Information security and compliance
We take the security of our systems and users very seriously and are committed to continuously improving it.
At Shift2, we strive for a future where taking care of government business is as easy as using your favorite app on your phone. We believe in creating reliable open solutions and digital systems that benefit society so that everyone can conduct government business effortlessly.
The reliability of information is essential here, especially for our customers with public tasks. On top of this, organizations are increasingly being asked to demonstrate compliance with requirements and standards.
Our approach
At Shift2, we are aware of the responsibility we bear regarding our customers' data, including public and confidential data. We understand that this data must be appropriately protected through technical and organizational measures. Our approach supports governments in complying with the Government Information Security Baseline (BIO) and the Network and Information Systems Directive (NIS2), among others. Although as an external service provider we are not directly subject to the BIO, we understand its critical importance to our clients. Therefore, we have had our services certified to ISO 9001 (quality) and ISO 27001 (information security).
Certifications
Achieving these certifications is an important milestone for us. It demonstrates that we have met international information security standards since 2018 and continue to proactively address changing requirements and best practices, given the rapidly changing cybersecurity landscape. We intend to continue these certifications.
ISO 27001 Information Security
The ISO 27001 standard specifies requirements for establishing, implementing, executing, monitoring, assessing and maintaining an Information Security Management System (ISMS). This provides a framework for identifying, assessing and managing information security risks. By applying the best practices of ISO 27002, we ensure the confidentiality, integrity and availability of information. ISO 27001 emphasizes a risk-based approach, allowing us to proactively respond to potential threats and vulnerabilities.
ISO 9001 Quality Management
ISO 9001 sets requirements for a quality management system, including quality policy, process management and customer orientation. By working according to ISO 9001, we ensure the quality of our services and increase customer satisfaction. It demonstrates that Shift2 complies with relevant laws and regulations and is committed to customer satisfaction.
Scope of certifications
Shift2 has the entire scope of services certified for both ISO 9001 and ISO 27001. The scope is as follows: "Developing, selling, implementing, hosting and managing web applications."
Government Information Security Baseline (BIO)
The Government Information Security Baseline (BIO) is a guideline that establishes the minimum requirements for information security within the Dutch government. Based on international standards such as ISO 27001 and ISO 27002, it helps government organizations protect their information and systems from threats. The BIO is mandatory for all government agencies and serves as the basis for their information security policies.
Shift2 is noted as an "external service provider" and helps clients meet the requirements of the BIO. The new version of the BIO, based on ISO 27002:2022, aligns seamlessly with our recently achieved ISO certification. This means that our services and products are in line with government requirements.
DigiD assessment
Each connection to DigiD is tested annually according to the standards framework of the DigiD ICT Security Assessment, based on the security guidelines of the National Cyber Security Center (NCSC). As a SaaS provider, we can have all 21 standards audited centrally and provide a Third Party Memorandum (TPM) for them. The TPM demonstrates that we as a vendor meet the standards imposed on the so-called service organization. The TPM will be delivered by mid-October so that our customers can meet the ENSIA schedule. Since the introduction of the DigiD assessment in 2012, Shift2 has successfully met all required standards.
Cloud compliance
All of Shift2's hosting takes place within the European Economic Area (EEA). Our hosting provider offers a comprehensive and future-proof cloud computing platform that provides a wide range of infrastructure services. This platform is known for its reliability, scalability and security. This allows us to manage our web applications and services flexibly and cost-effectively, with the assurance of a secure and stable environment that meets the highest standards for data protection and privacy.
The hosting provider meets the following standards and certifications, among others:
- Relevant certifications: ISO 22301 (Security and Resilience), ISO 27001 (Security Management Controls), ISO 27017 (Cloud Specific Controls), ISO 27701 (Privacy Information Management), ISO 27018 (Personal Data Protection)
- Assurance reporting: SOC 2 Type 2 (Security, Availability, & Confidentiality Report)
- CISPE Code: Our hosting provider commits to strict data protection and privacy standards in providing cloud infrastructure services according to the CISPE Code.
Complying with laws and regulations
Keeping up with future legal developments regarding security requires a proactive approach. This is a requirement of ISO 27001, ISO 9001 and the BIO. Monitoring of laws and regulations is part of our management system. Shift2 collaborates with relevant authorities and industry organizations, such as the Information Security Service for municipalities (IBD) and the Association of Dutch Municipalities (VNG), to keep abreast of the latest developments.
Confirmation of compliance
At Shift2, we are committed to obtaining regular confirmation that we comply with all relevant information security and quality management requirements and standards. We do this through means such as:
- Independent audits: Our ISO 9001 and ISO 27001 certifications are periodically reviewed by independent auditors. These audits ensure that our Information Security Management System (ISMS) and quality management system continually meet international standards and remain in line with the latest best practices and regulations.
- External reviews: In addition to annual DigiD pen tests, we have our systems and processes regularly reviewed by external experts. This includes penetration tests, risk analyses and security reviews to ensure we are prepared for potential threats and vulnerabilities.
Responsible Disclosure
At Shift2, we take the security of our systems and users very seriously and are committed to continuously improving it. Despite all precautions, it may happen that a vulnerability is found in our systems. To stay one step ahead of malicious actors, we encourage anyone who discovers a vulnerability to report it to us. We have established a responsible disclosure policy for this purpose, which allows security researchers and users to safely and responsibly report vulnerabilities.
Emiel Duinisveld, Chief Information Security Officer (CISO) Shift2:
"Every time, it is nice to receive confirmation from an independent auditor that our information security efforts are producing the desired results. In particular with the DigiD assessment, where a penetration test also examines both the web application and the infrastructure in detail."
Questions about our information security and certifications?
If you have questions about information security or Shift2's certifications, please contact Emiel Duinisveld, Chief Information Security Officer. You can also request the certificates and the corresponding Declaration of Applicability (CoA) from Emiel.