Decos is no stranger to complying with national, international and sector-specific standards and agreements.
For instance, we have long been certified according to ISO/IEC 27001:2017, the globally recognised international standard for information security management. We also adhere to ISO 16175 (previously NEN 2082), which governs records management and archiving. In addition, we are familiar with the Dutch Government Information Security Baseline (BIO). The BIO describes how the NEN-ISO/IEC 27001:2017 and NEN-ISO/IEC 27002:2017 standards are to be interpreted for the government.
Our current ISO27001:2017 certificate and accompanying statement of applicability can be found here.
Another example of the standards we follow is the 'comply or explain' list of the Standardization Forum. Not everything on this list applies to Decos. The list contains a number of items that we receive many questions about. Below we briefly describe how Decos meets, or intends to comply with, each of them:
- DNSSEC: Per our policy this is implemented by default for our public services. For DNSSEC to work fully, every component in the resolution chain must support it. Currently, Microsoft Azure (Azure) does not (yet) support DNSSEC in their environment. That is why a 100% DNSSEC check is not possible for some of our products. It is good to know that the root of our DNS zone is correctly signed and registered with our provider True. As soon as Azure starts supporting DNSSEC, we will do the same;
- IPv6: Per our policy this is implemented by default for our public services. We use Microsoft Azure (Azure) to offer these services. A solution to offer IPv6 connectivity within Azure is the use of Azure Front Door (AFD). However, the use of AFD can cause the DNSSEC check to no longer be 100%;
- DDoS protection: Services running on Azure are inherently protected by Azure's standard infrastructure-level DDoS protection. Do note that this is the basic protection, not the separately available Azure DDoS Protection Standard tier.
We are also in the process of implementing the SOC2 category of the Service Organisation Controls (SOC) framework. A SOC2 audit measures the effectiveness of a Cloud Service Provider's (CSP) controls against the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria. The process first results in a SOC2 type 1 report (design/existence) and, after a fixed agreed period (often 3, 6 or 12 months), in a SOC2 type 2 report (operating effectiveness).
Decos has an ISAE 3000 / SOC2 type 1 report. This report can be requested via your account manager; a fee is charged for receiving it. We expect the first SOC2 type 2 report at the beginning of Q3 2022.
For the products for which we offer a DigiD connection, we also meet the standard set by Logius. For this, Decos is audited by an approved auditor affiliated with Norea. An up-to-date assurance report of this audit is available to our (future) DigiD customers.