Information security SURF services
We pay close attention to the information security of our own services and the services we procure for institutions. In this way, we minimise the risk of data being misused that is processed by our services, and thus the impact of security incidents. A number of SURF services are ISO 27001-certified.
In terms of information security, SURF aligns itself as much as possible with sectoral and general standards. SURF's information security policy is based on the SCIPR template for information security policy, which contains five principles. These principles are:
- Risk-based: we base measures on the potential security risks of our information, processes and IT facilities.
- Everyone: everyone is and feels responsible for the correct and secure use of resources and powers.
- Always: information security is in the DNA of all our work.
- Security by design: information security is an integral part of every project or change involving information, processes and IT facilities from the start.
- Security by default: users only have access to information and IT facilities that they need for their work. Opening up information is a conscious choice.
Baseline Information Security SURF
The technical and procedural measures are elaborated in the Baseline Information Security SURF (BIS). It is based on the measures of the ISO 27002 standard for information security. All SURF services must comply with the BIS.
View SURF's Baseline Information Security (pdf)
Assurance
SURF has set up an Information Security Management System (ISMS) containing a number of cyclical processes to ensure that our services continue to meet the standards of the Baseline Information Security SURF and the ISO 27001 framework. Examples of these processes are periodic internal audits and self-assessments. In the ISMS, we keep track of their findings and set out actions. This way, continuous improvement and adjustment take place.
Information and suitability classification
SURF works with two risk levels for the components Availability and Integrity/Reliability for information security, namely standard and high. The level standard provides a level of protection that can be considered approximately sufficient for confidential data (multifactor authentication is standard, for example).
Our services have a suitability classification: an indication of the data for which the service is suitable, so that you can quickly see the protection level at which a SURF service has been set up. Always check that this corresponds to your own organisation's agreements.
In the overview below, you can see at which level a service is protected. In the BIS you will find the corresponding security measures, so you can check what that protection entails. Bear in mind that a service may have different requirements on certain aspects depending on the nature of that service. Based on a risk analysis, the service implements the BIS measures as far as they are relevant. This suitability classification is intended as an aid and does not replace contractual agreements; you cannot derive any rights from it.
Service overview suitability classification
The level standard at SURF already provides a solid level of protection. Do you have questions about a service's protection measures? Click through and ask your question at the service itself.
NB Components of services and advisory services such as OZON, Vendor Compliance, CSY, etc. are not included in the overview.
ISO 27001-certified services
The declaration of applicability states the current scope of SURF's ISO 27001 certification. An external audit takes place annually in which compliance with this standard is tested.
Service outage information
In the event of disruptions to SURF services, you can find real-time updates on grotestoring.nl.
Questions about information security?
Do you have questions or comments about SURF's information security policy or the BIS? If so, please contact our CISO Raoul Vernède at raoul.vernede@surf.nl.
Documents to SURF information security policy
- SURF information security policy (pdf)
- SURF ISO 27001 certificate (in Dutch, pdf)
- Statement of applicability (in Dutch, pdf)
- SURF information security baseline ( pdf)
Frequently asked questions
What is the difference between SURF security baseline for education and research and the BIS (Baseline Information Security SURF) used by SURF?
The SURF security baseline was developed for and by SURF's members and has a specific elaboration for the education and research sector. The BIS (see above) is used as a baseline internally at SURF and contains control measures tailored to SURF. The BIS supports the Information Security Management System (ISMS), which includes such things as risk management, continuous improvement via PDCA cycle and audits, and together with the information security policy and operational guidelines, forms SURF's information security policy.
Both baselines are based on the ISO 27001/27002 as a best practice to be tailored for each organisation to the specific risks and requirements of its stakeholders.
What is the difference between SURFaudit and ISO 27001 and why does SURF not use the SURFaudit information security assessment framework?
SURFaudit was developed for and by educational institutions and research organisations and is partly based on the ISO 27000 approach. SURFaudit was developed as a self-assessment for an organisation to determine its maturity level per information security component and as a whole (scores range from 1 to 5). Using a maturity level also makes it possible to compare this score with other similar organisations and to visualise growth over time.
For IT service organisations such as SURF, the use of the internationally recognised standard ISO 27001 is more common. On the basis of external audits by an independent party, they can be certified. A maturity score SURFaudit of 3-5 roughly corresponds to an ISO 27001 certification. A large number of SURF's services are covered by ISO 27001 certification (see list above).
What is the difference between the BIO (Baseline Information Security Government) and the BIS used by SURF?
The BIO was drafted for government organisations. SURF is an IT organisation, which means that SURF cannot adopt some of the government-specific measures contained in the BIO. Moreover, SURF has decided to make some measures as included in the BIO more onerous for its own BIS. If you would like to know more about the differences between the BIO and the BIS, please contact us at cisoteam@surf.nl.
What is NEN7510 and does SURF also comply with it?
NEN7510 is similar to ISO 27001, but specifically for organisations in the healthcare sector. The elaboration of the standard components includes some additional measures. Suppliers to healthcare organisations are often expected to comply with NEN7510, especially if personal health information is processed. SURF does not comply with the NEN7510 standard - in many cases, ISO 27001 certification is also sufficient for a supplier to demonstrate that information security is in order in the services and/or products provided, sometimes with an explanation of specific measures, such as access security and encryption. That is why the ISO 27001 certificate is also important for SURF.
What is the SURF suitability classification of a service and what does it mean for me as a user/customer?
The SURF suitability classification is a designation that helps to quickly estimate the level of protection offered by a given IT service. The classification (standard or high) corresponds to the required measures as listed in the BIS. It remains the responsibility of the data owner and thus data controller to determine for themselves whether these measures are sufficient or whether additional measures are needed. The suitability classification is intended as an aid; for the provision of services, contractual agreements remain binding.
Must all components of a SURF service meet the specified suitability rating level?
The short answer to this is yes. Within the BIS, a distinction is made between protection level standard and high for the aspects of availability and integrity/confidentiality together. All relevant components of a SURF service, whether provided (partly) internally by SURF or purchased (partly) externally from external suppliers, must comply with the required relevant security measures.
Does the NIS2 Directive (cybersecurity law) apply to SURF?
Yes, SURF is identified for this as a supplier of IT to the education sector. The requirements have been incorporated into our BIS (see above) and we are preparing to meet the requirements.