Valid until: 2025-03-14
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Fixed a link to the Statement of Applicability. Adjustments to the table under 5.3: Manager ICT > Operations Manager; Manager HR > Business Manager. |
anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.
The purpose of this document is to describe how anDREa's management demonstrates leadership and commitment regarding the ISMS, the information security policy and objectives, and the organisational roles and responsibilities regarding the ISMS.
This document will be updated at least annually and whenever a significant change occurs.
The objectives of this document are:
To demonstrate leadership and commitment with respect to the ISMS (5.1).
To establish an information security policy (5.2).
To ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated (5.3).
The scope of this document follows Clause 4, Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation;
b) ensuring the integration of the information security management system requirements into the organisation’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.”
Finally, with the approval of management, awareness articles are published on anDREa's Knowledge Base and on LinkedIn to highlight the importance of information security.
a) is appropriate to the purpose of the organisation;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organisation; and
g) be available to interested parties, as appropriate.”
Information should be classified according to an appropriate level of confidentiality, integrity and availability (A.8.2 Information classification) and in accordance with relevant legislative, regulatory and contractual requirements (A.18 Compliance).
Staff, developers and support personnel with particular responsibilities for information (Definition of (security) roles and responsibilities & anDREa's Roles and Responsibilities) must:
ensure the classification of that information is established;
handle that information in accordance with its classification level;
abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
All people covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
Access to information will be on the basis of least privilege and need to know (A.9 Access control).
Information will be protected against unauthorised access and processing in accordance with its classification level (Clause 7 Support & A.9 Access control).
Breaches of this policy must be reported (A.16 Information security incident management & A.18 Compliance).
Information security provision and the policies that guide it will be regularly reviewed including through the use of annual internal audits and penetration testing (Clause 9 Performance evaluation, A.12.7.1 Information systems audit controls & A.18 Compliance).
Any explicit Information Security Management Systems (ISMSs) run within anDREa will be appraised and adjusted through the principles of continual improvement (Clause 10 Improvement).
Supporting policies
Supporting policies have been developed to strengthen and reinforce this policy statement. These are published together and are available on https://support.mydre.org/portal/en/kb/andrea-organization
Anyone can see the documents they are authorised to view. Generally speaking, only records and registers require authorisation; all other documents are publicly available.
An additional policy may be created to cover specific areas.
The MT will request input from internal experts on relevant parts and shall oversee the creation of the information security policy and its subsidiary policies.
The CTO will determine the appropriate levels of security measures applied to all new information systems and services.
Information security objectives:
anDREa maintains and reports on the information security objectives in the annual Security Management Report.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.”
Explanation of RACI
The CTO of anDREa is accountable for the policies and the ISMS. This means that management:
Is regularly informed, by means of Security Management Reports and ISMB meetings, about the effectiveness of the ISMS.
Reviews, approves and adopts updated policy documents.
Periodically evaluates all policies.
Takes decisions, where necessary, on actions in response to major incidents or calamities, in accordance with A.17 Information security aspects of business continuity management.
The Security Officer is responsible for the effective and efficient application of the policy and all parts of the ISMS. As much as possible, the Security Officer will fulfil this responsibility by supervising, coordinating and checking activities performed by, or falling under the responsibility of line managers.
The daily responsibility rests with the line managers, who supervise compliance with the established procedures and guidelines.
Every employee of anDREa (whether permanent or not, internal or external) is obliged to work with information security in mind. This applies in particular, but not exclusively, to employees who handle commercially confidential or other sensitive data. All employees are individually responsible for the effective security of the data entrusted to them.
ISMB meetings (authorised personnel only)
List of information security objectives and KPIs (authorised personnel only; used for the Security Management Reports and the SLA, which are publicly available)
Tickets with review comments and approval by management (authorised personnel only)