Ensuring the confidentiality, availability, and integrity of your information is a serious commitment at Doxx.
This page displays the Statement of Applicability (SoA) for ISO/IEC 27001:2022 Management System Certificate No. C602796, issued by DNV London on 1 August 2024.
The applicable controls have been identified from the Annex A controls of the ISO/IEC 27001 standard, as they apply to our ISMS.
The management of Doxx bv hereby confirms the measures listed in this SoA, endorsed on the basis of the risk analyses carried out, and accepts the residual risk of any measures not taken.
Rijswijk, August 2024
Pascal Groos, Saxwin Brouwer
Hosting and managing client systems (ICT management & support), software development, and consultancy.
Co-certified locations:
The following measures are applicable at Doxx.
Control | Description | Relevant | Status
---|---|---|---
A.5.1 Information Security Policies | Information security policies and subject-specific policies must be defined, approved by management, published, communicated to, and acknowledged by relevant personnel and stakeholders, and reviewed at planned intervals and whenever significant changes occur. | Yes | Implemented
A.5.2 Roles and Responsibilities in Information Security | Roles and responsibilities in information security must be defined and assigned according to the needs of the organization. | Yes | Implemented
A.5.3 Separation of Duties | Conflicting tasks and conflicting responsibilities must be separated. | Yes | Implemented
A.5.4 Management Responsibilities | Management must require all personnel to apply information security in accordance with the established information security policies, subject-specific policies, and procedures of the organization. | Yes | Implemented
A.5.5 Contact with Government Authorities | The organization must establish and maintain contact with the relevant authorities. | Yes | Implemented
A.5.6 Contact with Special Interest Groups | The organization must establish and maintain contacts with special interest groups or other specialized security forums and professional associations. | Yes | Implemented
A.5.7 Threat Intelligence and Analysis | Information related to information security threats must be collected and analyzed to produce threat intelligence. | Yes | Implemented
A.5.8 Information Security in Project Management | Information security must be integrated into project management. | Yes | Implemented
A.5.9 Inventory of Information and Other Related Assets | An inventory of information and other related assets, including their owners, must be created and maintained. | Yes | Implemented
A.5.10 Acceptable Use of Information and Other Related Assets | Rules for the acceptable use of, and procedures for handling, information and other related assets must be identified, documented, and implemented. | Yes | Implemented
A.5.11 Return of Assets | Personnel and other stakeholders, as applicable, must return all organizational assets in their possession upon termination of their employment, contract, or agreement. | Yes | Implemented
A.5.12 Classification of Information | Information must be classified according to the information security needs of the organization, based on confidentiality, integrity, availability, and relevant stakeholder requirements. | Yes | Implemented
A.5.13 Labeling of Information | An appropriate set of procedures for labeling information must be developed and implemented in accordance with the information classification scheme established by the organization. | Yes | Implemented
A.5.14 Information Transfer | Rules, procedures, or agreements for information transfer must be established for all types of communication facilities within the organization and between the organization and other parties. | Yes | Implemented
A.5.15 Access Security | Rules based on business and information security requirements must be established and implemented to control physical and logical access to information and other related assets. | Yes | Implemented
A.5.16 Identity Management | The entire lifecycle of identities must be managed. | Yes | Implemented
A.5.17 Managing Authentication Information | The allocation and management of authentication information must be controlled through a management process that includes advising personnel on the proper handling of authentication information. | Yes | Implemented
A.5.18 Access Rights | Access rights to information and other related assets must be granted, reviewed, adjusted, and removed in accordance with the organization's subject-specific policies and access security rules. | Yes | Implemented
A.5.19 Information Security in Supplier Relationships | Processes and procedures must be established and implemented to manage the information security risks associated with the use of supplier products or services. | Yes | Implemented
A.5.20 Addressing Information Security in Supplier Agreements | Relevant information security requirements must be established and agreed upon with each supplier based on the type of supplier relationship. | Yes | Implemented
A.5.21 Managing Information Security in the ICT Supply Chain | Processes and procedures must be defined and implemented to manage information security risks associated with the supply chain of ICT products and services. | Yes | Implemented
A.5.22 Monitoring, Evaluating, and Managing Changes to Supplier Services | The organization must regularly monitor, evaluate, assess, and manage changes to the information security practices and services of suppliers. | Yes | Implemented
A.5.23 Information Security for the Use of Cloud Services | Processes for procuring, using, managing, and terminating cloud services must be established in accordance with the organization's information security requirements. | Yes | Implemented
A.5.24 Planning and Preparing for Information Security Incident Management | The organization must plan and prepare for managing information security incidents by defining, establishing, and communicating the processes, roles, and responsibilities for incident management. | Yes | Implemented
A.5.25 Assessing and Deciding on Information Security Events | The organization must assess information security events and decide whether they should be categorized as information security incidents. | Yes | Implemented
A.5.26 Responding to Information Security Incidents | Information security incidents must be responded to in accordance with documented procedures. | Yes | Implemented
A.5.27 Learning from Information Security Incidents | Knowledge gained from information security incidents must be used to strengthen and improve information security controls. | Yes | Implemented
A.5.28 Collecting Evidence | The organization must establish and implement procedures for identifying, collecting, obtaining, and preserving evidence related to information security events. | Yes | Implemented
A.5.29 Information Security During a Disruption | The organization must plan to ensure information security at an appropriate level during a disruption. | Yes | Implemented
A.5.30 ICT Readiness for Business Continuity | ICT readiness must be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements. | Yes | Implemented
A.5.31 Legal, Statutory, Regulatory, and Contractual Requirements | Legal, statutory, regulatory, and contractual requirements relevant to information security, and the organization's approach to meeting these requirements, must be identified, documented, and kept up to date. | Yes | Implemented
A.5.32 Legal Matters | The organization must implement appropriate procedures to protect intellectual property rights. | Yes | Implemented
A.5.33 Protection of Records | Records must be protected against loss, destruction, forgery, unauthorized access, and unauthorized release. | Yes | Implemented
A.5.34 Privacy and Protection of Personal Data | The organization must identify and comply with privacy and personal data protection requirements in accordance with applicable laws, regulations, and contractual obligations. | Yes | Implemented
A.5.35 Independent Review of Information Security | The organization's approach to information security management and its implementation, including people, processes, and technologies, must be independently reviewed at planned intervals or whenever significant changes occur. | Yes | Implemented
A.5.36 Compliance with Information Security Policies, Rules, and Standards | Compliance with the organization's information security policies, topic-specific policies, rules, and standards must be regularly assessed. | Yes | Implemented
A.5.37 Documented Operating Procedures | Operating procedures for information processing facilities must be documented and made available to the personnel who need them. | Yes | Implemented
A.6.1 Screening | The background of all candidates for employment must be verified before they join the organization and periodically thereafter. This should take into account applicable laws, regulations, and ethical considerations, and should be proportionate to the business requirements, the classification of the information to which access is granted, and the identified risks. | Yes | Implemented
A.6.2 Employment Contract | Employment contracts must specify the responsibilities of both the employee and the organization regarding information security. | Yes | Implemented
A.6.3 Information Security Awareness, Education, and Training | The organization's personnel and relevant stakeholders must receive appropriate information security awareness, education, and training, and regular updates on the organization's information security policies, topic-specific policies, and procedures, as relevant to their role. | Yes | Implemented
A.6.4 Disciplinary Procedure | There must be a formal and communicated disciplinary procedure to take action against staff and other stakeholders who have committed a breach of the information security policy. | Yes | Implemented
A.6.5 Responsibilities After Termination or Change of Employment | Responsibilities and tasks related to information security that remain effective after termination or change of employment must be defined, enforced, and communicated to relevant staff and other stakeholders. | Yes | Implemented
A.6.6 Confidentiality or Non-Disclosure Agreements | Confidentiality or non-disclosure agreements reflecting the organization's needs for information protection must be identified, documented, regularly reviewed, and signed by staff and other relevant stakeholders. | Yes | Implemented
A.6.7 Remote Working | When staff work remotely, security measures must be implemented to protect information accessed, processed, or stored outside the organization's building and/or premises. | Yes | Implemented
A.6.8 Reporting Information Security Events | The organization must provide a mechanism for staff to report perceived or suspected information security events in a timely manner through appropriate channels. | Yes | Implemented
A.7.1 Physical Security Zones | Areas containing information and other related business assets must be protected by defining and using security zones. | Yes | Implemented
A.7.2 Physical Access Control | Secure zones must be protected by appropriate access control measures and entry points. | Yes | Implemented
A.7.3 Securing Offices, Rooms, and Facilities | Physical security must be designed and implemented for offices, rooms, and facilities. | Yes | Implemented
A.7.4 Monitoring Physical Security | The building and premises must be continuously monitored for unauthorized physical access. | Yes | Implemented
A.7.5 Protection Against Physical and Environmental Threats | Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, must be designed and implemented. | Yes | Implemented
A.7.6 Working in Secure Areas | Security measures must be developed and implemented for working in secure areas. | Yes | Implemented
A.7.7 Clear Desk and Clear Screen | 'Clear desk' rules for paper documents and removable storage media and 'clear screen' rules for information processing facilities must be defined and enforced appropriately. | Yes | Implemented
A.7.8 Placement and Protection of Equipment | Equipment must be securely placed and protected. | Yes | Implemented
A.7.9 Securing Assets Outside the Premises | Assets outside the building and/or premises must be protected. | Yes | Implemented
A.7.10 Storage Media | Storage media must be managed throughout their entire lifecycle, from acquisition through use, transport, and disposal, in accordance with the organization's classification scheme and handling requirements. | Yes | Implemented
A.7.11 Utilities | Information processing facilities must be protected against power failures and other disruptions caused by utility failures. | Yes | Implemented
A.7.12 Securing Cabling | Power cables and data cables supporting information services must be protected against interception, interference, or damage. | Yes | Implemented
A.7.13 Equipment Maintenance | Equipment must be properly maintained to ensure the availability, integrity, and reliability of information. | Yes | Implemented
A.7.14 Secure Disposal or Reuse of Equipment | Parts of equipment that contain storage media must be checked to ensure that sensitive data and licensed software are removed or securely overwritten before disposal or reuse. | Yes | Implemented
A.8.1 User Endpoint Devices | Information stored on, processed by, or accessible via user endpoint devices must be protected. | Yes | Implemented
A.8.2 Special Access Rights | The assignment and use of special access rights must be restricted and managed. | Yes | Implemented
A.8.3 Access to Information | Access to information and other related business assets must be restricted in accordance with the established subject-specific access control policy. | Yes | Implemented
A.8.4 Source Code Access Control | Read and write access to source code, development tools, and software libraries must be appropriately managed. | Yes | Implemented
A.8.5 Secure Authentication | Secure authentication technologies and procedures must be implemented based on information access restrictions and the subject-specific access control policy. | Yes | Implemented
A.8.6 Capacity Management | Resource usage must be monitored and adjusted in accordance with current and expected capacity requirements. | Yes | Implemented
A.8.7 Protection Against Malware | Protection against malware must be implemented and supported by appropriate user awareness. | Yes | Implemented
A.8.8 Management of Technical Vulnerabilities | Information about technical vulnerabilities in the information systems in use must be obtained, the organization's exposure to such vulnerabilities must be assessed, and appropriate measures must be taken. | Yes | Implemented
A.8.9 Configuration Management | Configurations, including security configurations, of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. | Yes | Implemented
A.8.10 Information Deletion | Information stored in information systems, devices, or other storage media must be deleted when no longer required. | Yes | Implemented
A.8.11 Data Masking | Data must be masked in accordance with the subject-specific access control policy, other related subject-specific policies, and the organization's business requirements, taking applicable legislation into account. | Yes | Implemented
A.8.12 Data Leakage Prevention | Measures to prevent data leakage must be applied to systems, networks, and other devices on which, or with which, sensitive information is processed, stored, or transported. | Yes | Implemented
A.8.13 Information Back-up | Back-ups of information, software, and systems must be retained and regularly tested in accordance with the agreed subject-specific backup policy. | Yes | Implemented
A.8.14 Redundancy of Information Processing Facilities | Information processing facilities must be implemented with sufficient redundancy to meet availability requirements. | Yes | Implemented
A.8.15 Logging | Logs recording activities, exceptions, errors, and other relevant events must be produced, stored, protected, and analyzed. | Yes | Implemented
A.8.16 Activity Monitoring | Networks, systems, and applications must be monitored for abnormal behavior, and appropriate measures must be taken to evaluate potential information security incidents. | Yes | Implemented
A.8.17 Clock Synchronization | The clocks of information processing systems used by the organization must be synchronized with approved time sources. | Yes | Implemented
A.8.18 Use of Special System Tools | The use of system tools that can bypass system and application controls must be restricted and closely monitored. | Yes | Implemented
A.8.19 Installing Software on Operational Systems | Procedures and measures must be implemented to manage the secure installation of software on operational systems. | Yes | Implemented
A.8.20 Securing Network Components | Networks and network devices must be secured, managed, and controlled to protect information in systems and applications. | Yes | Implemented
A.8.21 Securing Network Services | Security mechanisms, service levels, and service requirements for all network services must be identified, implemented, and monitored. | Yes | Implemented
A.8.22 Network Segmentation | Groups of information services, users, and information systems must be segmented within the organization's networks. | Yes | Implemented
A.8.23 Application of Web Filters | Access to external websites must be managed to limit exposure to malicious content. | Yes | Implemented
A.8.24 Use of Cryptography | Rules for the effective use of cryptography, including the management of cryptographic keys, must be defined and implemented. | Yes | Implemented
A.8.25 Security During the Development Lifecycle | Rules for the secure development of software and systems must be established and applied. | Yes | Implemented
A.8.26 Application Security Requirements | Information security requirements must be identified, specified, and approved when developing or acquiring applications. | Yes | Implemented
A.8.27 Secure System Architecture and Technical Principles | Principles for designing secure systems must be established, documented, maintained, and applied to all activities related to the development of information systems. | Yes | Implemented
A.8.28 Secure Development | Principles for secure coding must be applied to software development. | Yes | Implemented
A.8.29 Security Testing During Development and Acceptance | Processes for security testing must be defined and implemented in the development lifecycle. | Yes | Implemented
A.8.30 Outsourced System Development | The organization must direct, monitor, and review activities related to outsourced system development. | Yes | Implemented
A.8.31 Separation of Development, Testing, and Production Environments | Development, testing, and production environments must be separated and secured. | Yes | Implemented
A.8.32 Change Management | Changes to information processing facilities and information systems must be subject to change management procedures. | Yes | Implemented
A.8.33 Test Data | Test data must be selected, protected, and managed appropriately. | Yes | Implemented
A.8.34 Protection of Information Systems During Audits | Audit tests and other audit activities involving operational systems must be planned and agreed upon between the tester and the responsible management. | Yes | Implemented