Technical & Organizational Measures
Last Updated: 01 February 2024
1. Introduction
As a DATA PROCESSOR acting on behalf of our clients, the effective Data Owners and Data Controllers, beqom is committed to implement and maintain a robust Security Concept designed to achieve a high level of security while complying with privacy requirements and operational constraints.
This document summarizes those Technical and Organizational Measures (TOMs) we have taken in order to secure and protect data entrusted to beqom by our clients.
2. Compliance
beqom has implemented and maintained compliance with industry standards for Information Security and Privacy Management practices. Compliance is assessed by an independent 3rd party and beqom will share relevant certifications and materials with customers under a Non-Disclosure Agreement.
beqom has appointed a Chief Privacy Officer to address all privacy matters. If you have any questions related to our practices or to this document, please contact us at [security.officer@beqom.com].
3. Security Requirements
With respect to Personal Data, the DATA PROCESSOR has to comply with the below technical and organizational Security Requirements, in accordance with the EU data processing requirements (see Article 32 EU-GDPR).
| 3.1 INFORMATION SECURITY POLICIES AND ORGANIZATION | ISO27001 |
| A set of policies for information security is defined, approved by management, published, and communicated to employees and relevant external parties. | 5.1.1 |
| The policies for information security are reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. | 5.1.2 |
| All information security responsibilities are defined and allocated. | 6.1.1 |
| Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of DATA PROCESSOR’s assets. | 6.1.2 |
| Appropriate contacts with relevant authorities are maintained. | 6.1.3 |
| Appropriate contacts with special interest groups or other specialist security forums and professional associations are maintained. | 6.1.4 |
| Information security is addressed in project management, regardless of the type of project. | 6.1.5 |
| 3.2 HUMAN RESOURCES MANAGEMENT | ISO27001 |
| Background verification checks on all candidates for employment are carried out in accordance with relevant laws, regulations, and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. | 7.1.1 |
| The contractual agreements with employees and contractors state their and DATA PROCESSOR’s responsibilities for information security. | 7.1.2 |
| Management requires all employees and contractors to apply information security in accordance with the established policies and procedures of DATA PROCESSOR. | 7.2.1 |
| All employees of DATA PROCESSOR and, where relevant, contractors receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant to their job function. | 7.2.2 |
| There is a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | 7.2.3 |
| Information security responsibilities and duties that remain valid after termination or change of employment are defined, communicated to the employee or contractor and enforced. | 7.3.1 |
| 3.3 MANAGEMENT OF INFORMATION SECURITY INCIDENTS | ISO27001 |
| Management responsibilities and procedures are established to ensure a quick, effective, and orderly response to information security incidents. | A.16.1.1 |
| Information security events are reported through appropriate management channels as quickly as possible. | A.16.1.2 |
| Employees and contractors using the DATA PROCESSOR’s information systems and services are required to note and report any observed or suspected information security weaknesses in systems or services. | A.16.1.3 |
| Information security events are assessed and it is decided if they are to be classified as information security incidents. | A.16.1.4 |
| Information security incidents are responded to in accordance with the documented procedures. | A.16.1.5 |
| Knowledge gained from analyzing and resolving information security incidents is used to reduce the likelihood or impact of future incidents. | A.16.1.6 |
| DATA PROCESSOR defines and applies procedures for the identification, collection, acquisition, and preservation of information, which can serve as evidence. | A.16.1.7 |
| 3.4 PERSONAL DATA DISCLOSURE AND NOTIFICATION | ISO27018 |
| DATA PROCESSOR will notify the customer, in accordance with any procedure and time periods agreed in the contract, of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless such a disclosure is otherwise prohibited. | A.5.1 |
| Disclosures of Personal Data to third parties are recorded, including what Personal Data has been disclosed, to whom and at what time. | A.5.2 |
| DATA PROCESSOR will promptly notify the customer in the event of any unauthorized access to Personal Data or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of Personal Data. | A.9.1 |
| 3.5 INFORMATION CLASSIFICATION, ASSET MANAGEMENT & DISPOSAL | ISO27001 |
| Assets associated with information and information processing facilities are identified and an inventory of these assets is drawn up and maintained. | A.8.1.1 |
| Assets maintained in the inventory are owned. | A.8.1.2 |
| Rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented, and implemented. | A.8.1.3 |
| All employees and external party users return all DATA PROCESSOR-owned assets in their possession upon termination of their employment, contract or agreement. | A.8.1.4 |
| Information is classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. | A.8.2.1 |
| An appropriate set of procedures for information labeling is developed and implemented in accordance with the information classification scheme adopted by DATA PROCESSOR. | A.8.2.2 |
| Procedures for handling assets are developed and implemented in accordance with the information classification scheme adopted by DATA PROCESSOR. | A.8.2.3 |
| Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by DATA PROCESSOR. | A.8.3.1 |
| Media is disposed of securely when no longer required, using formal procedures. | A.8.3.2 |
| Security is applied to off-site assets, taking into account the different risks of working outside DATA PROCESSOR’s premises. | A.11.2.6 |
| All items of equipment containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | A.11.2.7 |
| 3.6 LOGICAL ACCESS CONTROL AND AUTHENTICATION | ISO27001 |
| An access control policy is established, documented and reviewed based on business and information security requirements. | A.9.1.1 |
| The allocation of secret authentication information is controlled through a formal management process. | A.9.2.4 |
| Users are required to follow the DATA PROCESSOR’s practices in the use of secret authentication information. | A.9.3.1 |
| Where required by the access control policy, access to systems and applications is controlled by a secure log-on procedure. | A.9.4.1 |
| Password management systems are interactive and shall ensure quality passwords. | A.9.4.2 |
| A policy and supporting security measures is adopted to manage the risks introduced by using mobile devices. | 6.2.1 |
| A policy and supporting security measures is implemented to protect information accessed, processed, or stored at teleworking sites. | 6.2.2 |
| Users ensure that unattended equipment has appropriate protection. | A.11.2.8 |
| A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities is adopted. | A.11.2.9 |
| 3.7 AUTHORIZATION | ISO27001 |
| A formal user registration and de-registration process is implemented to enable assignment of access rights. | A.9.2.1 |
| A formal user access provisioning process is implemented to assign or revoke access rights for all user types to all systems and services. | A.9.2.2 |
| The allocation and use of privileged access rights is restricted and controlled. | A.9.2.3 |
| Asset owners review users’ access rights at regular intervals. | A.9.2.5 |
| The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change. | A.9.2.6 |
| Information involved in application service transactions is protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay. | A.14.1.3 |
| 3.8 PHYSICAL ACCESS CONTROL AT BEQOM PREMISES | ISO27001 |
| Security perimeters are defined and used to protect areas that contain personal data and processing facilities. | A.11.1.1 |
| Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | A.11.1.2 |
| Physical security for offices, rooms, and facilities is designed and applied. | A.11.1.3 |
| Physical protection against natural disasters, malicious attacks, or accidents is designed and applied. | A.11.1.4 |
| Procedures for working in secure areas are designed and applied. | A.11.1.5 |
| 3.9 PHYSICAL ACCESS CONTROL AT THE CLOUD DATA-CENTER FACILITIES | AZURE AND AWS |
|
Security perimeters are defined and used to protect areas that contain personal data and processing facilities.
|
ISO27001 ISO27017 ISO27018 ISO27701 HIPAA FedRAMP SOC1 SOC2 UK G-Cloud … |
|
Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
|
|
|
Physical security for offices, rooms, and facilities is designed and applied.
|
|
|
Physical protection against natural disasters, malicious attacks, or accidents is designed and applied.
|
|
|
Procedures for working in secure areas are designed and applied.
|
|
|
Access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, are controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
|
| 3.10 NETWORK SECURITY | ISO27001 |
| Users are only provided with access to the network and network services that they have been specifically authorized to use | A.9.1.2 |
| Networks are managed and controlled to protect information systems and applications. | A.13.1.1 |
| Security mechanisms, service levels, and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced. | A.13.1.2 |
| Groups of information services, users, and information systems are segregated on networks. | A.13.1.3 |
| 3.11 SECURE SYSTEM DEVELOPMENT | ISO27001 |
| The information-security related requirements are included in the requirements for new information systems or enhancements to existing information systems. | A.14.1.1 |
| Rules for the development of software and systems are established and applied to developments within DATA PROCESSOR. | A.14.2.1 |
| Principles for engineering secure systems are established, documented, maintained, and applied to any information system implementation efforts. | A.14.2.5 |
| DATA PROCESSOR established and appropriately protects secure development environments for system development and integration efforts that cover the entire system development lifecycle. | A.14.2.6 |
| DATA PROCESSOR supervises and monitors the activity of outsourced system development. | A.14.2.7 |
| Access to program source code is restricted. | A.9.4.5 |
| 3.12 LOGGING AND LOG MANAGEMENT | ISO27001 |
| Event logs recording user activities, exceptions, faults, and information security events are produced, kept, and regularly reviewed. | A.12.4.1 |
| Logging facilities and log information are protected against tampering and unauthorized access. | A.12.4.2 |
| System administrator and system operator activities are logged and the logs protected and regularly reviewed. | A.12.4.3 |
| 3.13 TECHNICAL VULNERABILITY MANAGEMENT AND PROTECTION FROM MALWARE | ISO27001 |
| Information about technical vulnerabilities of information systems being is obtained in a timely fashion, DATA PROCESSOR’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | A.12.6.1 |
| Detection, prevention, and recovery controls to protect against malware are implemented, combined with appropriate user awareness. | A.12.3.1 |
| 3.14 USE OF CRYPTOGRAPHY | ISO27001 |
| A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | A.10.1.1 |
| A policy on the use, protection, and lifetime of cryptographic keys is developed and implemented through their whole lifecycle. | A.10.1.2 |
| Cryptographic controls are used in compliance with all relevant agreements, legislation and regulations. | A.18.1.3 |
| 3.15 INPUT CONTROL | ISO27018 |
| The collection of Personal Data is limited to that which is within the bounds of applicable law DATA PROTECTION LAW and strictly necessary for the specified purpose(s). | A.3 |
| DATA PROCESSOR provides the customer with the means to enable them to fulfill their obligation to facilitate the exercise of Personal Data subjects’ rights to access, correct and/or erase Personal Data pertaining to them. | A.1.1 |
| DATA PROCESSOR implements appropriate measures that enable Personal Data subjects to access, check, update/correction and removal of their data. | A.8 |
| 3.16 DATA TRANSFER CONTROL | ISO27001 |
| Formal transfer policies, procedures, and controls are in place to protect the transfer of information through the use of all types of communication facilities. | A.13.2.1 |
| Agreements address the secure transfer of business information between DATA PROCESSOR and external parties. | A.13.2.2 |
| Information involved in electronic messaging is appropriately protected. | A.13.2.3 |
| Information involved in application services passing over public networks are protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. | A.14.1.2 |
| Media containing information is protected against unauthorized access, misuse, or corruption during transportation. | A.8.3.3 |
| Requirements for confidentiality or non-disclosure agreements reflecting DATA PROCESSOR’s needs for the protection of information are identified, regularly reviewed, and documented. | A.13.2.4 |
| Individuals under DATA PROCESSOR’s control with access to Personal Data are subject to a confidentiality obligation. |
ISO 27018 - A.10.1
|
| 3.17 DATA SEPARATION | ISO27001 |
| Access to information and application system functions is restricted in accordance with the access control policy. This includes the isolation of Personal Data in multi-tenant systems. | A.9.4.1 |
| Development, testing, and operational environments are separated to reduce the risks of unauthorized access or changes to the operational environment. | A.12.1.4 |
| Test data is selected carefully, protected, and controlled. | A.14.3.1 |
| 3.18 CONTROL OF INSTRUCTIONS | ISO27018 |
| Personal Data to be processed under a contract will not be processed for any purpose independent of the instructions of the customer. | A.2.1 |
| Personal Data processed under a contract is not used by DATA PROCESSOR for the purposes of marketing and advertising without express consent. Such consent will not be a condition of receiving the service. | A.2.2 |
| Copies of security policies and operating procedures are retained for a specified, documented period upon replacement (including updating). | A.9.2 |
| 3.19 CONTROL OF INSTRUCTIONS (THIRD PARTY SUBCONTRACTING) | ISO27001 |
| Information security requirements for mitigating the risks associated with Supplier’s SUBPROCESSOR’s access to the DATA PROCESSOR’s assets is agreed upon with the Supplier SUBPROCESSOR and documented. | A.15.1.1 |
| All relevant information security requirements are established and agreed upon with each Supplier SUBPROCESSOR that may access, process, store, communicate, or provide IT infrastructure components for the DATA PROCESSOR’s information. | A.15.1.2 |
| Agreements with Suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain. | A.15.1.3 |
| DATA PROCESSOR regularly monitors, reviews, and audits Supplier SUBPROCESSOR service delivery. | A.15.2.1 |
| Changes to the provision of services by Suppliers, including maintaining and improving existing information security policies, procedures, and controls, are managed, taking account of the criticality of business information, systems, and processes involved and re-assessment of risks. | A.15.2.2 |
| Contracts between DATA PROCESSOR and any subcontractors that process Personal Data specify minimum technical and organizational measures that meet the information security and Personal Data protection obligations of DATA PROCESSOR. Such measures will not be subject to unilateral reduction by the sub-contractor. |
ISO 27018 - A.10.12
|
| 3.20 CHANGE CONTROL | ISO27001 |
| Operating procedures will be made available to all entitled users who need them. | A.12.1.2 |
| Changes to systems within the development lifecycle are controlled by the use of formal change control procedures. | A.14.2.2 |
| When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on operations or security. | A.14.2.3 |
| Modifications to software packages are discouraged, limited to necessary changes, and all changes shall be strictly controlled. | A.14.2.4 |
| Testing of security functionality is carried out during development. | A.14.2.8 |
| Acceptance testing programs and related criteria is established for new information systems, upgrades, and new versions. | A.14.2.9 |
| Procedures are implemented to control the installation of software on operational systems. | A.12.1.2 |
| Rules governing the installation of software by users are established and implemented. | A.12.6.2 |
| 3.21 AVAILABILITY CONTROL (BACKUP) | ISO27001 |
| Backup copies of information, software, and system images are taken and tested regularly in accordance with an agreed backup policy. | A.12.3.1 |
| Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release in accordance with legislatory, regulatory, contractual, and business requirements. | A.18.1.3 |
| 3.22 AVAILABILITY CONTROL (BUSINESS CONTINUITY AND DISASTER RECOVERY) | ISO27001 |
| DATA PROCESSOR determines its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | A.17.1.1 |
| DATA PROCESSOR establishes, documents, implements and maintains processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | A.17.1.2 |
| DATA PROCESSOR verifies the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | A.17.1.3 |
| Information processing facilities are implemented with redundancy sufficient to meet availability requirements. | A.17.2.1 |
| 3.23 AVAILABILITY CONTROL (OPERATIONAL ASPECTS) | ISO27001 |
| The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled. | A.9.4.4 |
| The use of resources is monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | A.12.1.3 |
| The clocks of all relevant information processing systems within a security domain are synchronized to a single reference time source. | A.12.4.4 |
| Audit requirements and activities involving verification of operational systems are carefully planned and agreed to minimize disruptions to business processes. | A.12.7.1 |
| Operating procedures will be made available to all entitled users who need them. | A.12.1.1 |
| 3.24 AVAILABILITY CONTROL (ENVIRONMENTAL SECURITY) | ISO27001 |
| Equipment is sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | A.11.2.1 |
| Equipment is protected from power failures and other disruptions caused by failures in supporting utilities. | A.11.2.2 |
| Power and telecommunications cabling carrying data or supporting information services are protected from interception, interference, or damage. | A.11.2.3 |
| Equipment is correctly maintained to ensure its continued availability and integrity. | A.11.2.4 |
| Equipment, information, or software is not taken off-site without prior authorization. | A.11.2.5 |
| 3.25 COMPLIANCE | ISO27001 |
| DATA PROCESSOR’s approach to managing information security and its implementation is reviewed independently at planned intervals or when significant changes occur. Relevant certificates are shared with customers. | A.18.2.1 |
| Information systems are regularly reviewed for compliance with DATA PROCESSOR’s information security policies and standards. | A.18.2.3 |
| Managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements. | A.18.2.2 |
| All relevant legislative statutory, regulatory, contractual requirements, and DATA PROCESSOR’s approach to meet these requirements are explicitly identified, documented, and kept up to date for each information system and DATA PROCESSOR. | A.18.1.1 |
| Appropriate procedures are implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products. | A.18.1.2 |
| Privacy and protection of personally identifiable information is ensured as required in relevant legislation and regulation where applicable. | A.18.1.4 |
4. Crossborder Transfer
As between beqom and its subprocessors processing of Personal Data outside the EEA, UK and/or Switzerland, beqom has entered into the EU Standard Contractual Clauses, the UK Standard Contractual Clauses Addendum, the standard contractual clauses approved by the Swiss Federal Data Protection and the Information Commissioner; beqom also relies on recognised and effective international certification mechanisms.
5. Validity and document management
The current version of this document is effective as of the last update set out in the Revision History.
The owner of this document is the Head of Risk and Compliance, who checks and, if necessary, updates the document at least once a year.
6. Revision History
V2.1: February 2024
V2.0: April 2023