We require ISO certification for ourselves and for our data centre partners as proof of adherence to strict controls and processes.
ISO/IEC 27001 is an internationally recognised best practice framework for an information security management system (ISMS), a suite of activities that governs the management of information security risks. The ISMS is an overarching management framework that enables us to effectively identify, analyse and address information security risks. The ISMS also ensures that our security arrangements are fine-tuned to keep up with the ever-changing security threats, vulnerabilities and business impacts that our company faces.
Certified compliance with ISO/IEC 27001 by an accredited and respected certification body is voluntary, but at grexx we believe that through this certification we are able to demonstrate to our customers, employees and other stakeholders that the security of their information is fundamental to our business. We also require that any data centre we use holds the same certification.
The certification to this standard means that we:
- Identify risks and vulnerabilities, and implement suitable controls in a timely manner to manage or reduce them before they can cause any harm
- Demonstrate that our compliance with this standard and our commitment to information security are verified and vetted by an accredited and respected certification body
- Understand the need to protect company information and to provide the necessary resources to ensure we can do so effectively and with continuous improvement
We are committed to providing consistent and reliable service. One way we give our customers detailed, third-party assurance of this is by conforming to the International Standard on Assurance Engagements (ISAE) No. 3402. ISAE 3402 was issued by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). At grexx, we adopted this standard in 2011.
ISAE 3402 was developed to allow accounting firms to report on the system of internal control over financial reporting at a user organization. This means an independent third party is verifying that grexx is smart, secure and efficient.
There are two types of Service Auditor's Reports: Type 1 and Type 2.
A Type 1 report contains the company's description of its controls at a specific point in time. A Type 2 report not only includes the company's description of its controls, but also includes detailed testing of those controls over a minimum six-month period. At grexx, we have committed to conducting an ISAE 3402 Type 2 audit every year. In our ISAE 3402 report you will find information such as:
- The independent service auditor's report
- Our description of controls
- Information provided by the independent service auditor, including a description of the service auditor's tests of operating effectiveness and the results of those tests
- Other relevant information we provided to complete the report
NEN 7510 was developed specifically for the Dutch healthcare sector and helps healthcare organizations take appropriate security measures. Topics covered by NEN 7510 include ensuring the availability, integrity and confidentiality of all information for the purpose of responsible patient care.
NEN 7510 describes measures for handling information adequately, and requires that these measures be designed so that they can be monitored and controlled in accordance with the standard. NEN 7510 applies to the security of all types of information in and between the relevant organizations, and to all possible forms in which that information is displayed, recorded and transferred. A risk assessment is required in order to determine the required level of confidentiality, integrity and availability of that information.