Why is certification necessary?
CBS is responsible for compiling official statistics and publishing the results. A prerequisite of this task is that the quality of this statistical information is guaranteed. As the basis for its statistics, CBS collects a large amount of data about persons, households, companies and institutes.
All the relevant parties need to be absolutely sure that their data is in safe hands. CBS has therefore set up a management system for quality, information security and privacy protection, based on the highest international standards. CBS is seeking to continuously improve and safeguard the quality of its products and services. Therefore CBS is aiming to obtain ISO certification for its products and services.
Product and service quality ISO 9001:2015
With the implementation of ISO 9001:2015, CBS’s current quality management systems and statistical processes are being updated to comply with an internationally recognised quality standard.
TÜV Nederland has already established via audits that a number of organisational divisions have quality management systems that make them eligible for the ISO 9001:2015 certificate.
The ISO 9001:2015 certificate was awarded by TÜV Nederland at the end of 2016 to the departments of Data collection, the Netherlands business survey, Business registers and Policy-related statistics from the Centre for Policy-Related Statistics.
In 2017, the department of Communication and News and a few statistical and supporting processes are added. It is CBS’s ambition to be ready for certification at the end of 2018.
Information security: ISO 27001:2015
The goal of information security is the safeguarding of the availability, integrity and confidentiality of the source data, information systems and statistics. ISO 27001 is one of the mandatory standards for the Dutch government. The standard contains requirements for the management system for information security, and states the areas for which security measures must be employed. At European Union level, an IT security framework based on ISO 27001 is used. Within the Dutch government, the Civil Service Baseline Information Security (BIR) is used. This is a tactical set of standards also based on ISO 27001.
In 2017, CBS is certified for ISO 27001:2013. With the combination of ISO 27001 certification and the Privacy Audit Proof certificates, CBS will also be able to demonstrate compliance with the requirements of the European IT security framework and the BIR.
Privacy protection: Privacy Audit Framework
Privacy protection encompasses all the measures that safeguard the proper protection of personal and company data. A large proportion of these measures relate to the security of the data and thereby overlap with the requirements for information security. Privacy protection is largely based on the Dutch Personal Data Protection Act and the European General Data Protection Regulation (GDPR).
Since 2015 there have been privacy audits at CBS, carried out by PwC, an external auditor. Information security aspects also come up for discussion during privacy audits.
The Privacy Audit Proof approval mark was awarded by PwC at the end of 2017 to all statistical processes and a number of supporting processes. CBS is aiming to be privacy proof in the first half of 2018.