Security and Privacy
Security
As a knowledge-centric company, we recognise the importance of information security to protect the interests of our clients, employees, our company and other stakeholders. In a world of ever-increasing cyber threats, information security is critical.
The information we handle at Royal HaskoningDHV includes that which is entrusted to us by clients and other third parties, project information, and company information like intellectual property, employee details and financial information.
Not only do we need to protect our internal systems and data to keep our business processes going, more and more IT services are becoming the primary business themselves. Information security is increasingly a business driver, especially for digital services that have a tangible impact on the physical world around us.
Our information and privacy protection strategy is centred around our Information Security Management System (ISMS), based on the international ISO/IEC 27001 standard. We renewed our certification to ISO 27001 in 2022, having first obtained it in 2019. Furthermore, we maintain the UK National Cyber Security Centre’s (NCSC) Cyber Essentials and Cyber Essentials Plus certifications. Cyber Essentials Plus is the highest level of certification offered under this scheme and is required when bidding for contracts which involve handling certain sensitive and personal information. Both certifications were renewed in 2022.
Security governance is of the highest importance for us, and we take great reassurance and confidence in our security practices. Our clients are becoming increasingly aware of security and privacy concerns and demand specific solutions for their security requirements. Internationally renowned certifications like ISO 27001 and Cyber Essentials guarantee the quality of our security systems and give us a competitive advantage in bids and tenders.
We only work with ICT vendors and suppliers that have a robust level of security in place. To test the security of our own and our suppliers’ systems, we have expanded the programme of pen tests and risk assessments we periodically undertake on critical systems. With our increased focus on delivering digital products, we have expanded our identity and access management platform, Smart Society. It allows secure and privacy-centred provision of our digital services.
In 2022, we invested heavily in new technology around cyber security. With these new products we made big steps in our transformation from a reactive to a proactive security operation. This is a direct result of the Zero Trust philosophy adopted a few years ago. Despite the automated, real-time response that comes with state-of-the-art technology, an important human factor still exists for maintaining a healthy security posture. Therefore, we expanded our Security Operations Centre (SOC) team’s efforts to continuously evaluate potential incidents, and proactively hunt for threats.
We closely monitor cyber threats resulting from cybersecurity developments worldwide. Based on advisories and threat intelligence provided by official bodies like the NCSC, we carry out a risk analysis on emerging threats and the potential impact for our company and the digital services we deliver to clients. No material impact emerged from these threats.
An important axis in cyber defence is making our people aware of cyber threats, like phishing and business email compromise. In 2022, we continued our awareness campaign, culminating in the annual Cyber Awareness month which focused on security hygiene.
Privacy
Royal HaskoningDHV deals with personally identifiable information, such as our employee data. We are dedicated to protecting the privacy of individuals and are committed to privacy legislation such as the General Data Protection Regulation (GDPR), Data Protection Act 2018 and Protection of Personal Information Act (POPI Act).