Information security and compliance
We take the security of our systems and users very seriously and attach great importance to continuously improving them.

At Shift2, we strive for a future in which dealing with government affairs is as easy as using your favorite app on your phone. We believe in creating reliable open solutions and digital systems that benefit society, so that everyone can deal with government affairs effortlessly.
The reliability of information is essential in this regard, especially for our customers with public responsibilities. In addition, organizations are increasingly being asked to demonstrate that they comply with requirements and standards.
Our approach
At Shift2, we are aware of our responsibility with regard to our customers' data, including public and confidential data. We understand that this data must be adequately protected by means of technical and organizational measures. Our approach supports governments in complying with the Baseline Information Security Government (BIO) and the Network and Information Systems Directive (NIS2), among other things. Although we, as an external service provider, are not directly subject to the BIO, we understand its crucial importance to our customers. That is why we have had our services certified for ISO 9001 (quality) and ISO 27001 (information security).


Certifications
Achieving these certifications is an important milestone for us. It demonstrates that we have been complying with international information security standards since 2018 and continue to proactively respond to changing requirements and best practices, given the rapidly changing cybersecurity landscape. We intend to continue these certifications.
ISO 27001 Information Security
The ISO 27001 standard specifies requirements for establishing, implementing, executing, monitoring, evaluating, and maintaining an Information Security Management System (ISMS). This provides a framework for identifying, assessing, and controlling information security risks. By applying the best practices of ISO 27002, we guarantee the confidentiality, integrity, and availability of information. ISO 27001 emphasizes a risk-based approach, enabling us to respond proactively to potential threats and vulnerabilities.
ISO 9001 Quality Management
ISO 9001 sets requirements for a quality management system, including quality policy, process management, and customer focus. By working in accordance with ISO 9001, we guarantee the quality of our services and increase customer satisfaction. It demonstrates that Shift2 complies with relevant laws and regulations and considers customer satisfaction to be of paramount importance.
Scope of certifications
Shift2 has certified its entire scope of services for both ISO 9001 and ISO 27001. The scope is as follows: "The development, sale, implementation, hosting, and management of web applications."
Baseline Information Security Government (BIO)
The Baseline Information Security Government (BIO) is a guideline that sets the minimum requirements for information security within the Dutch government. It is based on international standards such as ISO 27001 and ISO 27002, and helps government organizations protect their information and systems against threats. The BIO is mandatory for all government agencies and serves as the basis for their information security policy.
Shift2 is recognized as an "external service provider" and helps customers comply with BIO requirements. The new version of the BIO, based on ISO 27002:2022, aligns seamlessly with our recently obtained ISO certification. This means that our services and products are in line with government requirements.
DigiD assessment
Every connection to DigiD is assessed annually in accordance with the standards framework of the DigiD ICT security assessment, based on the security guidelines of the National Cyber Security Center (NCSC). As a SaaS provider, we can have all 21 standards centrally audited and issue a Third Party Memorandum (TPM) for them. The TPM demonstrates that we, as a supplier, comply with the standards imposed on the so-called service organization. The TPM will be delivered by mid-October, so that our customers can comply with the ENSIA planning. Since the introduction of the DigiD assessment in 2012, Shift2 has successfully complied with all required standards.
Cloud compliance
All Shift2 hosting takes place within the European Economic Area (EEA). Our hosting provider offers a comprehensive and future-proof cloud computing platform that delivers a wide range of infrastructure services. This platform is known for its reliability, scalability, and security. This enables us to manage our web applications and services flexibly and cost-effectively, with the assurance of a secure and stable environment that meets the highest standards for data protection and privacy.
The hosting provider complies with the following standards and certifications, among others:
- Relevant certifications: ISO 22301 (Security and Resilience), ISO 27001 (Security Management Controls), ISO 27017 (Cloud Specific Controls), ISO 27701 (Privacy Information Management), ISO 27018 (Personal Data Protection)
- Assurance reporting: SOC 2 Type 2 (Security, Availability, & Confidentiality Report)
- CISPE Code: Our hosting provider commits to strict data protection and privacy standards when providing cloud infrastructure services in accordance with the CISPE Code.
Compliance with laws and regulations
Ensuring compliance with future legal developments regarding security requires a proactive approach. This is a requirement under ISO 27001, ISO 9001, and the BIO. Monitoring legislation and regulations is part of our management system. Shift2 works together with relevant authorities and industry organizations, such as the Information Security Service for municipalities (IBD) and the Association of Netherlands Municipalities (VNG), to stay up to date with the latest developments.
Confirmation of compliance
At Shift2, we attach great importance to regularly confirming that we comply with all relevant requirements and standards in the field of information security and quality management. We do this by means of, among other things:
- Independent audits: Our ISO 9001 and ISO 27001 certifications are periodically assessed by independent auditors. These audits ensure that our Information Security Management System (ISMS) and quality management system continuously comply with international standards and remain in line with the latest best practices and regulations.
- External assessments: In addition to the annual penetration tests conducted as part of DigiD, we regularly have our systems and processes assessed by external experts. This includes penetration tests, risk analyses, and security reviews to ensure that we are prepared for potential threats and vulnerabilities.
Responsible Disclosure
At Shift2, we take the security of our systems and users very seriously and attach great importance to continuously improving it. Despite all precautions, vulnerabilities may be found in our systems. To stay one step ahead of malicious parties, we encourage anyone who discovers a vulnerability to report it to us. We have a responsible disclosure policy that allows security researchers and users to report vulnerabilities safely and responsibly.
Emiel Duinisveld, Chief Information Security Officer (CISO) Shift2:
“It is always nice to receive confirmation from an independent auditor that our efforts in the field of information security are yielding the desired results. This is particularly true of the DigiD assessment, which also involves a penetration test to thoroughly examine both the web application and the infrastructure.”
Questions about our information security and certifications?
If you have any questions about information security or Shift2's certifications, please contact Emiel Duinisveld, Chief Information Security Officer. You can also request the certificates and the accompanying Statement of Applicability (SoA) from Emiel.
