Information Security Management System
Oxyma operates an Information Security Management System (ISMS), an integrated quality assurance system that was developed in 2010.
This system is based on a combination of the ISO9001:2008 and ISO/IEC 27001:2013 standards. The ISO9001 standard is aimed at process management, while ISO27001 is fully focused on information security. Oxyma completed the required audits in late 2010 and has been officially certified for these standards since then. We undergo annual external (re)certification audits by Intertec (formerly Moodys). On request we also support external audits by compliance officers from our Clients.
Oxyma works together with a specialized hosting partner. This partner is also certified for ISO27001 and is audited on all aspects by an independent party every year. This means that our partner must continuously monitor adherence to the measures that have been taken, must evaluate the effect of those measures, and must provide maintenance, monitoring and training for its employees.
This certification guarantees our Clients that their information is secured in accordance with the highest standards. Availability, integrity and confidentiality of the data are safeguarded to the maximum degree. This certification also means that our Clients inherently comply with relevant legislation and regulations such as the Personal Data Protection Act.
Parallel Service Ethics
As an integral part of our ISMS, Oxyma has in place a so-called “conflicting accounts policy”. We have been operating under this policy since 2004, and in 2010 it became part of our ISMS. This way our compliance with this policy is subject to external audits on an annual basis. The “conflicting accounts policy” was designed to serve clients that are competitors within their marketplace. The immediate reason was the long relationship with KPN and the start of the cooperation with Vodafone.
The policy describes which roles (and employees) working for competing clients have access to tactical and/or strategic information. A distinction is made between strategic information and daily operational activities. Employees with access to strategic information work exclusively for that client, and not at the same time for a competitor of that client. When an employee changes team/client, a pre-determined ‘quarantine period’ applies. During that period the employee works for neither client. For employees who perform daily operational activities, no quarantine period is applied.
All activities (of non-shared resources) for conflicting accounts are to be performed at designated and separated locations within our offices (the Parallel Service Zone). For specific activities and/or projects, and at the request of the client, our personnel sometimes agree to additional terms by signing a personal Non-Disclosure Agreement provided by the client.
For detailed reference, we can supply you with the ISMS Policy & Procedure “Information Security Policy for Conflicting Accounts” (PDF) as well as a complete set of our ISMS documentation.