
ISO/IEC 27001:2022

Ensuring the confidentiality, availability, and integrity of your information is a serious commitment at Doxx. Clear. Flexible. Personal. Discover Doxx.


Certificate

  • Certificate ISO 27001 in Dutch
  • Certificate ISO 27001 in English

Statement of Applicability

This page displays the Statement of Applicability (SoA) for the ISO/IEC 27001:2022 Management System Certificate No. C602796, issued by DNV London on 1 August 2024.

The applicable controls have been identified from the Annex A controls of the ISO/IEC 27001 standard, as applied to our ISMS.

Statement from Management

The management of Doxx bv hereby confirms the measures listed in this SoA, endorsed in relation to the conducted risk analyses, and accepts the residual risk of any measures not taken.

Rijswijk, August 2024

Pascal Groos
Saxwin Brouwer

Scope

Hosting and managing client systems (ICT management & support), software development, and consultancy.

Co-certified locations:

  • Doxx HQ, Rijswijk
  • BPRC Campus, Rijswijk

Applicable measures

The following measures are applicable at Doxx.

Control | Relevant | Status

A.5.1 Information Security Policies

Information security policies and subject-specific policies must be defined, approved by management, published, communicated to, and acknowledged by relevant personnel and stakeholders, and reviewed at planned intervals and whenever significant changes occur.

Yes
Implemented

A.5.2 Roles and Responsibilities in Information Security

Roles and responsibilities in information security must be defined and assigned according to the needs of the organization.

Yes
Implemented

A.5.3 Separation of Duties

Conflicting tasks and conflicting responsibilities must be separated.

Yes
Implemented

A.5.4 Management Responsibilities

Management must require all personnel to apply information security in accordance with the established information security policies, subject-specific policies, and procedures of the organization.

Yes
Implemented

A.5.5 Contact with Government Authorities

The organization must establish and maintain contact with the relevant authorities.

Yes
Implemented

A.5.6 Contact with Special Interest Groups

The organization must establish and maintain contacts with special interest groups or other specialized security forums and professional associations.

Yes
Implemented

A.5.7 Threat Intelligence and Analysis

Information related to information security threats must be collected and analyzed to produce threat intelligence.

Yes
Implemented

A.5.8 Information Security in Project Management

Information security must be integrated into project management.

Yes
Implemented

A.5.9 Inventory of Information and Other Related Assets

An inventory of information and other related assets, including their owners, must be created and maintained.

Yes
Implemented

A.5.10 Acceptable Use of Information and Other Related Assets

Rules for the acceptable use of and procedures for handling information and other related assets must be identified, documented, and implemented.

Yes
Implemented

A.5.11 Return of Assets

Personnel and other stakeholders, as applicable, must return all organizational assets in their possession upon termination of their employment, contract, or agreement.

Yes
Implemented

A.5.12 Classification of Information

Information must be classified according to the information security needs of the organization, based on confidentiality, integrity, availability, and relevant stakeholder requirements.

Yes
Implemented

A.5.13 Labeling of Information

To label information, an appropriate set of procedures must be developed and implemented in accordance with the information classification scheme established by the organization.

Yes
Implemented

A.5.14 Information Transfer

Rules, procedures, or agreements for information transfer must be established for all types of communication facilities within the organization and between the organization and other parties.

Yes
Implemented

A.5.15 Access Security

Rules based on business and information security requirements must be established and implemented to control physical and logical access to information and other related assets.

Yes
Implemented

A.5.16 Identity Management

The entire lifecycle of identities must be managed.

Yes
Implemented

A.5.17 Managing Authentication Information

The allocation and management of authentication information must be controlled through a management process that includes advising personnel on the proper handling of authentication information.

Yes
Implemented

A.5.18 Access Rights

Access rights to information and other related assets must be granted, reviewed, adjusted, and removed in accordance with the organization’s subject-specific policies and access security rules.

Yes
Implemented

A.5.19 Information Security in Supplier Relationships

Processes and procedures must be established and implemented to manage the information security risks associated with the use of supplier products or services.

Yes
Implemented

A.5.20 Addressing Information Security in Supplier Agreements

Relevant information security requirements must be established and agreed upon with each supplier based on the type of supplier relationship.

Yes
Implemented

A.5.21 Managing Information Security in the ICT Supply Chain

Processes and procedures must be defined and implemented to manage information security risks associated with the supply chain of ICT products and services.

Yes
Implemented

A.5.22 Monitoring, Evaluating, and Managing Changes to Supplier Services

The organization must regularly monitor, evaluate, assess, and manage changes to the information security practices and services of suppliers.

Yes
Implemented

A.5.23 Information Security for the Use of Cloud Services

Processes for procuring, using, managing, and terminating cloud services must be established in accordance with the organization's information security requirements.

Yes
Implemented

A.5.24 Planning and Preparing for Information Security Incident Management

The organization must plan and prepare for managing information security incidents by defining, establishing, and communicating processes, roles, and responsibilities for managing information security incidents.

Yes
Implemented

A.5.25 Assessing and Deciding on Information Security Events

The organization must assess information security events and decide whether they should be categorized as information security incidents.

Yes
Implemented

A.5.26 Responding to Information Security Incidents

Information security incidents must be responded to in accordance with documented procedures.

Yes
Implemented

A.5.27 Learning from Information Security Incidents

Knowledge gained from information security incidents must be used to strengthen and improve information security controls.

Yes
Implemented

A.5.28 Collecting Evidence

The organization must establish and implement procedures for identifying, collecting, obtaining, and preserving evidence related to information security events.

Yes
Implemented

A.5.29 Information Security During a Disruption

The organization must plan to ensure information security at an appropriate level during a disruption.

Yes
Implemented

A.5.30 ICT Readiness for Business Continuity

ICT readiness must be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

Yes
Implemented

A.5.31 Legal, Statutory, Regulatory, and Contractual Requirements

Legal, statutory, regulatory, and contractual requirements relevant to information security, and the organization's approach to meeting these requirements, must be identified, documented, and kept up to date.

Yes
Implemented

A.5.32 Legal Matters

The organization must implement appropriate procedures to protect intellectual property rights.

Yes
Implemented

A.5.33 Protection of Records

Records must be protected against loss, destruction, forgery, unauthorized access, and unauthorized release.

Yes
Implemented

A.5.34 Privacy and Protection of Personal Data

The organization must identify and comply with privacy and personal data protection requirements in accordance with applicable laws, regulations, and contractual obligations.

Yes
Implemented

A.5.35 Independent Review of Information Security

The organization's approach to information security management and its implementation, including people, processes, and technologies, must be independently reviewed at planned intervals or whenever significant changes occur.

Yes
Implemented

A.5.36 Compliance with Information Security Policies, Rules, and Standards

Compliance with the organization's information security policies, topic-specific policies, rules, and standards must be regularly assessed.

Yes
Implemented

A.5.37 Documented Operating Procedures

Operating procedures for information processing facilities must be documented and made available to the personnel who need them.

Yes
Implemented

A.6.1 Screening

The background of all candidates for employment must be verified before they join the organization and periodically thereafter. This should take into account applicable laws, regulations, and ethical considerations, and should be proportionate to the business requirements, the classification of the information to which access is granted, and the identified risks.

Yes
Implemented

A.6.2 Employment Contract

Employment contracts must specify the responsibilities of both the employee and the organization regarding information security.

Yes
Implemented

A.6.3 Information Security Awareness, Education, and Training

The organization's personnel and relevant stakeholders must receive appropriate awareness, education, and training in information security and regular updates on the organization's information security policies, topic-specific policies, and procedures, as relevant to their role.

Yes
Implemented

A.6.4 Disciplinary Procedure

There must be a formal and communicated disciplinary procedure to take action against staff and other stakeholders who have committed a breach of the information security policy.

Yes
Implemented

A.6.5 Responsibilities After Termination or Change of Employment

Responsibilities and tasks related to information security that remain effective after termination or change of employment must be defined, enforced, and communicated to relevant staff and other stakeholders.

Yes
Implemented

A.6.6 Confidentiality or Non-Disclosure Agreements

Confidentiality or non-disclosure agreements reflecting the organization’s needs for information protection must be identified, documented, regularly reviewed, and signed by staff and other relevant stakeholders.

Yes
Implemented

A.6.7 Remote Working

When staff work remotely, security measures must be implemented to protect information accessed, processed, or stored outside the organization's building and/or premises.

Yes
Implemented

A.6.8 Reporting Information Security Events

The organization must provide a mechanism for staff to report perceived or suspected information security events in a timely manner through appropriate channels.

Yes
Implemented

A.7.1 Physical Security Zones

Zones containing information and other related business assets must be protected by defining and using security zones.

Yes
Implemented

A.7.2 Physical Access Control

Secure zones must be protected by appropriate access control measures and entry points.

Yes
Implemented

A.7.3 Securing Offices, Rooms, and Facilities

Physical security must be designed and implemented for offices, rooms, and facilities.

Yes
Implemented

A.7.4 Monitoring Physical Security

The building and premises must be continuously monitored for unauthorized physical access.

Yes
Implemented

A.7.5 Protection Against Physical and Environmental Threats

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, must be designed and implemented.

Yes
Implemented

A.7.6 Working in Secure Areas

Security measures must be developed and implemented for working in secure areas.

Yes
Implemented

A.7.7 Clear Desk and Clear Screen

‘Clear desk’ rules for paper documents and removable storage media and ‘clear screen’ rules for information processing facilities must be defined and enforced appropriately.

Yes
Implemented

A.7.8 Placement and Protection of Equipment

Equipment must be securely placed and protected.

Yes
Implemented

A.7.9 Securing Assets Outside the Premises

Assets outside the building and/or premises must be protected.

Yes
Implemented

A.7.10 Storage Media

Storage media must be managed throughout their entire lifecycle, from acquisition through use, transport, and disposal, in accordance with the organization’s classification scheme and handling requirements.

Yes
Implemented

A.7.11 Utilities

Information processing facilities must be protected against power failures and other disruptions caused by utility failures.

Yes
Implemented

A.7.12 Securing Cabling

Power cables and data cables supporting information services must be protected against interception, interference, or damage.

Yes
Implemented

A.7.13 Equipment Maintenance

Equipment must be properly maintained to ensure the availability, integrity, and reliability of information.

Yes
Implemented

A.7.14 Secure Disposal or Reuse of Equipment

Parts of equipment that contain storage media must be checked to ensure that sensitive data and licensed software are removed or securely overwritten before disposal or reuse.

Yes
Implemented

A.8.1 User Endpoint Devices

Information stored on, processed by, or accessible via user endpoint devices must be protected.

Yes
Implemented

A.8.2 Special Access Rights

The assignment and use of special access rights must be restricted and managed.

Yes
Implemented

A.8.3 Access to Information

Access to information and other related business assets must be restricted in accordance with the established subject-specific access control policy.

Yes
Implemented

A.8.4 Source Code Access Control

Read and write access to source code, development tools, and software libraries must be appropriately managed.

Yes
Implemented

A.8.5 Secure Authentication

Secure authentication technologies and procedures must be implemented based on information access restrictions and the subject-specific access control policy.

Yes
Implemented

A.8.6 Capacity Management

Resource usage must be monitored and adjusted in accordance with current and expected capacity requirements.

Yes
Implemented

A.8.7 Protection Against Malware

Protection against malware must be implemented and supported by appropriate user awareness.

Yes
Implemented

A.8.8 Management of Technical Vulnerabilities

Information about technical vulnerabilities of operating information systems must be obtained, the organization’s exposure to such vulnerabilities must be assessed, and appropriate measures must be taken.

Yes
Implemented

A.8.9 Configuration Management

Configurations, including security configurations, of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed.

Yes
Implemented

A.8.10 Information Deletion

Information stored in information systems, devices, or other storage media must be deleted when no longer required.

Yes
Implemented

A.8.11 Data Masking

Data must be masked in accordance with the subject-specific access control policy and other related subject-specific policies, and the organization’s business requirements, considering applicable legislation.

Yes
Implemented

A.8.12 Data Leakage Prevention

Measures to prevent data leakage must be applied in systems, networks, and other devices on which or with which sensitive information is processed, stored, or transported.

Yes
Implemented

A.8.13 Information Back-up

Back-ups of information, software, and systems must be retained and regularly tested in accordance with the agreed subject-specific backup policy.

Yes
Implemented

A.8.14 Redundancy of Information Processing Facilities

Information processing facilities must be implemented with sufficient redundancy to meet availability requirements.

Yes
Implemented

A.8.15 Logging

Logs recording activities, exceptions, errors, and other relevant events must be produced, stored, protected, and analyzed.

Yes
Implemented

A.8.16 Activity Monitoring

Networks, systems, and applications must be monitored for abnormal behavior, and appropriate measures must be taken to evaluate potential information security incidents.

Yes
Implemented

A.8.17 Clock Synchronization

The clocks of information processing systems used by the organization must be synchronized with approved time sources.

Yes
Implemented

A.8.18 Use of Special System Tools

The use of system tools that may bypass system and application controls must be restricted and closely monitored.

Yes
Implemented

A.8.19 Installing Software on Operational Systems

Procedures and measures must be implemented to manage the secure installation of software on operational systems.

Yes
Implemented

A.8.20 Securing Network Components

Networks and network devices must be secured, managed, and controlled to protect information in systems and applications.

Yes
Implemented

A.8.21 Securing Network Services

Security mechanisms, service levels, and service requirements for all network services must be identified, implemented, and monitored.

Yes
Implemented

A.8.22 Network Segmentation

Groups of information services, users, and information systems must be segmented within the organization's networks.

Yes
Implemented

A.8.23 Application of Web Filters

Access to external websites must be managed to limit exposure to malicious content.

Yes
Implemented

A.8.24 Use of Cryptography

Rules for the effective use of cryptography, including the management of cryptographic keys, must be defined and implemented.

Yes
Implemented

A.8.25 Securing During the Development Lifecycle

Rules for secure development of software and systems must be established and applied.

Yes
Implemented

A.8.26 Application Security Requirements

Information security requirements must be identified, specified, and approved when developing or acquiring applications.

Yes
Implemented

A.8.27 Secure System Architecture and Technical Principles

Principles for designing secure systems must be established, documented, maintained, and applied for all activities related to the development of information systems.

Yes
Implemented

A.8.28 Secure Development

Principles for secure coding must be applied to software development.

Yes
Implemented

A.8.29 Security Testing During Development and Acceptance

Processes for testing security must be defined and implemented in the development lifecycle.

Yes
Implemented

A.8.30 Outsourced System Development

The organization must direct, monitor, and review activities related to outsourced system development.

Yes
Implemented

A.8.31 Separation of Development, Testing, and Production Environments

Development, testing, and production environments must be separated and secured.

Yes
Implemented

A.8.32 Change Management

Changes to information processing facilities and information systems must be subject to change management procedures.

Yes
Implemented

A.8.33 Test Data

Test data must be selected, protected, and managed appropriately.

Yes
Implemented

A.8.34 Protection of Information Systems During Audits

Audit tests and other audit activities involving operational systems must be planned and agreed upon between the tester and the responsible management.

Yes
Implemented

Discover Doxx

Laan van Vredenoord 1
2289 DA, Rijswijk
Netherlands
Chamber of Commerce (KvK) 27153323
VAT NL8037.30.330.B01
IBAN NL73ABNA0421694718