Information security SURF services

We pay close attention to the information security of our own services and of the services we procure for institutions. In this way, we minimise the risk that data processed by our services is misused, and thus the impact of security incidents. A number of SURF services are ISO 27001-certified.

Information security policy

Principles of information security

In terms of information security, SURF aligns itself as much as possible with sectoral and general standards. SURF's information security policy is based on the SCIPR template for information security policy, which contains five principles. These principles are:

  • Risk-based: we base measures on the potential security risks of our information, processes and IT facilities.
  • Everyone: everyone is and feels responsible for the correct and secure use of resources and powers.
  • Always: information security is in the DNA of all our work.
  • Security by design: information security is an integral part of every project or change involving information, processes and IT facilities from the start.
  • Security by default: users only have access to information and IT facilities that they need for their work. Opening up information is a conscious choice.

View the SURF information security policy (pdf)

Baseline Information Security SURF

The technical and procedural measures are elaborated in the Baseline Information Security SURF (BIS). It is based on the measures of the ISO 27002 standard for information security. All SURF services must comply with the BIS. The BIS is currently undergoing a major update to comply with the latest laws and regulations in 2024.

View SURF's Baseline Information Security (pdf)

Assurance

SURF has set up an Information Security Management System (ISMS) containing a number of cyclical processes to ensure that our services continue to meet the standards of the Baseline Information Security SURF and the ISO 27001 framework. Examples of these processes are periodic internal audits and self-assessments. In the ISMS, we keep track of their findings and set out actions. This way, continuous improvement and adjustment take place.

Information and suitability classification

SURF works with two risk levels for the components Availability and Integrity/Reliability for information security, namely standard and high. The level standard provides a level of protection that can be considered approximately sufficient for confidential data (multifactor authentication is standard, for example).

Our services have a suitability classification: an indication of the data for which the service is suitable, so that you can quickly see the protection level at which a SURF service has been set up. Always check that this corresponds to your own organisation's agreements.

The overview below shows whether a service falls under ISO certification and at what level a service is protected. In the BIS you will find the corresponding security measures, so you can check what that protection entails. Bear in mind that a service may have different requirements on certain aspects depending on the nature of that service. Based on a risk analysis, the service implements the BIS measures as far as they are relevant. This suitability classification is intended as an aid and does not replace contractual agreements; you cannot derive any rights from it.

The level standard at SURF already provides a solid level of protection. Do you have questions about a service's protection measures? Click through and ask your question at the service itself.

NB Components of services and advisory services such as OZON, Vendor Compliance, CSY, etc. are not included in the overview.

Services overview: suitability classification and ISO certification

| Service name | ISO 27001 certification (V = certified) | Availability | Integrity & Confidentiality |
|---|---|---|---|
| Copyright.com | | standard | standard |
| Cloud Research Consultancy (CCS, MS4) | V | N/A | standard |
| SURFcert | ** | N/A | N/A |
| SURFcertificates | V | standard | standard |
| SURFconext | V | standard* | standard* |
| CopyrightCheck | | standard | standard |
| SURFcumulus | V | standard | standard |
| Dashboard | | standard | standard* |
| SURF Data Repository | V | standard | standard |
| Data Archive (plus B2SAFE) | V | standard | standard |
| Data Persistent Identifiers (PID) | V | standard | standard |
| SURF domains | | standard | standard |
| SURFdrive | V | high | standard* |
| edubadges | | standard | standard* |
| SURFeduhub | | standard | standard |
| eduID | | standard* | standard* |
| eduroam | | standard | standard |
| edusources | | standard | standard |
| eduVPN | V | standard* | standard |
| SURFfilesender | | standard | standard* |
| SURFfirewall | | standard* | standard* |
| HBO Knowledge bank | | standard | standard |
| HPC Cloud | V | standard* | standard* |
| High-performance data processing - dCache | V | standard* | standard* |
| High-performance data processing - Grid/GSP | V | standard | standard* |
| High-performance data processing - Spider | V | standard | standard* |
| Content Procurement | | standard | standard |
| IT Procurement | | standard | standard |
| iotroam | | standard | standard |
| iRODS Hosting | V | standard | standard* |
| Jupyter Notebook Hub | V | standard | standard |
| Choose Custom | | standard | standard |
| SURFmail Filter | | standard | standard |
| MySURFmarket | | standard | standard |
| SURFnetwork (Internet and lightpaths) | | standard* | standard* |
| NL Source | | standard | standard |
| Object Store | V | standard* | standard* |
| Publinova | | standard | standard |
| RDM Storage Scale-out | V | standard | standard* |
| SURF Research Access Management (SRAM) | V | standard* | standard* |
| SURF Research Cloud | V | standard* | standard* |
| Research Drive | V | high | standard* |
| SURFsecureID | V | standard* | standard* |
| SURFsharekit | | standard | standard |
| National Supercomputer Snellius | V | standard | standard |
| SURFsoc | | standard* | standard* |
| SURFspot | | standard | standard |
| Visualisation | V | standard | standard |
| SURFwireless | | standard | standard |
| Yoda hosting | V | standard | standard* |

* Under evaluation for protection level 'high' for availability and/or integrity and confidentiality

** SURFcert is certified by Trusted Introducer and a member of FIRST

ISO 27001-certified services

The statement of applicability states the current scope of SURF's ISO 27001 certification. An external audit takes place annually in which compliance with this standard is tested. We are gradually expanding the scope of certification to more SURF services. The aim is for the certification to apply to all services by the end of 2024.

View SURF's ISO 27001 certificate (pdf)

Statement of applicability version 6.0 (pdf)

Questions?

Do you have questions or comments about SURF's information security policy or the BIS? If so, please contact our CISO Raoul Vernède at raoul.vernede@surf.nl.

Documents on SURF's information security policy

Frequently asked questions

What is the difference between SURF security baseline for education and research and the BIS (Baseline Information Security SURF) used by SURF?

The SURF security baseline was developed for and by SURF's members and has a specific elaboration for the education and research sector. The BIS (see above) is used internally at SURF as a baseline and contains control measures tailored to SURF. The BIS supports the Information Security Management System (ISMS), which covers such things as risk management, continuous improvement via the PDCA cycle, and audits; together with the information security policy and operational guidelines, it forms SURF's information security policy.

Both baselines are based on ISO 27001/27002 as best practice, to be tailored by each organisation to the specific risks and requirements of its stakeholders.

What is the difference between SURFaudit and ISO 27001 and why does SURF not use the SURFaudit information security assessment framework?

SURFaudit was developed for and by educational institutions and research organisations and is partly based on the ISO 27000 approach. SURFaudit was developed as a self-assessment for an organisation to determine its maturity level per information security component and as a whole (scores range from 1 to 5). Using a maturity level also makes it possible to compare this score with other similar organisations and to visualise growth over time.

For IT service organisations such as SURF, use of the internationally recognised ISO 27001 standard is more common. They can be certified on the basis of external audits by an independent party. A SURFaudit maturity score of 3-5 roughly corresponds to ISO 27001 certification. A large number of SURF services are covered by ISO 27001 certification (see the list above).

What is the difference between the BIO (Baseline Information Security Government) and the BIS used by SURF?

The BIO was drafted for government organisations. SURF is an IT organisation, which means that SURF cannot adopt some of the government-specific measures contained in the BIO. Moreover, SURF has decided to make some of the measures included in the BIO stricter in its own BIS. If you would like to know more about the differences between the BIO and the BIS, please contact us at cisoteam@surf.nl.

What is NEN7510 and does SURF also comply with it?

NEN7510 is similar to ISO 27001, but is specifically for organisations in the healthcare sector. Its elaboration of the standard components includes some additional measures. Suppliers to healthcare organisations are often expected to comply with NEN7510, especially if personal health information is processed. SURF does not comply with the NEN7510 standard. In many cases, ISO 27001 certification is also sufficient for a supplier to demonstrate that information security is in order in the services and/or products provided, sometimes with an explanation of specific measures, such as access security and encryption. That is why the ISO 27001 certificate is also important for SURF.

What is the SURF suitability classification of a service and what does it mean for me as a user/customer?

The SURF suitability classification is a designation that helps to quickly assess the level of protection offered by a given IT service. The classification (standard or high) corresponds to the required measures as listed in the BIS. It remains the responsibility of the data owner and thus data controller to determine for themselves whether these measures are sufficient or whether additional measures are needed. The suitability classification is intended as an aid; for the provision of services, contractual agreements remain binding.

Must all components of a SURF service meet the specified suitability rating level?

The short answer to this is yes. Within the BIS, a distinction is made between the protection levels standard and high for the aspects of availability and integrity/confidentiality together. All relevant components of a SURF service, whether provided (partly) internally by SURF or purchased (partly) from external suppliers, must comply with the required relevant security measures.