Information Security Management System


Crystalloids regards information security as an important asset. Risks must be acceptable to the customer, and measures must be effective without compromising the effectiveness, flexibility, and efficiency of our services.

ISMS and NEN-ISO 27001 standard

We have an ISMS framework of policy principles with regard to the confidentiality, integrity, and availability of the information provided, within which a balanced (effective and efficient) system of interrelated measures is developed, to protect the information system against internal and external threats.

We implement and maintain the ISMS and ensure continuous improvement by applying the Deming quality circle (plan, do, check, act) so that the ISMS meets the High-Level Structure (HLS) requirements of the NEN-ISO/IEC 27001 standard.


The scope of our NEN-ISO/IEC 27001 is: 

Information security related to consultancy, design, development, assembling, configuration, training, technical and functional support, related to Google Cloud Platform technologies with a focus on data sciences, data engineering, business analytics, and real-time channel management.

Policy principles

We aim to manage and to be in control by living by 26 information policy principles. We are able to mitigate the information security risks while keeping our flexibility and efficiency.

The policy principles are the bridge between the information security risks and the management objectives and managerial measures of our Internal Norm. If you wish to learn about these principles and our ISMS, please contact us.

Risk management cycles

The Crystalloids management sees three cycles of risk management:

  1. The business risk assessment is carried out every three years with the complete derivation of measures and improvements.
  2. Incident handling and changing procedures with their impact analyses are applied on a day-to-day basis so that the needs of stakeholders can be anticipated at lightning speed. For Crystalloids, this is the most important risk management tool. In addition, an IB meeting is organized four times a year.
  3. Every year during the internal audit, the course of events and especially the day-to-day risk assessment are reviewed. This leads to the observation of deviations, which are resolved by improvements.

The improvements from these three cycles are included in the improvement plan. The management is explicitly involved in all three cycles and continuously assesses whether the management system meets its expectations.


ISO/IEC 27001 is widely known and provides requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family.

Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

The external audits were executed by Brandcompliance.
