Technical and organisational measures (TOM)


This document outlines the technical and organisational measures (TOM) taken by VOICT.

VOICT is ISO 27001 (information security) certified.
ISO/IEC 27001 is an ISO standard for information security that describes how information security could be organised in a process-oriented way in order to implement security measures. The standard specifies requirements for establishing, implementing, executing, controlling, assessing, maintaining and improving a documented Information Security Management System (ISMS) within the framework of the general business risks for the organisation. The ISMS is designed to ensure the choice of adequate and proportionate security measures that protect the information and provide confidence to stakeholders.

All subjects that are part of the TOMs are also, in detail, part of the ISMS of ISO 27001.

Technical measures

VOICT makes every effort, in accordance with the most recent standards in its branch, to secure the (Personal) Data to be processed and to keep it secure against intruders and external mischief as well as careless, inexpert or unauthorised use. In concrete terms, this means, among other things, that the Personal Data is not stored on a computer that can be accessed directly (i.e. without a level of security) from the Internet. This does not alter the fact that information can be sent via sFTP, SMS and/or e-mail, that the nature of the service is Software as a Service, and that access to the data via a web browser or APIs is part of the standard service.
Technical measures resulting from this include an implemented procedure for:
● Backup and Restore of Data
Making backups and performing periodic restore exercises in good time in order to reduce the risk of data loss.
● Software updates
The patching of all software involved in the processing of personal data.
● OWASP vulnerabilities
Periodic checks that services are tested and free of the top 10 most common vulnerabilities identified by the Open Web Application Security Project (OWASP).
These tests are executed by the company Securify (
● Detection of undesirable behaviour
The detection of attacks, and organisational processes to detect and act on these reports, including analysis of log files for unlawful behaviour.
● Data destruction after end of contract
VOICT shall destroy all personal data within 30 days of the date of termination of the contract, unless otherwise included in the exit plan agreed with the Customer.
● Physical access restriction
Physical access control is in place to prevent unauthorised individuals from accessing locations where personal data is stored or processed. The data centre where the data is stored has video surveillance, access control and iris scanning for access control.
● Data media
A procedure is in place for the removal, destruction and reuse of data media containing personal data.
● Secure information transfer
Personal data is secured during electronic transmission and cannot be read. Any passwords are sent separately.
● Duty to report security incidents
Any security-related incident is recorded and reported to the Customer as set out in the Appointments and Procedures Dossier (DAP).

Organisational measures

The organisational measures that have been taken consist of implemented policies in fields such as:
• Information security
In this policy, information security covers all measures aimed at ensuring the availability, integrity and confidentiality of data and limiting the possible consequences of security incidents to an acceptable, predetermined level. These reliability requirements apply to VOICT as follows:
o Availability (continuity, response time)
o Integrity (accuracy, completeness, timeliness, lawfulness)
o Confidentiality (exclusivity)
This security policy is based on the Code of Practice for Information Security or NEN-ISO/IEC 27001, a ‘best practice’ standard for structurally setting up and permanently improving information security.

• Access to buildings and systems
This policy specifies rules for access to systems, services and facilities.

• Clear desk and clear screen
Rules to prevent sensitive (company) information, including login details, keys, financial and personnel data, from being left unattended in the workplace.

• Classification and compliance
The classification and compliance policy defines access to individual documents and records.

• Backup and restore
Rules to ensure that backup copies are made at defined intervals and tested regularly.

• Acceptable use
A code of conduct on information security and employee security awareness.

• Supplier evaluation
Establishing periodically and objectively whether suppliers meet the requirements.

• Monitoring
Definition of the elements that are part of the monitoring policy, which methods are applied, when monitoring is carried out and how accountability is given for the analysis and evaluation of the monitoring, with the ultimate aim of demonstrable control.

• BYOD and teleworking
Provisions on how the organization retains control of its information while it is accessed by portable devices or devices not owned and/or controlled by the organization.

• Account management and passwords
Rules to ensure secure password management and use of passwords.