Security Verified requirements

This is the latest 2024 version of the ‘Security Verified’ standard. It is the official description of what an organisation needs to have in order to qualify for Security Verified.

Note: You can download all requirements here: Security Verified requirements EN 2024. A Dutch version of the Security Verified requirements is also available: Security Verified requirements NL 2024.

Overall structure

Security Verified 2024 has eight chapters divided into two parts:

  • Part A, chapters 1-4 contain mandatory requirements. An organisation must implement these in order to qualify
  • Part B, chapters 5-8 contain recommended controls. An organisation must demonstrate the implementation of at least 50% of the recommended controls to qualify for Security Verified certification.

The chapters 5-8 of Security Verified correspond to chapters A5 to A8 of the ISO 27001:2022 standard. Both the ISO standard and Security Verified have four chapters with the following controls:

Note that Security Verified has fewer controls than ISO 27001 and in many cases the controls are rephrased to make them more clear and more concrete. This makes the implementation easier to audit and thus improves the audit experience. Organisations that have implemented the ISO 27001 versions thoroughly will have no problem meeting the Security Verified controls.

Part 1: General requirements

Anything after the word “note” is merely a suggestion and not part of the requirements.

1. Leadership, team and resources

  • SV1.1 Top management  has demonstrated commitment and involvement in information security. Note: This corresponds to H5 of ISO 27001 and top management can do this by attending meetings, participating in training, reviewing and approving documents.
  • SV1.2 A permanent  information security team (IS team) with at least two members has been defined. This team composition is documented in the ISMS documentation.
  • SV1.3 The IS team has received enough time and resources to achieve continuous improvement
  • SV1.4 There is a main policy document, e.g. “XYZ IS policy” that is available to stakeholders that contains the ISMS scope, the risk based approach and commitment to continual improvement.
  • SV1.5 There is a managed set of documents stored in a central location that together form the ISMS
  • SV1.6 The security team has defined actions to grow its own knowledge, e.g. through books, courses and involvement in the information security community.

2. Risk management

  • SV2.1 There is a list of stakeholders and their requirements, including legal requirements such as GDPR, tax law and copyright law
  • SV2.2 There is a high level overview that describes the main information assets (main systems, types of devices, main databases, document types).
  • SV2.3 There is a risk inventory that contains probability, impact and owner of risks, the applicable controls to mitigate the risk. Some risks with a high score have an improvement plan.
  • SV2.4 There is documentation describing how each chosen measure / control is implemented in the organisation
  • SV2.5 There is a statement of applicability that explains which of the ISO 27001 standard controles are implemented in the organisation.

Note: we have free templates for most of these elements on our ISO 27001 and GDPR template page.

3. Operations

  • SV3.1 There is an overview (calendar, plan, roadmap) for the next 12 months with recurring information security activities, such as training, PEN-test, document review, access right checks
  • SV3.2 At least half the staff have attended a security awareness training and a next training is planned
  • SV3.3 Randomly selected staff members know whom to contact and how to respond in case of incidents or questions
  • SV3.4 There is evidence (e.g. signature) that staff have received and read  rules regarding information security.
  • SV3.5 For the current calendar year at least two IS team meetings have been planned where incidents and changes in the organisation are discussed.
  • SV3.6 Results and decisions from previous IS team meetings are documented in meeting minutes or an action list

4. Privacy and GDPR

  • SV4.1 If the organisation handles personal data, there is an up to date register of processing activities that meets the requirements of the GDPR.
  • SV4.2 If the organisation handles personal data, the organisation has a process for closing data processing agreements with customers o suppliers, an overview of which data processing agreements are in place and can show examples of data processing agreements
  • SV4.3 There is a proces for registering and handling Information security incidents, and a register of incidents. In the register states which incidents involve personal data and had significant consequences (GDPR data breaches).
  • SV4.4 A decision has been made and documented whether an Data Protection Officer / FG is needed. The name is included in the register of processing activities.
  • SV4.5 People whose personal data is processed are informed of the processing, their rights, and how to exercise their rights. This is for instance done using a privacy statement on the website or on portals/apps.

5. Organisational controls

These controls are not mandatory, but recommended.
  • SV5.1 There is a project plan template  that includes security and privacy measures. There is evidence that the template has been used in the organisation. This control is similar to ISO 27001 A5.8
  • SV5.2 There is a list of all company owned devices (laptops, tablets and phones) and current users. This control is similar to ISO 27001: A5.9.
  • SV5.3 For the main systems, it has been defined which roles get which access rights (role based access control). This is for instance defined in an authorisation matrix This control is similar to ISO 27001: A5.15
  • SV5.4 All employees get a unique company email address / identity and access to assets is linked to this email address. This control is similar to ISO 27001: A5.16
  • SV5.5 There are rules that require people to chose strong, unique passwords and these rules are included in training. This control is similar to ISO 27001: A5.17
  • SV5.6 There is an overview of all suppliers with impact on information security, information security requirements for each supplier and a score for each supplier on the service in past period. If suppliers have a low score, someone responded to this with an action. This control is similar to ISO 27001: A5.20
  • SV5.7 There is a business continuity plan with at least 4 scenarios and instructions for each scenario. This control is similar to ISO 27001: A5.29

7. Physical controls

These controls are not mandatory, but recommended.
  • SV7.1 The office space is divided into multiple security zone, and for each zone security measures are defined, for instance when zones are locked and whi can have keys. This control is similar to ISO 27001: A7.1. Note: we recommend making a zone plan by coloring a map of your office using green (visitors and employees can access), yellow (only employees can access) and red (only selected employees have access). The red zones can be cupboards or locked drawers if you do not have entire rooms.
  • SV7.2 There are rules (often called clean desk) to make sure paper documents with confidential information are stored securely and not left openly on desks. This control is similar to ISO 27001: A7.7
  • SV7.3 It is clear for employees whether they can use privately owned devices (laptops, phones) for business purposes. This control is similar to ISO 27001: A7.9
  • SV7.4 It there is a printer on a floor, there is shredder or locked recycling container on the same floor. There are also rules for use of USB sticks. This control is similar to ISO 27001: A7.10

8. Technological controls

These controls are not mandatory, but recommended.
  • SV8.1 Devices (PC, laptop, tablet and smartphone) have an up to date operating system, are encrypted and protected with password or biometrics. This control is similar to ISO 27001:A8.1. Note: you should consider using a mobile device management solutions (MDM) solution such as Miradore or Microsoft InTune if you have more than 50 devices.
  • SV8.2 Access to source code is controlled, using among other measures storing in a version control system in multiple repositories. This control is similar to ISO 27001:A8.4.
  • SV8.3 Multi-factor authentication is enabled for employees to access company email or main systems. This control is similar to ISO 27001:A8.5
  • SV8.4 The production servers are monitored to measure uptime, resource limits or performance issues. The team can show the monitoring dashboard or an SLA report A8.6
  • SV8.5 IT systems are scanned regularly for technical vulnerabilities, for instance using a PEN-test or source code scan. Results from a scan or test that are less than 12 months old are available. This control is similar to ISO 27001:A8.8
  • SV8.6 A backup and restore procedure for servers is documented including the backup frequency. Production servers are backed up at least daily. This control is similar to ISO 27001: A8.13
  • SV8.7 Production servers produce logs. The logs are stored securely (not in the same database). The organisation can show log reports or log data. This control is similar to ISO 27001:A8.15
  • SV8.8 There is a separate network for visitors. Visitors do not have access to the normal wireless network for employees. This control is similar to ISO 27001: A8.22
  • SV8.9 The communication to and from all servers is protected using https, TLS or other secure protocols. The organisation has determined a score using internet.nl, SSL labs or similar tools. This control is similar to ISO 27001: A8.24