1. Purpose
This policy establishes Hybrid Core BV's approach to protecting the confidentiality, integrity, and availability of its information assets. It reflects the company's commitment to responsible information security management, consistent with the principles of ISO 27001 and applicable regulatory requirements including the NIS2 Directive.
2. Scope
This policy applies to all employees, contractors, and third parties who access or process Hybrid Core BV information assets. It covers all information in any format - digital, physical, or verbal - including internal business data, client and partner data, intellectual property, research outputs, and data processed under EU-funded project agreements.
3. Policy statement
Hybrid Core BV recognises that information is a critical business asset. The company is committed to protecting information from unauthorised access, disclosure, alteration, and destruction. Security must be built into our systems, processes, and culture from the outset, not treated as an afterthought.
4. Principles
4.1 Confidentiality
Information is accessible only to those who have a legitimate need for it. Access rights are granted on the basis of least privilege and reviewed regularly.
4.2 Integrity
Information is accurate, complete, and protected from unauthorised modification. Changes to critical systems and data are logged and subject to appropriate controls.
4.3 Availability
Information systems and data are available when required by authorised users. Business continuity and disaster recovery planning ensures that critical operations can be maintained in the event of an incident.
4.4 Security by design
Security considerations are integrated into the design and development of systems and products from the earliest stage. This includes secure coding practices, architecture reviews, and threat modelling.
4.5 Risk management
Information security risks are identified, assessed, and managed in a structured manner. The company maintains a risk register and implements controls proportionate to the identified risks and the sensitivity of the information involved.
4.6 Supplier and third-party security
Third parties who access or process Hybrid Core BV information assets are required to meet appropriate security standards. Contractual obligations, due diligence, and periodic reviews are used to manage supply chain security risk.
4.7 Incident management
Information security incidents must be reported promptly. The company maintains an incident response process that enables timely containment, investigation, notification, and recovery. Where required, incidents will be notified to the relevant supervisory authorities.
5. Responsibilities
5.1 Management
Management is responsible for providing the resources and direction necessary for effective information security, approving the risk management framework, and ensuring that security obligations are embedded in contracts with third parties.
5.2 Employees and contractors
All employees and contractors are responsible for complying with information security policies and procedures, protecting the assets and systems they use, reporting security incidents and vulnerabilities, and completing security awareness training.
5.3 IT and security function
The IT and security function is responsible for implementing and maintaining technical controls, managing access rights, monitoring for security threats, and coordinating the response to security incidents.
6. Key security requirements
The following minimum requirements apply across the organisation:
- Strong, unique passwords and multi-factor authentication for all critical systems
- Encryption of sensitive data at rest and in transit
- Regular patching and updates of operating systems and applications
- Controlled and documented access to sensitive information systems
- Regular backups with tested recovery procedures
- Endpoint protection on all company devices
- Clear desk and clear screen procedures for physical security
- Secure disposal of physical and digital media containing sensitive information
7. Reporting and compliance
Security incidents and suspected vulnerabilities must be reported to the IT and security function immediately. Significant incidents affecting personal data will be reported to the relevant data protection supervisory authority within the timeframes required by GDPR. The company reserves the right to investigate security incidents and may involve law enforcement where criminal activity is suspected.
8. Monitoring and review
Information security controls are subject to regular technical testing, including vulnerability assessments and penetration testing. Compliance with this policy is monitored through internal audits and management reporting. The policy will be reviewed at least every two years or following a significant security incident.
9. Communication and awareness
All employees and contractors receive security awareness training at induction and on a regular basis. Security responsibilities are communicated clearly as part of the onboarding process and reinforced through ongoing training and communications.
10. Review cycle
This policy is reviewed every two years by the Hybrid Core Management Team, or sooner in response to significant security incidents, regulatory changes, or material changes to the company's technical environment.
11. Version control
Version: 1.0
Owner: Hybrid Core Management Team
Approved by: Hybrid Core Management
Effective Date: 01.06.2026
Review Period: Every 2 Years