Version: 3.0
Valid until: 2024-04-12
Classification: Low
3.0 | Edward Robinson Pascalle Broer | Additions/changes as part of the annual review. Added the link to the HR Manual under Availability. Updated the link for the competence overview under 7.1.1. Added the link to the Roles & Responsibilities matrix under 7.1.2 and 7.2.1. Updated the link to the Information Security Training under 7.1.2 and 7.2.1 |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the human resource security policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and whenever a significant change occurs.
The objectives of this control are:
To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered (A.7.1).
To ensure that employees and contractors are aware of and fulfil their information security responsibilities (A.7.2).
To protect the organisation’s interests as part of the process of changing or terminating employment (A.7.3).
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
For anDREa employees, this is all summarised in the HR Manual.
available for all interested parties as appropriate.
The identity document presented must be checked for validity. The authenticity features of passports are listed on the website of the central government, and the passport must match these features.
Attitude and eagerness to learn are very important qualities for anDREa employees. Therefore, employees who are not C-level do not necessarily need certain certifications upon onboarding. However, they are required to obtain specified certifications during their employment at anDREa. To this end, anDREa has created the anDREa People - Competence Overview list. The Security Officer will maintain this list and will check its correctness at least biannually or when changes occur.
C-level employees must, in addition to the certifications described in the competence list, also submit a Certificate of Conduct (Verklaring Omtrent het Gedrag; VOG), which is stored in the employee’s personnel file.
The Information Security and Data Protection Training is a mandatory, automatically generated task in the onboarding workflow. The Security Officer verifies that the training has been completed.
When an employee switches to another position within anDREa, the Security Officer (together with the relevant asset accountables) will determine whether:
the employee has to hand in company resources and whether access to the network and applications must be adjusted.
tasks / responsibilities in the field of information security need to be transferred.
authorisations need to be adjusted.
it is necessary to request a (new) VOG for the employee concerned.
anDREa People - Competence Overview (authorised personnel only).
Proof of certifications.
Personnel files (including contractual agreements and if applicable VOG).
Scores on the Information Security and Data Protection Training (= verification that the training has been completed; authorised personnel only).
Disciplinary procedure responses (authorised personnel only).
Onboarding workflow tickets (authorised personnel only).
Offboarding workflow tickets (authorised personnel only).