Every organisation that uses DigiD authentication for its digital services is required to have a DigiD assessment carried out annually. This assessment, prescribed by Logius (part of the Ministry of the Interior and Kingdom Relations), tests whether the ICT environment in which DigiD is processed complies with the NCSC ICT Security Guidelines for Web Applications standard.
The assessment must be performed by an independent IT auditor registered as RE (Register EDP-auditor). The assessor evaluates both the technical and the organisational security measures around the DigiD connection: network security, access management, logging, incident management and vulnerability management.
The assessment results in a report that you submit to Logius. Logius evaluates the report and issues a verdict: compliant, partially compliant, or non-compliant. If shortcomings are found and not remediated, you risk losing your DigiD connection, which means that citizens can no longer log in to your service.
The scope of the assessment covers the entire chain: from the web application that integrates DigiD, through the infrastructure on which it runs, to the management processes around it. Subcontractors and cloud providers involved in the DigiD chain also fall within scope.
Common mistakes in DigiD assessments are incomplete scope definition, missing penetration tests, and insufficient logging of administrative actions. We see that organisations that start their preparations early generally get through the assessment more smoothly.
Our RE-certified auditors guide you from scope definition to report delivery. Get in touch for a no-obligation intake.
About the author
Partner | IT Auditor