Organization of information and data security

Introduction

We safeguard policy, objectives, and document management within the Information Security Management System (ISMS) and embed information security and privacy as a business risk in our organization and working methods. We work on a risk-based approach (with annual reassessment) and translate policy into concrete guidelines and procedures. In addition, the organization, roles, and responsibilities for information security and privacy are clearly defined to ensure effective implementation, monitoring, and continuous improvement of the ISMS.



Detailed explanation


Policy framework (Information Security and Privacy Policy)

We maintain a formally established "Information Security and Privacy Policy". This policy defines how we protect the availability, integrity, and confidentiality of information and systems, and safeguard privacy. Measures are selected based on a risk-based approach. The risk profile is updated at least annually, and a defined risk appetite is applied.


Embedding in ISMS and compliance with standards

The policy and additional guidelines/procedures are embedded in the ISMS and available to employees. The ISMS supports ongoing compliance with relevant standards (including ISO/IEC 27001, ISO/IEC 27701, and NEN 7510) and applicable legislation. The Statement of Applicability (SoA) describes which controls apply, including any justified exclusions.


Organization, roles, and governance

The organization of information security and privacy is formally defined, including governance structures, roles, responsibilities, and reporting lines. Management (CEO/CTO/COO) holds overall accountability for implementation, compliance, and decision-making on improvement plans. Operational and tactical responsibilities are assigned to defined roles. Independent oversight is ensured through the Data Protection Officers (DPOs), who monitor compliance with (local) privacy laws, and through internal audit and security advisory functions that assess the effectiveness of controls and of the ISMS.


Security responsibilities are distributed across strategic, tactical, and operational levels, ensuring that risk management, compliance monitoring, incident handling, and supplier assessments are consistently executed throughout the organization. Employees are responsible for adhering to policies and proactively reporting incidents or risks.


Management, communication, and evaluation

The organization has established structured governance and decision-making processes. Regular meetings (such as management reviews, security and GDPR meetings, and technical meetings) are used to monitor risks, evaluate controls, track improvement actions, and discuss regulatory developments. This supports alignment between business objectives and security requirements and ensures periodic evaluation of ISMS performance and effectiveness.


Annual management reviews assess the ISMS, including risks, incidents, audit results, and opportunities for improvement. Security awareness is reinforced through recurring staff sessions and training programs.


Security and privacy objectives

The primary objective is to maintain compliance with the relevant standards; other security and privacy objectives are determined annually and recorded in ISMS documentation. In addition, “security by design” and “privacy by design/default” are the starting points for design, development, and management.


External communication and continuous improvement

Information security and privacy are embedded in external communication and stakeholder management. Where relevant, updates to policies or security measures are communicated to customers and stakeholders. The organization maintains regular contact with external advisors (e.g. legal advisors and auditors) and monitors external sources such as regulatory bodies and security-related sources to remain informed about emerging threats and regulatory changes. This input is used to update internal practices and improve the ISMS on an ongoing basis.


Document management (ISMS documentation)

A document management procedure is in place to control ISMS documentation. This includes defining document types, specifying central storage (in an intranet environment), storing HR files in a separate system, applying naming conventions, controlling access, managing changes through a controlled process, and ensuring version management.


Published documents that comply with the naming conventions are considered the current “single source of truth.” This prevents confusion about which version is authoritative and supports auditability.

Updated:

27 March 2026 at 15:20:44