Insight into and overview of your governance, risk and compliance

Is your institution's business data sufficiently protected and is student and employee privacy well regulated? With SURFaudit, you always know where you stand.


Assess your information security and/or privacy protection

With SURFaudit, you always know your progress on the implementation of measures from the assessment frameworks. You can apply the assessments to the institution as a whole, but also to a faculty or department.

See how you do against other institutions

Every year we organise the SURFaudit benchmark that shows how the sector is doing and how institutions are doing compared to each other. You can use the results in justifications to your board members, governments or auditors.

Increasing resilience by balancing governance, risk and compliance

SURFaudit allows you to take measures for your institution that are proportionate to the risks. Understanding risks makes your institution resilient and agile as circumstances change.

Do you have a question about SURFaudit? Get in touch.

Abdul Altawekji


What is SURFaudit?

SURFaudit helps you get started with issues around governance, risk management and compliance.

This service consists of several products:

Assessment frameworks for information security & privacy

To assess the state of information security and privacy at your institution, SURF has developed the SURFaudit Information Security Assessment Framework and the SURFaudit Privacy Assessment Framework. They describe what the requirements are to meet a certain maturity level and form the basis of self-assessment and (external) audits. The assessment frameworks contain measures relevant to the security and continuity of corporate data and the privacy of employees and students within your institution. To get started with these assessment frameworks, you can attend one of our master classes.

SURFaudit benchmark

It is becoming increasingly important to know where you stand with information security and privacy within your own institution, how the sector as a whole is doing, and how your institution is doing compared to the sector. The SURFaudit benchmark is a good way to find out. We aim for an average maturity level of 3 (on a scale of 5) for the whole sector.

SURF Security Baseline

This security baseline provides institutions with concrete tools to improve their information security. It also provides IT suppliers with clear and standardised requirements to comply with.

GRC application

With the Governance, Risk and Compliance (GRC) application, institutions can document their information security and privacy maturity and plan the necessary measures. In doing so, this application offers opportunities for a more risk-based approach. By introducing the same GRC application for the entire sector, institutions can work (together) more easily, learn from each other and thus grow in maturity together. The application will be available from 2024.
Read more about the GRC application on the SURFaudit wiki.

Cyber Threat Assessment

The Cyber Threat Assessment is a report that describes the biggest threats to the education and research sector in terms of information security. It includes an overview of incidents that have occurred in education and research organisations, current threats and relevant trends. The report is intended to inform board members, policymakers and professionals so that they can discuss information security risks.

Risk management: risk assessment toolkit

To identify information security risks for your institution, you can use the risk assessment toolkit. However, information security risks should also be considered in conjunction with other security risks. This is why we work closely with the Integral Security community.