Has your institution organised the security and continuity of its company data, and the privacy of its users? Have your business partners done so? With SURFaudit you can tell what to do for a minimum level of security and privacy. Compare the audit results of various departments or institutions and see where your institution stands.

Close-up man achter computer met allerlei documenten erbij

SURFaudit Framework of Standards

SURFaudit uses the Framework of Standards for Information Security in Higher Education, which specifies what your institution must put in place as a minimum in terms of security and continuity in order to protect business data and the privacy of students and staff. This forms part of the Framework for Information Security in Higher Education.


The framework of standards used by SURFaudit is based on ISO 27002:2013, the most widely accepted international standard in the field of information security. From this ISO standard we selected those components that an educational institution must put in place as a minimum. Amongst others, this selection is based on SURF's Cyberdreigingsbeeld 2015 (PDF, in Dutch), which describes the key threats for the education and research sectors in the field of information security.

The Framework of Standards also incorporates all of the privacy factors referred to in the Dutch Data Protection Authority's guidelines on Personal Data Security (2013, in Dutch). The most recent version of the Framework of Standards was published in 2015.

The standards have been grouped into 6 clusters:

  1. Policy and organisation.
  2. Staff, students and guests.
  3. Rooms and equipment.
  4. Continuity.
  5. Confidentiality and integrity.
  6. Monitoring and logging.

Assessment Framework

In addition to the Framework of Standards, an Assessment Framework is also available. This describes, for each measure in the Framework of Standards, the criteria that must be met if a particular level of maturity is to be achieved. The Assessment Framework was drawn up in close consultation with the educational institutions' internal auditors and subsequently agreed with external auditors. The latest version was produced in conjunction with the vocational training sector.

Maturity levels

In a self-assessment or audit, the institution's performance against each measure is determined using the Cobit Maturity Model (CMM):

Model Volwassenheidsniveau
Level Description Explanation
0 Non-existent Processes are not applied.
1 Initial/Ad Hoc Processes are organised in an ad hoc manner and are heavily dependent on individuals.
2 Repeatable but Intuitive Work is done in a specific way.
3 Defined Process Processes have been documented and are known to those involved.
4 Managed and Measurable Processes are managed, are part of an improvement cycle (PDCA) and are measurable.
5 Optimised Improvements are made as a matter of course and best practices are followed

SURFaudit benchmark

During the two-yearly SURFaudit benchmark, the results of the participating institutions are averaged out and performance against the baseline is determined for each cluster. The baseline indicates the recommended CMM level for each measure in the Framework of Standards, based amongst others on the risks identified in the Cyber Risks Report. The recommended level will always be one of the following:

  • The measure is so crucial that regular review (PDCA) is essential: CMM level 4.
  • The measure is so basic that it must be implemented: CMM level 3.
  • Based on the analysis of the Cyber Risks Report, the measure is classified as essential: CMM level 3.
  • All other measures: CMM level 2.

More information

  • If you would like more information or a copy of the SURFaudit Framework of Standards, please contact us at
  • The Assessment Framework is available to members of the SCIPR community