Scope Information Security Management System (ISMS)
Introduction
The scope of our Information Security Management System (ISMS) describes which parts of our organization, services, processes, systems, and data processing fall under the ISMS. Chain dependencies are explicitly included in the scope. We work according to the PDCA cycle and record the applicability of control measures in a Statement of Applicability (SoA).
Detailed explanation
Scope and entities
Our ISMS has a clearly defined scope for the relevant entities within the group (which are collectively referred to as “Fellow Digitals” in external communications). The scope is aligned with the development and delivery of digital workplace solutions (including social intranet and e-learning software) and associated consultancy. For specific contexts (such as healthcare), an additional NEN 7510 scope has been formulated.
Chain dependencies
Because our services depend in part on chain partners (such as hosting and outsourced IT services), and information may be processed on third-party infrastructure, these dependencies are included within the scope of our ISMS. Suppliers are therefore treated as relevant stakeholders, and associated chain risks are addressed within our risk and control framework.
Standard basis and working method (PDCA)
The ISMS is based on ISO/IEC 27001:2022, ISO/IEC 27701:2019, and NEN 7510:2024. The management system follows a Plan–Do–Check–Act cycle: policy and objectives, risk assessment, selection and implementation of measures, monitoring, and continuous improvement together form a continuous process.
Statement of Applicability (SoA)
We have a procedure for drawing up and maintaining the SoA. The SoA is formally established and periodically reassessed (at least annually) within the management cycle.
Updated:
27 March 2026 at 15:20:44