ISO 9001:2015 · ISO 27001:2022

Quality.

One integrated quality and information-security management system. ISO 9001:2015 and ISO 27001:2022 anchor the policies, pentest-tools.com runs the continuous scans, and the entire build flow lives in public on GitHub. Together they cover scope, audit trail, and ongoing assurance for every Conduction app.

Certificates, scans and workflow (live status):

  • ISO 9001:2015 certificate
  • ISO 27001:2022 certificate
  • pentest-tools.com · weekly scan: CLEAN
  • GitHub PR #482 · code + security review: MERGED
Quality tools

What we use to keep quality measurable.

The four pillars our QMS and ISMS lean on. The two ISO certificates anchor the management system, the commercial pentest platform supplies continuous external assurance, and the GitHub workflow keeps every code change inside the same audit trail.

International standard for quality management systems. Confirms that Conduction operates a documented QMS, runs internal audits, and conducts management reviews. Scope: software development, hosting, and advisory work for public-sector and MKB (SME) clients in the Netherlands. Annual surveillance audit, three-year recertification cycle. Full policy statement and scope below.

Read the quality policy
ISO certifications

  • ISO 9001:2015 — Quality management (certificate issued to Conduction B.V. for its quality management system)
  • ISO 27001:2022 — Information security (certificate issued to Conduction B.V. for its information security management system)
Policy statement

Quality policy

Reference: ISO 9001:2015 §5.2
First issued: 24 July 2025
Last review: April 2026
Next review: February 2027

Conduction is committed to delivering high-quality open-source software and services for digital government infrastructure. Our Quality Management System (QMS) is designed to consistently meet customer requirements and applicable regulatory requirements, and to enhance customer satisfaction.

Scope

The design, development, implementation, and support of open-source software solutions for digital government infrastructure, delivered from the Netherlands by Conduction B.V. employees and contractors — including remote workers.

Excluded: hardware manufacturing, physical product distribution.

Quality objectives

  • Support tickets acknowledged within one business day.
  • Every pull request passes the automated quality gates before merge.
  • At least two process improvements implemented per quarter.
  • Every employee reviewed annually against the competence matrix.

Management commitment

Conduction's management commits to:

  1. Providing the resources necessary to establish, implement, maintain, and continually improve the QMS.
  2. Communicating the importance of effective quality management and conforming to QMS requirements.
  3. Ensuring this policy is understood, implemented, and maintained at all levels of the organisation.
  4. Reviewing this policy at least annually as part of the management review cycle.

Adopted by the management of Conduction B.V. — Amsterdam, the Netherlands.

Policy statement

Information-security policy

Reference: ISO 27001:2022 §5.2 · Annex A.5.1
First issued: 24 July 2025
Last review: April 2026
Next review: February 2027

Conduction protects the confidentiality, integrity, and availability of the information it handles — including customer data, internal systems, and the open-source software it develops and operates. This policy establishes the framework for Conduction's Information Security Management System (ISMS) in accordance with ISO 27001:2022.

Scope

All information assets related to the design, development, implementation, and support of our open-source software for digital government infrastructure, including:

  • Source code and repositories on GitHub.
  • Customer data processed via Conduction's software and hosting.
  • Internal systems (Google Workspace, Jira, Passwork, development environments).
  • Employee devices (BYOD) used for company work.

Security objectives

  • Zero unauthorised access incidents per year.
  • Critical systems ≥ 99.5% uptime (status.commonground.nu).
  • Security incidents acknowledged within four business hours.
  • Critical and high CVEs patched within 30 days.
  • Every employee completes the annual security awareness session.

Key Annex A controls

  • Access control (A.5.15) — role-based, granted on a need-to-know basis.
  • Cryptography (A.8.24) — protects sensitive data in transit and at rest.
  • Supplier relationships (A.5.19) — assessed and contractually bound.
  • Incident management (A.6.8) — covers all suspected incidents.
  • Business continuity (A.5.29) — documented for every critical service.

The privacy side of the ISMS is described in the privacy policy.

Adopted by the management of Conduction B.V. — Amsterdam, the Netherlands.

Pentest tools

Continuous external assurance is the third leg of the management system. Conduction subscribes to the commercial pentest-tools.com SaaS scanning platform and runs scheduled tests against the production surfaces of our apps, the managed Common Ground tenant at commonground.nu, and the marketing surfaces under conduction.nl.

The platform combines a website vulnerability scanner, a network scanner, a CVE checker against the running stack, TLS configuration auditing, and subdomain enumeration. Coverage maps to the OWASP Top 10 and the controls in ISO 27001:2022 Annex A.8 (technological controls).

How it fits the ISMS. Findings flow into the same incident-management process described in the security policy. Critical and high CVEs trigger the 30-day patch SLA in Annex A.8.8. Every scan run is recorded; the last-scan summary is reviewed at the monthly MT quality meeting. The full pentest reports are available to clients under NDA — write to info@conduction.nl with your contract or tender reference.

Quality workflow on GitHub

Every Conduction app lives in public on GitHub under the ConductionNL organisation. The development workflow is the operational layer of the QMS — it is how the documented procedures from ISO 9001:2015 §7.5 and §8 actually run, with the trail from feature request through merged code visible end-to-end.

Branch protection. Three org-wide rulesets enforce the same rules everywhere: at least one approving review to merge into the development branch, at least two reviews to merge into main. Direct pushes to protected branches are blocked. Every change moves through a pull request.

Two-track review. Pull requests pick up the right reviewer through labels. The code-review:queued label triggers a code review against the project's coding standards (PHPCS, PHPMD, Psalm, PHPStan for PHP apps; ruff + mypy for Python ExApps; ESLint + Vue rules for frontends). The security-review:queued label triggers an information-security review against the relevant ISO 27001:2022 Annex A controls.

Hydra automation. Routine review work runs through Hydra, our internal coordination layer — it watches PR labels, dispatches review jobs to specialised agents, and writes the findings back as PR comments. The trail of who reviewed what, with which feedback, lives in the PR history. Human reviewers approve before merge.

Spec-driven changes. Larger changes carry an OpenSpec change folder and an ADR. The spec lives next to the code, the ADR records the architectural decision and its rationale, and the PR cites both. That gives the documentation trail required by ISO 9001:2015 §7.5 (control of documented information) without a parallel quality handbook to keep in sync.

Automated CI gates. Every PR runs the language-appropriate linters, static analysers, unit tests, and dependency-vulnerability scans before a human reviewer is asked to look. PRs that fail a gate are blocked until fixed. The CI configuration is in the repository, so the gates are visible to anyone reading the code.
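As an added illustration (not Conduction's published rulesets), the two branch rules and the CI gate described above expressed in the JSON shape that GitHub's rulesets REST API accepts: a pull request is required (which is what blocks direct pushes), two approvals on main and one on development, and the gate checks must pass before merge. The status-check context names, the stale-review and thread-resolution settings, and the empty bypass list are assumptions, named here because JSON carries no comments.

```json
[
  {
    "name": "main: PR only, two approvals, CI gates",
    "target": "branch",
    "enforcement": "active",
    "bypass_actors": [],
    "conditions": { "ref_name": { "include": ["refs/heads/main"], "exclude": [] } },
    "rules": [
      { "type": "deletion" },
      { "type": "non_fast_forward" },
      {
        "type": "pull_request",
        "parameters": {
          "required_approving_review_count": 2,
          "dismiss_stale_reviews_on_push": true,
          "require_code_owner_review": false,
          "require_last_push_approval": false,
          "required_review_thread_resolution": true
        }
      },
      {
        "type": "required_status_checks",
        "parameters": {
          "strict_required_status_checks_policy": true,
          "required_status_checks": [
            { "context": "lint" },
            { "context": "static-analysis" },
            { "context": "unit-tests" },
            { "context": "dependency-scan" }
          ]
        }
      }
    ]
  },
  {
    "name": "development: PR only, one approval, CI gates",
    "target": "branch",
    "enforcement": "active",
    "bypass_actors": [],
    "conditions": { "ref_name": { "include": ["refs/heads/development"], "exclude": [] } },
    "rules": [
      { "type": "deletion" },
      { "type": "non_fast_forward" },
      { "type": "pull_request", "parameters": { "required_approving_review_count": 1, "dismiss_stale_reviews_on_push": true, "require_code_owner_review": false, "require_last_push_approval": false, "required_review_thread_resolution": true } },
      { "type": "required_status_checks", "parameters": { "strict_required_status_checks_policy": true, "required_status_checks": [ { "context": "lint" }, { "context": "static-analysis" }, { "context": "unit-tests" }, { "context": "dependency-scan" } ] } }
    ]
  }
]
```

Each object is one ruleset; the review-count difference between the two is the only rule that varies, so reviewers can diff the two objects to confirm the branches are otherwise protected identically.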

Beyond the two ISO certifications, pentest scans, and the GitHub workflow, the procurement-relevant compliance picture for Conduction is:

  • ISAE 3402 — managed hosting at commonground.nu runs on infrastructure operated by Cyso under ISAE 3402 Type II. Their attestation is available on request.
  • BIO — Baseline Informatiebeveiliging Overheid alignment is in progress. Status updates land here when complete.
  • DigiD — out of scope for our current portfolio. We integrate with DigiD-using systems but do not hold a DigiD assessment ourselves.

Compliance FAQ

What is the difference between ISO 9001 and ISO 27001?

ISO 9001:2015 covers quality management: how we plan, build, deliver, and improve our work. ISO 27001:2022 covers information security: how we identify, mitigate, and audit risks to data we hold. Most procurement files want both. We are certified against both, by the same external auditor, on the same annual cycle.

Does Conduction's ISO 27001 certification cover my data when I self-host the app?

No. Self-hosted means your Nextcloud instance, your infrastructure, your data. Our ISO 27001 covers Conduction's own systems and the apps we develop. The security of the data you store in OpenRegister on your own server is your responsibility. If you want our certification to cover hosting too, use our managed Common Ground tenant at commonground.nu.

How often do you run the pentests?

The pentest-tools.com scans run on a continuous schedule against the production surfaces. The full multi-vector scan runs at least monthly; the targeted scans (TLS, CVE, OWASP Top 10) run weekly. Findings above the medium threshold are triaged within the same week, and critical or high CVEs trigger the 30-day patch SLA in ISO 27001:2022 Annex A.8.8.

Is Conduction BIO compliant?

BIO (Baseline Informatiebeveiliging Overheid) alignment is in progress. We use the BIO control set as the gap analysis against our existing ISO 27001 controls, and we publish a status update on this page once the alignment is complete. ISO 27001:2022 covers the majority of BIO requirements already, which is why most government clients consider Conduction procurement-ready today.

Do you hold a DigiD assessment?

No, DigiD is out of scope for our current portfolio. We build apps that integrate with DigiD-using systems (through OpenConnector), but we do not act as a DigiD service provider ourselves. If your tender requires a DigiD assessment, the assessment falls on the hosting party or the system that exposes the DigiD login.

What does the ISO 27001 certification cover at commonground.nu?

The managed Common Ground tenant runs on infrastructure operated by Cyso under ISAE 3402 Type II. Conduction's ISO 27001 covers the application layer (the Conduction apps, the development pipeline, the operations workflows); Cyso's ISAE 3402 covers the hosting layer (data centres, network, hypervisor). Together they cover the full stack a public-sector client buys at commonground.nu.

Can I get a copy of the Statement of Applicability or a pentest report?

The ISO 9001:2015 and ISO 27001:2022 certificates themselves are on this page — open the cert images for the full-resolution scans. For the SoA, the most recent internal-audit report, or the relevant pentest summary, write to info@conduction.nl with your contract or tender reference. We send those directly because we want a record of who is requesting them.