Trust & Compliance Center
Welcome to the NormNest Trust & Compliance Center. This portal provides transparency into our security, privacy, and compliance practices.
Certifications
Completed Certifications
Data Protection Officer
The Data Protection Officer (DPO) certification confirms our in-depth knowledge of the General Data Protection Regulation (AVG/GDPR) and our competence in supporting organisations in safeguarding privacy and data protection standards. This certification underlines our expertise in advising on privacy policy, assessing data processing activities, managing data breaches, and acting as a reliable point of contact for supervisory authorities.
ISO/IEC 27001 Lead Auditor
Holding the ISO/IEC 27001 Lead Auditor certificate confirms our thorough knowledge of information security standards and our competence in conducting formal audits of an Information Security Management System (ISMS). This certification reflects our expertise in assessing risks, compliance, and the effectiveness of security measures within organisations. It enables us to support both internal evaluations and preparations for external certification, across a range of sectors where information security is of critical importance.
ISO/IEC 27001:2022
ISO/IEC 27001:2022 is an international standard for information security. It specifies requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Its purpose is to help organisations protect their information systematically against risks such as data breaches, cyberattacks or unauthorised access.
The 2022 edition is an updated version that places more emphasis on risk management, leadership and continual improvement, and is better aligned with modern threats and technologies.
KMO-Portefeuille (recognised service provider)
The KMO-Portefeuille is a subsidy scheme of the Flemish government that financially supports small and medium-sized enterprises (SMEs) in attending training and obtaining advice. Organisations recognised as service providers for the KMO-Portefeuille meet specific quality and administrative requirements and may offer services to Flemish enterprises through the platform.
This recognition gives customers not only financial benefits but also confidence in the expertise and reliability of the service provider.
NIS 2 Directive: Senior Lead Implementor
The NIS 2 Directive: Senior Lead Implementor certificate confirms our in-depth knowledge of the requirements and responsibilities arising from the NIS2 Directive, which is aimed at securing the network and information systems of essential and important entities. This certification attests to our expertise in establishing, implementing and optimising controls in the areas of cybersecurity, risk management, governance and incident response. It enables us to guide organisations in complying with their NIS2 obligations and in building a resilient and compliant digital infrastructure.
Compliances
Cyber Fundamentals (CyFun)
Flemish/national framework that helps companies bring their cyber resilience up to a basic level. It focuses on identifying, protecting, detecting, responding and recovering.
GDPR
The GDPR (General Data Protection Regulation) is European legislation that regulates the privacy and protection of personal data of citizens within the EU. It has been in force since May 2018 and obliges organisations to handle personal data carefully, to be transparent about how it is used, and to take appropriate security measures. The GDPR gives individuals more control over their data and imposes strict obligations on companies, with high fines for non-compliance.
ISO/IEC 27001
International standard for information security. Demonstrates that your organisation manages its risks and protects its data adequately.
NIS2 (EU)
European directive that imposes stricter cybersecurity requirements, especially on essential and important sectors. Relevant for many companies from 2024 onwards.
Cybersecurity Framework
Our cybersecurity approach is based on the NIST Cybersecurity Framework, which organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover.
IDENTIFY
Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
BASIC_ID.AM-01.1: An inventory of physical and virtual infrastructure assets — such as hardware, network devices, and cloud-hosted environments — that support information processing shall be documented, reviewed, and updated as changes occur.
BASIC_ID.AM-02.1: An inventory of software, digital services, and business systems used within the organisation shall be documented, reviewed, and updated as changes occur.
BASIC_ID.AM-07.1: Data that the organisation stores and uses shall be identified.
BASIC_ID.AM-05.1: The organisation’s assets shall be prioritised based on classification, criticality, and business value.
BASIC_ID.AM-08.2: Patches and security updates for operating systems and critical system components shall be installed.
BASIC_ID.RA-01.1: Threats and vulnerabilities shall be identified in all relevant assets, including software, network and system architectures, and facilities that house critical computing assets.
BASIC_ID.RA-05.1: The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and the impact on business processes and assets.
BASIC_ID.IM-03.1: The organisation shall conduct post-incident evaluations to analyse lessons learned from incident response and recovery, and consequently improve processes, procedures and technologies to enhance its cyber resilience.
IMPORTANT_ID.AM-01.2: The inventory of enterprise assets associated with information and information processing facilities shall reflect changes in the organisation’s context and include all information necessary for effective accountability.
IMPORTANT_ID.AM-02.2: The inventory reflecting which software, services and systems are used in the organisation shall reflect changes in the organisation’s context and include all information necessary for effective accountability.
IMPORTANT_ID.AM-02.3: The people responsible and accountable for managing software platforms and applications within the organisation shall be formally identified.
IMPORTANT_ID.AM-02.4: When unauthorised software is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly.
IMPORTANT_ID.AM-03.2: The organisation's network communication and internal data flows shall be mapped, documented, authorised, and updated when changes occur.
IMPORTANT_ID.AM-04.1: The organisation shall keep a clear and up-to-date list of all external services it uses, including how they connect to its systems. These services shall be reviewed and approved before use, and the list shall be updated whenever changes happen.
IMPORTANT_ID.AM-08.3: The organisation shall enforce accountability for all its business-critical assets throughout the system lifecycle, including removal, transfers, and disposition.
IMPORTANT_ID.AM-08.6: The organisation shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools.
IMPORTANT_ID.AM-08.8: The organisation should pre-approve, monitor and enforce maintenance tools for use on its critical systems.
IMPORTANT_ID.RA-01.2: A process shall be established to continuously monitor, identify, and document vulnerabilities of the organisation's business-critical systems.
IMPORTANT_ID.RA-01.3: The organisation shall establish and maintain a documented process that enables continuous review, analysis and remediation of vulnerabilities and provides for information sharing where applicable.
IMPORTANT_ID.RA-01.5: Vulnerability scanning shall not adversely impact system functions.
IMPORTANT_ID.RA-02.1: A threat and vulnerability awareness program that includes a cross-organisation information-sharing capability shall be implemented.
IMPORTANT_ID.RA-05.2: The organisation shall conduct and document risk assessments in which risk is determined by threats, vulnerabilities, impact on business processes and assets, and likelihood of their occurrence.
IMPORTANT_ID.RA-08.1: The organisation shall establish and implement a vulnerability management plan to identify, analyse, assess, mitigate and communicate all types of vulnerabilities, including in the form of Coordinated Vulnerability Disclosure (CVD) according to applicable legal modalities.
IMPORTANT_ID.RA-06.1: Risk responses shall be identified, prioritised, planned, tracked and communicated.
IMPORTANT_ID.IM-03.2: The organisation shall incorporate lessons learned from incident handling activities into updated or new incident handling processes and/or procedures that are framed by appropriate training after review, approval and testing.
IMPORTANT_ID.IM-03.3: The organisation shall identify improvements derived from the monitoring, measurements, assessments, and lessons learned and consequently translate these into improved processes, procedures and technologies to enhance its cyber resilience (continuous improvement).
IMPORTANT_ID.IM-03.4: The organisation shall collaborate and share information about security incidents related to its critical systems, and the mitigation measures taken, with designated partners.
IMPORTANT_ID.IM-03.5: Communication of the effectiveness of protection technologies shall be shared with relevant stakeholders.
IMPORTANT_ID.IM-03.6: The organisation shall implement, where feasible, automated mechanisms to facilitate the process of information sharing and collaboration.
IMPORTANT_ID.IM-04.1: Contingency and continuity plans shall be established, communicated, maintained, tested, validated, and improved.
PROTECT
Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.
BASIC_PR.AA-01.1: Identities and credentials for authorised users, services, and hardware shall be managed.
BASIC_PR.AA-03.1: All wireless access points used by the organisation, including those providing guest access, shall be securely configured, managed, and monitored to prevent unauthorised access and ensure network integrity.
BASIC_PR.AA-03.2: Multi-Factor Authentication (MFA) shall be required to access the organisation's networks remotely.
BASIC_PR.AA-05.1: Access permissions, rights, and authorisations shall be defined, managed, enforced and reviewed.
BASIC_PR.AA-05.2: It shall be determined who needs access to the organisation's business-critical information and technology and the means to gain access.
BASIC_PR.AA-05.4: No one shall have administrative privileges for routine day-to-day tasks.
BASIC_PR.AA-06.1: Physical access to all organisational assets, including critical zones, should be managed, monitored, and enforced based on risk.
BASIC_PR.AT-01.1: The organisation shall establish and maintain a cybersecurity awareness and training programme to ensure that all personnel understand how to perform their tasks securely and responsibly.
BASIC_PR.DS-01.9: Enterprise assets shall be disposed of safely.
BASIC_PR.DS-11.1: Backups of the organisation's business-critical data shall be performed and stored on a different system from the device on which the original data resides.
BASIC_PR.PS-04.1: Log records shall be generated and made available for continuous monitoring.
BASIC_PR.PS-05.1: Installation and execution of unauthorised software shall be prevented.
BASIC_PR.IR-01.1: Firewalls shall be installed, configured, and actively maintained on all networks used by the organisation to protect against unauthorised access and cyber threats.
BASIC_PR.IR-01.2: To safeguard critical systems, the organisation shall implement network segmentation and segregation aligned with trust boundaries and asset criticality, thereby limiting threat propagation and enforcing strict access control.
IMPORTANT_PR.AA-02.1: The organisation shall implement documented procedures for verifying the identity of individuals before issuing credentials that provide access to the organisation's systems.
IMPORTANT_PR.AA-03.3: The organisation shall define, document, and implement usage restrictions, connection requirements, and authorisation procedures for remote access to its critical systems. These controls shall ensure that only approved users can connect, using secure methods, with access limited to what is necessary for their role.
IMPORTANT_PR.AA-05.5: Where technically, operationally, and economically feasible—without compromising system integrity, safety, or compliance—automated mechanisms shall be implemented to manage user accounts on critical ICT and OT systems. Feasibility shall be determined based on system capabilities, integration potential, risk assessment, and business impact.
IMPORTANT_PR.AA-05.6: Separation of duties (SoD) shall be ensured in the management of access rights.
IMPORTANT_PR.AA-05.7: Privileged users shall be managed and monitored.
IMPORTANT_PR.AA-06.2: Physical access controls should include specific procedures for emergency situations, ensuring continued protection of critical and non-critical assets during such events.
IMPORTANT_PR.AT-01.2: The organisation shall include insider threat awareness and reporting in its cybersecurity training to help personnel recognise and respond to potential internal risks.
IMPORTANT_PR.AT-01.3: Personnel shall receive training to understand their specific roles, responsibilities, and priorities during a cybersecurity or information security incident, including the steps they need to follow to respond effectively.
IMPORTANT_PR.AT-02.1: Members of management bodies shall be able to demonstrate that they have completed training that gives them a solid understanding of information and cybersecurity and risk management, so that they can assess information and cybersecurity risks and their consequences and propose the necessary risk mitigation, considering their roles, responsibilities and authorities.
IMPORTANT_PR.AT-02.3: Privileged users shall be qualified before privileges are granted, and these users shall be able to demonstrate an understanding of their roles, responsibilities, and authorities.
IMPORTANT_PR.DS-01.1: The organisation shall implement software, firmware, and information integrity checks to detect unauthorised changes to its critical system components during storage, transport, start-up and when determined necessary.
IMPORTANT_PR.DS-01.4: The organisation shall define and enforce clear policies and practical safeguards to manage and restrict the use of portable storage media, in order to reduce the risk of data leakage, unauthorised access, and malware introduction.
IMPORTANT_PR.DS-01.5: The organisation shall only allow the use of removable media when absolutely necessary, and shall put technical measures in place to block automatic execution of files from these devices.
IMPORTANT_PR.DS-11.2: The reliability and integrity of backups shall be verified and tested regularly.
IMPORTANT_PR.DS-11.3: The organisation shall maintain secure backups of business-critical data in a separate storage location to ensure data availability in case of system failure or data loss. Backup storage shall apply security controls equivalent to those of the primary environment.
IMPORTANT_PR.PS-03.1: Hardware used in business-critical environments shall be maintained, replaced, or removed based on its associated security and operational risk.
IMPORTANT_PR.PS-04.2: The organisation shall ensure that log records carry a time stamp from an authoritative time source, or from an internal clock that is compared and synchronised with an authoritative time source.
IMPORTANT_PR.PS-06.1: Security shall be considered throughout the lifecycle of systems and applications, whether developed internally or acquired externally.
IMPORTANT_PR.PS-06.2: Changes and exceptions shall be tested and validated before being implemented in operational systems.
IMPORTANT_PR.IR-01.3: To ensure operational stability and security, the organisation shall, without exception, identify, document, and control connections between components of its critical systems.
IMPORTANT_PR.IR-01.4: The organisation shall implement appropriate boundary protection measures to monitor and control communications at external and key internal boundaries of its critical systems, across both IT and OT environments, to ensure secure and reliable operations.
IMPORTANT_PR.IR-02.1: The organisation shall define, implement and maintain policies and procedures related to emergency and safety systems, fire protection systems and environmental controls for its critical systems.
IMPORTANT_PR.IR-04.1: Adequate resource capacity planning shall ensure that the availability of the organisation's critical system information processing, networking, telecommunications, and data storage is maintained.
DETECT
Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
BASIC_DE.CM-01.1: Firewalls shall be installed and operated at the network boundaries, including endpoint firewalls.
BASIC_DE.CM-01.2: Anti-virus, anti-spyware, and other anti-malware programs shall be installed and kept updated.
BASIC_DE.CM-03.1: Endpoint and network protection tools that monitor end-user behaviour for dangerous activity shall be implemented.
BASIC_DE.AE-03.1: The logging functionality of protection and detection tools shall be enabled. Logs shall be backed up, retained for a predefined period, and regularly reviewed to identify unusual or potentially harmful activity.
IMPORTANT_DE.CM-01.3: The organisation shall monitor and identify unauthorised use of its business-critical systems through the detection of unauthorised local connections, network connections and remote connections.
IMPORTANT_DE.CM-02.1: The physical environment shall be monitored to find potentially adverse events.
IMPORTANT_DE.CM-03.2: Endpoint and network protection tools that monitor end-user behaviour for dangerous activity shall be managed.
IMPORTANT_DE.CM-06.1: External service provider activities and services shall be secured and monitored to find potentially adverse events.
IMPORTANT_DE.CM-06.2: External service providers' conformance with personnel security policies and procedures and contract security requirements shall be monitored relative to their cybersecurity risks.
IMPORTANT_DE.CM-09.1: The organisation shall monitor computing hardware, software, runtime environments, and their data to detect potentially adverse events.
IMPORTANT_DE.AE-02.1: Cybersecurity and information security events shall be reviewed and analysed to identify potential attack targets and methods, in accordance with applicable laws, regulations, standards, and policies.
IMPORTANT_DE.AE-03.2: The organisation shall ensure that event data from critical systems is collected and correlated using information from multiple relevant sources.
IMPORTANT_DE.AE-06.1: Information about adverse events shall be promptly delivered to authorised personnel and systems to enable timely detection, investigation, and response.
IMPORTANT_DE.AE-08.1: Incidents shall be reported when adverse events meet defined and documented incident criteria.
RESPOND
Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
BASIC_RS.MA-01.1: The incident response plan is executed in coordination with relevant third parties once an incident is declared.
BASIC_RS.CO-02.1: Internal and external stakeholders shall be notified of incidents.
IMPORTANT_RS.MA-02.1: Information/cybersecurity incident reports shall be triaged and validated in accordance with the organisation’s incident response procedures.
IMPORTANT_RS.MA-03.1: Information/cybersecurity incidents shall be categorised, prioritised and escalated as determined in the incident response plan.
IMPORTANT_RS.CO-02.2: Cybersecurity incidents shall be shared with relevant external stakeholders within the timeframes defined in the Incident Response Plan, including reporting significant incidents to authorities as required by law.
IMPORTANT_RS.MI-01.2: The organisation shall detect unauthorised access or data leakage and take appropriate mitigation actions, including monitoring of critical systems at external boundaries and key internal points.
RECOVER
Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities impaired by cybersecurity incidents.
BASIC_RC.RP-01.1: A recovery process for disasters and information/cybersecurity incidents shall be developed and executed.
GOVERNANCE
Cybersecurity framework category for governance functions and controls.
BASIC_GV.PO-01.1: Policies and procedures for managing information and cybersecurity shall be established, documented, reviewed, approved, updated when changes occur, communicated and enforced.
BASIC_GV.OC-03.1: Legal and regulatory requirements regarding information and cybersecurity shall be identified and implemented.
BASIC_GV.RM-03.1: As part of the organisation-wide risk management strategy, a comprehensive strategy to manage information and cybersecurity risks shall be developed and updated when changes occur.
BASIC_GV.RR-04.1: Personnel with access to the organisation’s most critical information or technology shall be authenticated.
IMPORTANT_GV.OC-03.2: Legal, regulatory, and contractual obligations related to information and cybersecurity shall be continuously managed to ensure they remain accurate, up to date, and effectively applied.
IMPORTANT_GV.OC-04.2: The organisation shall define and document cybersecurity requirements for essential operations, validate them through testing and audits, maintain records of results and corrective actions, and regularly update the requirements based on evolving risks.
IMPORTANT_GV.OC-05.1: The organisation shall identify, document, and communicate its role in the supply chain, including the external capabilities, services, and dependencies it relies on (upstream), as well as its interactions with downstream stakeholders.
IMPORTANT_GV.RM-02.1: Risk appetite and risk tolerance statements shall be defined, documented, approved by senior management, communicated, and maintained.
IMPORTANT_GV.RM-03.2: Information and cybersecurity risks shall be documented as part of the enterprise risk management processes, formally approved by senior management, and updated when changes occur.
IMPORTANT_GV.RR-02.1: Information security and cybersecurity roles, responsibilities and authorities for employees, suppliers, customers, and partners shall be documented, reviewed, authorised, kept up to date, communicated, and coordinated internally and externally.
IMPORTANT_GV.RR-03.2: The organisation shall assign roles and responsibilities for reviewing and updating response and recovery plans, ensuring they reflect changes in the risk environment and remain effective.
IMPORTANT_GV.RR-04.2: A cybersecurity process for human resources shall be developed and maintained, applicable at recruitment, during employment and at termination of employment.
IMPORTANT_GV.PO-01.2: Organisation-wide information and cybersecurity policies and procedures shall cover the use of cryptography and, where appropriate, encryption; reflect changes in requirements, threats, technology and organisational roles; and be approved by senior management, who oversee their implementation.
IMPORTANT_GV.SC-02.1: Third-party providers shall notify the organisation of any transfer, termination or transition of personnel with physical or logical access to its business-critical system elements.
IMPORTANT_GV.SC-05.1: Requirements for addressing cybersecurity risks and the sharing of sensitive information in supply chains shall be established, prioritised, integrated into contracts and other types of formal agreements, and enforced.
IMPORTANT_GV.SC-07.1: The risks posed by a supplier, its products and services, and other third parties shall be identified, documented, prioritised, mitigated and assessed at least annually and when changes occur during the relationship.
IMPORTANT_GV.SC-08.1: The organisation shall identify and document key personnel from relevant suppliers and other third parties to include them in incident planning, response, and recovery activities.
Trust Policies
Asset Management
This category details how your organisation tracks, classifies and manages hardware and software assets. These processes show how you oversee the full lifecycle of business assets in order to manage security risks and ensure compliance.
Asset Classification
Asset Inventories (Hardware/Software)
Asset Tracking
IT Asset Management (ITAM) Program
Secure Asset Disposal
Application Security
This category details how security is integrated into your application development and maintenance processes. These practices show how you prevent, identify and address security vulnerabilities throughout your software development lifecycle.
Responsible Disclosure
Application Penetration Testing
Corporate Security
This category covers organisation-level security practices, including personnel policy, training and incident response. These measures show how the human and organisational aspects of security are managed to create an overall security culture.
Email Protection
Employee Handbook
Employee Training
Incident Response
Internal Reviews
Penetration Testing
Employee Termination/Transfer
Security Operations Center
External Personnel Program
Business Continuity/Disaster Recovery (BC/DR)
This section describes how your organisation prepares for and recovers from serious disruptions. These plans and procedures demonstrate your ability to maintain or quickly restore critical business functions during a calamity, minimising the impact on customers.
Alternate Processing/Storage Site
Business Continuity Management System (BCMS)
Business Continuity Plan (BCP)
Contingency Plan Testing/Lessons Learned
Contingency Training/Simulations
Continuity/Contingency of Operations Plan
Data Backup/Backup Protection
Disaster Recovery Plan (DRP)
Tabletop Exercises
Policies
This section contains the formal policies that direct and regulate your security practices. These documents demonstrate your systematic approach to security management and form the foundation for consistent and effective security measures within your organisation.
Acceptable Use Policy
Access Control Policy
Anti-Malware Policy
Asset Management Policy
Awareness and Training Policy
Backup Policy
Bring Your Own Device (BYOD) Policy
Business Continuity/Disaster Recovery Policy
Configuration Management Policy
Continuous Monitoring
This section describes how your organisation continuously monitors systems and networks for security events. These processes demonstrate your ability to detect and respond to threats and vulnerabilities in a timely manner through constant vigilance.
Data Loss Prevention (DLP) System
Event & Audit Log Management
Reviews & Updates
Endpoint Security
This category covers how you secure endpoint devices such as desktops, laptops and mobile devices that have access to your systems. These security measures show how you prevent and detect threats at the level of individual devices, providing a crucial line of defence against malicious actors.
Anti-Malware
Disk Encryption
DNS Filtering
Endpoint Detection & Response
Host Intrusion Prevention System (HIPS)
Portable Storage Management
Physical & Environmental Security
This category covers measures for securing the physical facilities and environments where your systems are located. These controls show how you prevent unauthorised physical access and provide protection against environmental risks such as fire or power failure.
Access Monitoring
Alarms & Surveillance
Alternate Work Sites
Emergency Power & Lighting
Fire Protection
Physical Access Security
Power Equipment & Cabling
Remote Telework
Visitor Control
Data Security
This section describes how your organisation protects data throughout its entire lifecycle. These measures demonstrate your commitment to protecting customer information through technical controls, policies and data handling procedures.
Access Monitoring
Data Backups
Data Erasure
Encryption-at-rest
Encryption-in-transit
Media Protection
Physical Media Disposal
Physical Security
Data Privacy
This category outlines how your organisation manages personal data and respects privacy rights. These practices show your commitment to data privacy compliance and ethical data processing.
Cookies
Data Breach Notifications
Incident Response
This category describes how your organisation prepares for, responds to and recovers from security incidents. These processes demonstrate your ability to handle security events effectively and to minimise their impact on customers and business operations.
Incident Reporting Process
Infrastructure
This category covers all components of your technical infrastructure, including cloud services, data centres and network configurations. These elements form the technical foundation on which your SaaS solution runs and show how you ensure reliability, scalability and security at the infrastructure level.
Status Monitoring
Network Time Protocol
Time Synchronisation
Legal
This section provides access to the contractual agreements and legal documentation that define your relationship with customers. These documents formalise security commitments, data processing practices and compliance obligations.
Cyber Insurance
Data Processing Agreement
Data Subject Requests
Master Services Agreement
Privacy Policy
Service-Level Agreement
Terms of Service
Network Security
This section describes how your organisation secures communication within and into its networks. These measures demonstrate your approach to monitoring and filtering network traffic and protecting it against intruders and data exfiltration.
Data Loss Prevention
Firewall
Network Penetration Testing
Traffic Filtering
Web Application Firewall
Wireless Security
Product Security
Contains the technical and organisational measures used to secure your product, control access and manage user roles.
Audit Logging
Data Security
Integrations
Multi-Factor Authentication
Passkey Support
Role-Based Access Control
Service-Level Agreement
SSO
Team Management
Reports
Refers to the technical and compliance documentation you can provide to demonstrate your security posture and infrastructure.
Vulnerability Assessment Report
Risk Management
This section outlines how your organisation identifies, assesses and manages security risks. These practices demonstrate your systematic approach to understanding risks and implementing appropriate security measures based on the threat landscape.
Risk Assessments
Supply Chain Risk Management
Third-Party Dependence
Risk Profile
Determines the resilience of your system and the importance of your service to customers. Includes recovery objectives, data sensitivity and third-party dependence.
Recovery Time Objective
Third-Party Dependence
Hosting
Access Control
This section details how your organisation manages and restricts access to systems and data. These controls prevent unauthorised access while ensuring that legitimate users can carry out their required functions efficiently.
Access Log Management
Automated Account Management
Bring Your Own Device (BYOD)
Data Access
Internal Single Sign-On (SSO)
Least Privilege
Logging
Mobile Device Access
Password Manager
Password Security
Remote Access
Separation of Duties
System Use Notification
User Access Review
Virtual Private Network (VPN)
Wireless Access
Training
This category describes the security training and awareness programmes for your employees. These initiatives show how you build a strong security culture and ensure that personnel have the knowledge to act securely and recognise security risks.
Phishing Training
Role-Based Training
Security Awareness Training
Training Program
Change Management
This section describes how your organisation manages changes to IT systems and processes. These procedures demonstrate your controlled approach to implementing changes, reducing the risk of security problems arising from them.
Configuration Management Program
Impact Analysis