Clause 4 Context of the organisation

Version: 3.0

Valid until: 2025-04-12

Classification: Low


Version Management


Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-05-23
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Combined the article Information security context, requirements and scope (4.1, 4.2, 4.3) and information from B01 information security policy. Renamed to Clause 4 Context of the organisation. | 2022-12-07
2.0 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Added roles and responsibilities matrix. | 2023-05-15
2.1 | Edward Robinson | Changes to roles and responsibility matrix and organisational chart. | 2024-01-01
3.0 | Edward Robinson | Additions/changes as part of the annual review. Moved NIS2 compliance to good to have. Fixed several outdated links. | 2024-04-12

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.

The purpose of this document is to describe anDREa’s context, the needs of interested parties and the scope of the Information Security Management System (ISMS).

This document will be updated at least annually and when significant change happens.

Objective

The objective is:


  • to understand the organisation and its context (4.1).

  • to understand the needs and requirements of the interested parties (4.2).

  • to determine the scope of the ISMS (4.3).

  • to establish, implement, maintain and continuously improve the ISMS (4.4).


Scope

The scope of this document is the same as the scope of the ISMS. For complete details see section 4.3.


Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.


Norm elements

4.1 Understanding the organisation and its context


“The organisation shall determine external and internal issues that are relevant to its purpose and that affects its ability to achieve the intended outcome(s) of its information security management system.”


The organizational context of anDREa is set out in the following sections. Given the fast-moving nature of the business and the markets in which it operates the context will change over time. This document will be reviewed on an annual basis and any significant changes incorporated. The ISMS will also be updated to cater for the implications of such changes.


Activities


anDREa develops, maintains and valorizes a Digital Research Environment (DRE)-as-a-Service in a Shared Tenant setting; this is called myDRE. myDRE is focused:

  1. Primarily on organizations employing people that need to ingress, process, analyze and egress data in a safe, compliant and possibly collaborative way with people external to their organization, and;

  2. Secondarily on individual researchers, providing the same basic solution without the organizational information and control plane.


Functions

anDREa is a start-up organisation; accountability for the organizational functions is divided in the following way:




anDREa embraces a modern way of working and encourages employees to work remotely. anDREa has no IT infrastructure of its own; it operates primarily on Microsoft Azure, on Zoho for customer help sites and for exposing public documentation, and on Google Suite for records and internal documentation.

Internal issues

With regard to the anDREa business itself, there are a number of relevant internal issues. These include:


  • anDREa is a startup with limited resources.

  • anDREa has to provide accountability to its founders: Radboudumc, Erasmus MC and UMC Utrecht. 


External issues


With regards to the external environment in which anDREa operates, there are a number of relevant external issues. These include:


  • Political

    • Not found to be applicable.

  • Economic

    • For the Dutch academic/education market: Availability of myDRE via SURFmarket.

  • Social

    • Not found to be applicable.

  • Technology

    • Microsoft Azure

      • Pace of innovation.

      • Availability of its services.

    • The Customers’ and their users’ own and ‘inherited’ needs and requirements.

  • Legal

    • Must have:

      • GDPR-compliance.

      • ISO 27001-compliance.

    • Good to have:

      • NIS2-compliance.

        • Based on the government-launched self-assessment, anDREa does not fall under NIS2.

        • Based on the understanding of our clients, it would be good for anDREa to be NIS2-compliant.

      • ISO 9001-compliance.

  • Environmental

    • Not found to be applicable.


These general external issues will be considered in more detail as part of the risk assessment process.

4.2 Understanding the needs and expectations of interested parties


“The organisation shall determine:

a) interested parties that are relevant to the information security management system, and;

b) the requirements of these interested parties relevant to information security.”



This section of the document sets out the interested parties that are relevant to the ISMS and their requirements. It also summarises the applicable legal and regulatory requirements to which the organisation subscribes.


Interested parties


An interested party is defined as ‘a person or organisation that can be affected by, or perceive themselves to be affected by a decision or activity.’


The following are defined as interested parties that are relevant to the ISMS:

  • Advisory Board

    • Radboudumc, Erasmus MC and UMC Utrecht.

  • Suppliers

  • Customers

  • Customer user groups

  • Regulatory bodies

    • Autoriteit Persoonsgegevens

  • Employees of the organisation

  • Natural individuals (patients, study participants).


Requirements


Interested Party | Requirement Summary | Link to supporting documents
Strategic Board | Scalable and cost-effective solution for their employees | 
Strategic Board | Scalable solution for others to reduce the cost per Tenant | 
Suppliers | The payment schedule must be kept | 
Customers | Confidentiality of Workspaces | CIA (BIV) Classification
Customers | Integrity of data in Workspaces | CIA (BIV) Classification
Customers | Availability of Workspaces | CIA (BIV) Classification
Customers | Contingency plan | Contingency Procedure (A.17.1.2)
Customers | Security measurements | Statement of Applicability
Customers | ISO 27001 | Privacy Shield; ISO 27001 Statement of Applicability
Regulatory bodies | GDPR-compliant | GDPR Compliance Assessment; Data Breach Procedure
Customer user groups | Workability of Workspaces | 
Employees of the organisation | Fun place to work, adding value to the users and society | 
Natural individuals | GDPR-compliant | GDPR Compliance Assessment; Data Breach Procedure



4.3 Determining the scope of the information security management system


“The organisation shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organisation shall consider:

a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2; and

c) interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations.

The scope shall be available as documented information.”



Purpose

The purpose of the ISMS is to:

  • Understand the organisation’s needs and the necessity for establishing an information security management policy and objectives.

  • Implement and operate controls and measures for managing the organisation’s overall capability to manage information security incidents.

  • Monitor and review the performance and effectiveness of the ISMS.

  • Continually improve the organisation’s information security based on objective measurement.

This purpose applies to the scope of the ISMS as defined below.


Scope of the ISMS

The defined scope of anDREa’s ISMS takes into account the internal and external factors referred to in section 4.1 of this document and the requirements referred to in section 4.2. It also reflects the needs of interested parties and the legal and regulatory requirements that are applicable to the organisation. The scope is defined in terms of the parts of the organisation, products and services and related activities.


Organisational


The ISMS includes the following parts of the anDREa organisation:

  • All of anDREa.


Services


The following services are within the scope of the ISMS:

  • myDRE to organisations.

  • myDRE to the individual user.

  • 24/7/365 monitoring & support of subscriptions.

  • Updating and patching of Windows Virtual Machines.

  • User engagement & onboarding consultancy.

  • Standard services.

  • Optional services.


Activities


The following activities are within the scope of the ISMS:

  • The development, maintenance and valorisation of myDRE.

  • Support to end-users via Tenant-employed Research Support Teams.

  • Troubleshooting and bug fixing.

  • Tenant support for engaging and activating users.


Exclusions


The following areas are specifically excluded from the scope of the ISMS:

  • Microsoft Azure since this is part of the ISMS of Microsoft.

  • The activities as performed by the users in the way they handle and treat their data.

    • These are covered by their own security policies.

  • Support or consultancy in processing or analysis of data.

  • Support or consultancy on non-Microsoft Azure resources (such as software installations).

  • Support, consultancy or advice on legal aspects or issues.


4.4 Information security management system


“The organisation shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of the International Standard.”


Plan

The basis for controlling information security is to determine goals; the activities and resources follow from these goals. Through a system of risk assessment, the dependencies and risks for anDREa are reassessed annually and determined by management. Whenever developments occur that (may) have an impact on security, a specific risk assessment is performed.


Do

This is done by implementing, maintaining and applying an adequate set of procedural, technical and organisational measures. The Security Officer is regularly informed about the proper functioning of these measures by those who are responsible for their implementation. The necessary control measures for this are not isolated but are an integrated part of the general quality assurance. The measures taken are described in policy documents, procedures and/or guidelines.


Study and Act

Here, anDREa ensures that improvements in the ISMS are discovered and studied, and that potential breaches of the desired security level are identified. This allows management to be informed in time and to take adequate action.


Control refers to both internal studies carried out by the organisation itself and periodic testing by an independent third party. The testing focuses on two key business questions:


  1. Can non-authorised people/processes get access to Workspaces or the anDREa Core?

  2. Can an authorised person break out of a Workspace to other Workspaces or to the anDREa Core?


Both questions are the key guidance for all information security policies and measures.


The security verification consists of three parts:

  • Assess effectiveness of measures taken: the asset responsible checks, based on predefined criteria, whether the objectives have been achieved.

  • Internal and external audits: internal and external audits of the ISMS and external technical audits are performed periodically.

    • Employees of anDREa may not fulfill the role of auditor to prevent conflicts of interest.

  • Adequacy assessment: the adequacy of the established policy, including all measures, is assessed at least annually (or earlier when changes occur).

    • The adequacy assessment is based on the results of the audits, risk assessments and reported incidents.

    • The results of these assessments are recorded in the annual Security Management Report.


Evaluation

Evaluation of the above may result in the adjustment or creation of policy documents, which need to be approved by management. By means of monitoring and assessment, anDREa ensures that the results of the internal and external audits, and other controls are translated into adequate, corrective and preventive measures.


