ISO Certification at Conduction

Conduction holds active certifications for both ISO 9001:2015 (Quality Management) and ISO 27001:2022 (Information Security Management). Certificates are available on the internal ISO drive.

These certifications mean that our processes, policies, and responsibilities are documented, reviewed, and audited — both internally and by external auditors.

Policy Documents

Document                    | ISO Clause                                      | Status
----------------------------|-------------------------------------------------|-------
Quality Policy              | ISO 9001:2015 §5.2                              | Active
Information Security Policy | ISO 27001:2022 §5.2                             | Active
Incident Reporting          | ISO 27001:2022 A.6.8 / ISO 9001:2015 §10.2      | Active
Security Practices          | ISO 27001:2022 Annex A                          | Active
Privacy & AVG               | AVG/GDPR, ISO 27001:2022 A.5.34                 | Active

The PDCA Cycle

Our quality and security management follows a Plan-Do-Check-Act cycle:

Phase | What we do                                                  | When
------|-------------------------------------------------------------|--------------------------------
Plan  | Annual planning, set objectives, update risk inventory      | January
Do    | Daily operations following documented processes            | Continuous
Check | Internal audits, MT quality meetings, management review     | Monthly / Quarterly / Annually
Act   | Corrective actions tracked in Jira, process improvements    | As needed, reviewed monthly

Management Review (§9.3)

The management team conducts a formal management review annually (February). Topics include:

  • Performance against quality and security objectives
  • Internal and external audit results
  • Customer satisfaction and feedback
  • Incident trends and corrective actions
  • Risk inventory review
  • Supplier evaluations
  • Employee satisfaction and competence
  • Changes affecting the QMS/ISMS

Additionally, monthly MT quality & safety meetings (last Monday of each month) address operational quality and security topics.

Records of management reviews are maintained on the internal ISO drive.

Internal Audits (§9.2)

Internal audits are conducted regularly to verify that the QMS and ISMS are functioning as intended. Results are discussed in MT quality meetings and used to drive improvements.

  • Audit plan and schedule are maintained internally
  • Internal auditors are trained (internal audit course)
  • Audit findings are tracked as Jira issues until closure
  • External certification audits are conducted annually by our certification body

Risk Management (§6.1)

Conduction maintains a risk inventory covering both quality and information security risks. The risk assessment process:

  1. Identify risks to quality, security, and continuity
  2. Assess likelihood and impact
  3. Treat — accept, mitigate, transfer, or avoid
  4. Monitor — review effectiveness of controls

The risk inventory is reviewed annually and updated when significant changes occur. The risk register is maintained on the internal ISO drive.

Statement of Applicability (§6.1.3)

The Statement of Applicability (Verklaring van Toepasselijkheid / VvT) documents all ISO 27001:2022 Annex A controls and their implementation status at Conduction. The VvT is maintained on the internal ISO drive. Contact the Quality & Safety Lead for access.

Business Continuity (A.5.29–A.5.30)

Critical services have documented recovery procedures. Supplier criticality for business continuity is assessed as part of the supplier evaluation (see below). The business continuity approach is reviewed during the annual management review.

Roles and Responsibilities (§5.3)

The ISO responsibility matrix maps every clause of ISO 9001 and ISO 27001 to a named responsible person and lead role. This matrix is maintained on the internal ISO drive.

For the organisational structure, roles, and team descriptions, see Organisation.

Supplier Management (§8.4 / A.5.19–A.5.22)

Suppliers with access to data or systems are evaluated annually (April and September) on:

  • Price/quality and risk assessment
  • ISO certification status
  • Personal data access and data processing agreements
  • EEA data location and CLOUD Act exposure
  • Business continuity criticality and mitigating measures

The supplier register is maintained on the internal ISO drive. Conduction's general terms follow the NL Digital standard.

Customer Satisfaction (§9.1.2)

Customer satisfaction is measured through:

  • NPS surveys at defined measurement moments
  • Annual customer evaluations (face-to-face or written)
  • Partner/reseller evaluations conducted annually

Results are discussed in MT quality meetings and used to set improvement targets. Feedback is tracked in the evaluation register on the internal ISO drive.

Competence and Training (§7.2)

A competence matrix defines the required knowledge and skills per role. Employees are reviewed annually against this matrix. Training needs are identified during annual evaluations.

Security awareness sessions are conducted regularly (team presentations, interactive quizzes). Topics include ISO handbooks, information security, and data protection.

Document Control (§7.5)

ISO documentation is controlled as follows:

  • Policies and procedures are published on this documentation site (version-controlled via Git)
  • Operational records (audits, reviews, risk registers) are maintained on the ISO drive
  • External access to the ISO drive is tracked and limited (accountant, ISO advisor, subsidies only)
  • Annual review — all handbooks and policies are reviewed and re-established annually (December per the quality calendar)
  • Changes to this site require a pull request with peer review

Physical Safety

  • The fire safety plan (brandveiligheidsplan) is available on Drive — covers building layout, escape routes, BHV responsibilities, and evacuation procedures
  • At least 3 employees maintain BHV certification
  • A workplace risk assessment (RI&E) has been conducted; the plan of action is maintained on Drive
  • The office has security cameras active outside office hours for security purposes only

Context of the Organization (§4.1–4.2)

Context analyses (SWOT, stakeholder analysis, competitive analysis) are maintained internally and reviewed annually as part of the management review cycle. These analyses inform the risk inventory and strategic planning.

Questions?

Any employee can raise concerns or suggest improvements via a GitHub Issue or directly with the Quality Manager.