Clause 7 Support

Version: 3.0
Valid until: 2025-03-11

Classification: Low

Version Management

Version | Author(s)                          | Change(s)                                                                                                                                                                                           | Date approved
1.0     | Stefan van Aalst, Edward Robinson  | Initiation document                                                                                                                                                                                 | 2022-05-20
1.1     | Edward Robinson                    | Additions/changes as part of the periodic review and improvement. Renamed this document to Clause 7 Support from B02 Control of documents and registrations.                                        | 2022-12-13
2.0     | Edward Robinson                    | Additions/changes as part of the annual review. Added the anDREa's Roles and Responsibilities matrix.                                                                                               | 2023-05-15
3.0     | Edward Robinson                    | Additions/changes as part of the annual review. Added links to folders on the new anDREa Google Workspace. Added link to HR Manual under 7.2. Added 'objectives' under 7.5.2.                     |

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events, and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.


The purpose of this document is to describe anDREa’s commitment to support the ISMS.


This document will be updated at least annually and when significant change happens.

Objective


The objective of this control is:


  • To determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS (7.1).

  • To assess competence of the employees (7.2).

  • To increase and maintain information security awareness (7.3).

  • To determine the need for internal and external communications relevant to the ISMS (7.4).

  • To control documented information (7.5).

Scope

The scope of this document is described in Clause 4 Context of the organisation.


Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

7.1 Resources


“The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.”


anDREa is committed to continuously improving the ISMS, and management is committed to providing the necessary resources.

7.2 Competence


“The organisation shall:

a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;

b) ensure that these persons are competent on the basis of appropriate education, training, or experience;

c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and

d) retain appropriate documented information as evidence of competence.”



anDREa has defined (security) roles and responsibilities per job function; these are embedded in the HR Manual. Attitude and eagerness to learn are very important qualities for anDREa employees. Therefore, employees who are not C-level do not necessarily need particular certifications upon onboarding. However, they are required to obtain specified certifications during their employment at anDREa. To this end, anDREa has created the anDREa People - Competence Overview list and the anDREa's Roles and Responsibilities matrix. The Security Officer maintains this list and checks its correctness at least biannually, and whenever changes occur.

7.3 Awareness


“Persons doing work under the organisation’s control shall be aware of:

a) the information security policy;

b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and

c) the implications of not conforming with the information security management system requirements.”



Information security awareness is described in A.7.2.2 Information security awareness, education and training. The implications of not conforming with the ISMS requirements are described in A.7.2.3 Disciplinary procedure.

7.4 Communication


“The organisation shall determine the need for internal and external communications relevant to the information security management system including:

a) on what to communicate;

b) when to communicate;

c) with whom to communicate;

d) who shall communicate; and

e) the processes by which communication shall be effected.”



What | When | To | By | Frequency | Process

Sharing documentation
Statement of applicability | Always | Requester | Security Officer | | Statement of Applicability
Information security policy | Always | Requester | Security Officer | | Clause 5 Leadership
Other policy documents | Always | Requester | Security Officer | | ISO27001
ISMS-documentation | Within the context of an internal/external audit | Auditors/Consultants | Security Officer | | ISO27001
ISMS-records | Within the context of an internal/external audit | Auditors/Consultants | Security Officer | At request | Contact Security Officer

Incidents & deviations
Reporting incidents (to external parties) | After incidents, as agreed upon in agreements, SLAs or data processing agreements | Customer | Security Officer | When necessary, after an incident | Dependent on the nature of the incident: in agreement with management
Reporting incidents and deviations (internal) | Always | Security Officer | All employees anDREa B.V. | After an incident | A.16 Information security incident management

Internal communication
Implemented policy changes | After issuing a new version | Employees | Security Officer | Ad hoc | Contact Security Officer
Communicating points of interest with regards to awareness of information security | 4x a year | Employees | Security Officer | 4x a year | A.7.2.2 Information security awareness, education and training


7.5 Documented information

7.5.1 General


“The organisation’s information security management system shall include:

a) documented information required by this International Standard; and

b) documented information determined by the organisation as being necessary for the effectiveness of the information security management system.”



Documented information required by this International Standard (ISO 27001) and other necessary supporting documentation is stored and maintained in a folder on anDREa’s Google Workspace. This folder is managed by the Security Officer; access and editing rights are role-based.

7.5.2 Creating and updating


“When creating and updating documented information the organisation shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);

b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and

c) review and approval for suitability and adequacy.”



The documented information will adhere to the following guidelines:

The front page will at least have:

  • The title of the document.

  • Version number.

  • Review date of the document.

  • Classification.

  • Version management table with authors, changes and approval date.

    • Approval date will be linked to a ticket or article, where explicit approval by management has been given.


Rules of version change:

  • Prior to changes, a copy is made with a timestamp after the file name in the format: <title>_YYYY-MM-DD. The time stamp is the date at which the copy was made and implies that the document was valid until that day.

  • The version number is incremented to the next whole number when the document is periodically revised (annual review).

  • The version number is raised by 0.1 if changes are made between periodic revisions.


The following elements are (at least) present in policies:

  • Purpose & background.

  • Scope.

  • Objectives.

  • Availability.

  • Description of the norm elements.

  • If applicable, administrations.


7.5.3 Control of documented information


“Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed; and

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)

For the control of documented information, the organisation shall address the following activities, as applicable:

c) distribution, access, retrieval and use;

d) storage and preservation, including the preservation of legibility;

e) control of changes (e.g. version control); and

f) retention and disposition.

Documented information of external origin, determined by the organisation to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.”



Documented information required by this International Standard (ISO 27001) and other necessary supporting documentation is stored and maintained in a Policies folder on anDREa’s Google Drive. This folder is managed by the Security Officer; access and editing rights are role-based. Google Drive has the backup functionality enabled. Moreover, as described in 7.5.2, older versions are not deleted but are stored in an archive folder with a timestamp. The most recent, management-approved versions are made publicly available on anDREa’s Knowledge Base for all users and anDREa employees to read; edit rights are role-based. Employees will be informed if impactful changes are made.
