Integrity

Warnings on external communication

Communication coming from outside the organisation needs to be clearly distinguishable from internal communication, with warnings that the originating party is outside the organisation. This includes electronic messages received...

Technical email security

IT components send emails to end-users using an email address ending in a top-level domain for which the organisation is legally responsible. Mail servers take measures to prevent the reception and...

Email forwarding

Automatic forwarding of email to external addresses is denied by default.

Encrypted connections

All data in transit is transferred over encrypted connections, using the encrypted versions of protocols or encapsulation of plaintext protocols over encrypted connections.

Offline backup

All critical backup media, documentation and other IT resources needed for IT recovery, and business continuity plans are stored offsite. The content of backup storage is determined after collaboration between...

Datacenter uptime

Data centres used in the processing of information take appropriate measures to guarantee continued uptime.

Backup procedure

For every system a documented backup procedure is available with values for the RPO (Recovery Point Objective, maximum tolerable amount of data that can be lost) and RTO (Recovery Time...

Supplier Security Management

Before engaging in an agreement with a supplier of an IT-service, an information security risk assessment is performed. Contractual agreements regarding information security are made with suppliers of IT-services. Suppliers...

Software Bill-of-Materials

The organisation must know what software is used on managed devices, including a Software “Bill-of-Materials” (BOM) of libraries and components.

Domain reservations

Domain names reserved for organisational purposes cannot be released shortly after the domain name is no longer needed. A list of domain names that can never be released needs...