Information security SURF services

We pay great attention to the information security of our own services and the services we purchase for the institutions. By doing so, we minimise the risk that data processed by our services will be misused, and thus the impact of security incidents. A number of SURF services are ISO 27001-certified.

Information security

Principes informatiebeveiliging

In terms of information security, SURF aligns itself as much as possible with sectoral and general standards. SURF's information security policy is based on the SCIPR template for information security policy, which contains five principles. These principles are:

  • Risk-based: we base measures on the potential security risks of our information, processes and IT facilities.
  • Everyone: everyone is and feels responsible for the correct and secure use of resources and powers.
  • Always: information security is in the DNA of all our activities.
  • Security by design: information security is an integral part of every project or change involving information, processes and IT facilities from the start.
  • Security by default: users only have access to information and IT facilities that they need for their work. Opening up information is a conscious choice

View SURF's information security policy (PDF, in English)

Continuous improvement and adjustment

SURF has set up an Information Security Management System (ISMS) containing a number of cyclical processes to ensure that our services continue to meet the standards of the ISO 270001 framework and the SURF Information Security Baseline. Examples of these processes are periodic internal audits and self-assessments. We keep track of their findings in the ISMS and set out actions. This ensures continuous improvement and adjustment.

Baseline Information Security SURF

The technical and procedural measures are elaborated in the Baseline Information Security SURF (BIS). It is based on the Baseline Information Security Government (BIO) and on the measures of the ISO 27002 standard for information security. All SURF services must comply with the BIS.

Information and suitability classification

SURF uses two risk levels for the Availability and Integrity/Trustworthiness components for information security since 2023: Basic and High. The Basic level provides a level of protection that can be considered approximately sufficient for confidential data (multifactor authentication is standard, for example). Our services are also labeled for which data the service is suitable, so that you can quickly see which protection level the SURF service has been set up for. Always check that this corresponds to your own organisation's agreements.

View the Baseline Information Security SURF (PDF)

ISO 27001-certified services

The services covered by Research Facilities have been ISO-certified for some time. You can see the current scope of ISO certification in the declaration of applicability. We are gradually expanding the scope of certification to more SURF services.

SURF services under ISO 27001 certification (November 2022)
  • Nationale supercomputer Snellius
  • Nationaal rekencluster Lisa
  • High-performance Dataprocessing - Grid/GSP, Spider, dCache
  • Jupyter Notebook Hub
  • Data Archive
  • Data Persistent Identifier
  • B2SAFE
  • iRODS Hosting
  • RDM Storage Scale-out
  • SURF Data Repository
  • SURF Research Cloud
  • Custom Cloud Solutions
  • Managed Services for Sustainable Scientific Solutions (MS4)
  • SURF Research Access Management (SRAM)
  • SURFconext
  • SURFsecureID
  • Research Drive
  • Object Store
  • SURFdrive
  • Visualisatie

The services covered by computing, data storage and analysis, visualisation, authentication, authorisation and cloud and grid services are certified in accordance with the global ISO 27001 standard for information security. An external audit takes place annually in which compliance with this standard is tested.

View SURF's ISO 27001 certificate (PDF, in Dutch)

Statement of applicability version 6.0 (PDF, in Dutch)


Do you have questions or comments about the information security policy of SURF services? If so, please contact our CISO Raoul Vernède at

Documents accompanying the SURF Information Security Policy:

Frequently asked questions

What is the difference between the Government Information Security Baseline (BIO) and SURF's Information Security Baseline (BIS)?

The Government Information Security Baseline (BIO) was drawn up for government organisations. However, SURF is an IT organisation. This means that SURF cannot adopt some of the government-specific measures contained in the BIO. In addition, SURF has decided to make some measures in the BIO more onerous for SURF's Baseline Information Security (BIS). If you would like to know more about the differences between the BIO and the BIS, please contact us.

What is NEN7510 and does SURF comply with it?

NEN7510 is a similar certification to ISO27001, but specifically for healthcare organisations. The elaboration of the parts of the standard are specified for healthcare and include some additional measures. Suppliers to healthcare organisations are therefore also often expected to comply with NEN7510, especially if personal health information is processed. SURF does not comply with the NEN7510 standard - in many cases, ISO27001 is also sufficient for suppliers to demonstrate that information security is in order in the services and/or products provided. Sometimes with an explanation of specific measures, such as access security and encryption. That is why the ISO27001 certificate is also important for SURF.