SURFaudit: know your information security and privacy

Has your institution organised the security and continuity of its company data, and the privacy of its students and staff? Have your business partners done so? SURFaudit shows you what you should take care of at a minimum for information security and privacy. Determine how your institution is doing and compare with other institutions.

Close-up man achter computer met allerlei documenten erbij

SURFaudit Security Standard: audit your information security

Know what is important for your information security and what you need to have arranged as a minimum. But also what the risk areas are for your sector. With our Security Standard for Higher Education and the accompanying assessment-method, we help you to protect the security and continuity of your business data and the privacy of students and staff.

SURFaudit and the ISO standard for information security

The SURFaudit Security Standard for Higher Education is derived from the ISO/IEC 27002:2013 standard, the most widely accepted international standard for information security. From this standard we selected the most important statements an educational institution must put in place. This selection is partly based on SURF's Cyber Threat Assessment Report (PDF, in Dutch), which describes the key threats for the education and research sectors in the field of information security.

The SURFaudit Security Standard also incorporates the privacy guidelines from the Dutch Data Protection Authority (2013, in Dutch). The most recent version of the SURFaudit Security Standard is based on the latest ISO/IEC 27002 standard and was published in 2015.

The standards have been grouped into 6 clusters:

  1. Policy and organisation
  2. Staff, students and guests
  3. Rooms and equipment
  4. Continuity
  5. Confidentiality and integrity
  6. Monitoring and logging

Determine your maturity level

In addition to the Security Standard, an accompanying self-assessment method is available. It describes the criteria that must be met to reach a particular level of maturity. The self-assessment method has been developed in close collaboration with the educational institutions' internal auditors and was subsequently agreed on with external auditors. The latest version (2019) is based on the NBA Maturity Model for Information Security v2.0 (in Dutch).

Using the self-assessment method you determine your maturity level for each statement in the assessment-method:

Volwassenheidsniveau SURFaudit






Controls are not, or only partly defined and/or executed in an inconsistent manner and rely heavily on individuals.



Controls are in place and executed in a structured and consistent, but informal, manner.



Controls are documented and executed in a structured and formal manner. Execution of control can be proved, is tested and effective."


Managed and measurable

The effectiveness of the control is periodically assessed and improved when necessary. This assessment is documented."


Continuous improvement

An enterprise wide risk and control programme provides continuous and effective control and risk issues resolution."

Measure your security posture with the SURFaudit-benchmark

Every bi-annual SURFaudit benchmark we analyse the outcome of all participating institutions' self-assessments. For each cluster we determine the average maturity level and compare it to the SURF baseline. The baseline indicates the recommended maturity level for each measure. It is partly determined by the risks identified in the Cyber Threat Assessment Report. The recommended level for each measure is determined as follows:

  • The measure is so crucial that regular review (PDCA) is essential: maturity level 4.
  • The measure is so basic that it must be implemented: maturity level 3.
  • Based on the analysis of the Cyber Risks Report, the measure is classified as essential: maturity level 3.
  • All other measures: maturity level 2.

More information

  • For more information or to obtain a copy of the SURFaudit self-assessment, please contact us at
  • The SURFaudit Security Standard for Higher Education is subject to a NEN license and only available to SURF members (see for details).