Archived Plans

Define our operations within the ISO/IEC 27001 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

In Q1 2023, we are completing the gap analysis against the ISO 27001 standard, which was initiated in Q4 2022. The analysis will provide us with the necessary insights to plan appropriately, from a people, process and technology perspective, the implementation of ISO 27001 throughout 2023 and 2024.

In 2023 we are guiding organisation-wide efforts to streamline our patch management and vulnerability management processes. 

In Q1 2023, we will be focusing on drafting the relevant policies and procedures.

In Q1 2023, we will be enhancing the design of our cloud security controls for services migrating to the cloud as well as our cloud security monitoring capabilities.

In Q1 2023, we are establishing an internal Risk & Compliance function. One of the first focus areas for the new function will be the modernisation of the risk management methodology in order to assess risk using an agile and collaborative approach. 

We expect the work for the enterprise risk management modernisation to be executed throughout 2023.

This work item was migrated from the Information Security Quarterly Planning.

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

The work started in 2022 and is expected to be completed in 2023-2024.

This work item was migrated from the Information Security Quarterly Planning.

To supplement our existing responsible disclosure policy, we are planning to implement a public bug bounty programme for our external facing services.

This work item was migrated from the Information Security Quarterly Planning.

We are supporting the development of an independent TF-CSIRT and intend to join the Supervisory Board of the new Dutch foundation.

This work was completed in Q3 2023. 

This work item was migrated from the Information Security Quarterly Planning.

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

The work started in 2022 and is expected to be completed in 2023-2024.

This work item was migrated from the Information Security Quarterly Planning.

To supplement our existing responsible disclosure policy, we have implemented a private bug bounty programme with the vendor Intigriti for our external facing services.

Researchers are invited to participate in the RIPE NCC programme and identify security vulnerabilities for our external perimeter and services. The identified vulnerabilities are triaged internally and according to their criticality, a bug bounty is paid out.

The work was completed in Q4 2022.

This work item was migrated from the Information Security Quarterly Planning.

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

The work started in 2022 and is expected to be completed in 2023-2024.

This work item was migrated from the Information Security Quarterly Planning.

To supplement our existing responsible disclosure policy, we are planning to implement a public bug bounty programme for our external facing services.

This work item was migrated from the Information Security Quarterly Planning.

We are supporting the development of an independent TF-CSIRT and intend to join the Supervisory Board of the new Dutch foundation.

This work was completed in Q3 2023. 

This work item was migrated from the Information Security Quarterly Planning.

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

The work is expected to be completed in 2023-2024.