: collecting evidence
The Security Officer will ensure that evidence of the violation is collected and registered. Where necessary, this can be done in cooperation with the asset responsibles or any other employee who possesses evidence of the violation. Examples of evidence include, but are not limited to:
Laptops and phones of the employee
Log files
Snapshots of applications
Witnesses
Incident reports
Management will decide whether, in the interest of the investigation, it is necessary to suspend the employee(s) concerned until the investigation has been completed.
Step 2: interview with the employee(s)
An interview is scheduled with the employee(s) concerned, together with the relevant asset responsibles, the Security Officer and, where appropriate, Management. During this interview the situation is presented and how it could have arisen is discussed. The evidence is presented and the employee(s) have the opportunity to respond to it. If applicable, arrangements and agreements (unique to each situation) are made to ensure that it will not happen again. A report of the interview, including the agreements made, is communicated to the employee(s) concerned and to Management, and is included in the personnel file.
Step 3: consequences
In the following cases, Management may decide to impose consequences on an employee:
An employee has deliberately caused damage or is guilty of gross negligence.
An employee has not complied with the agreements mentioned under Step 2.
Possible consequences may include:
Delay in promotion.
Contractually agreed consequences.
Deactivation, i.e. revoking access to one or more systems/applications.