Both VASP and VCDM are audited annually by external auditors. The external audit includes both review of the Quality Management System and ISMS (VCDM), such as documentation, procedures and role descriptions, and interviews with teams and individual employees to verify that the system is followed.

All products in VASP and VCDM are subject to internal audits at least annually. These audits are performed by both a member of the security team and the DPO and/ or representatives of the DPO, to ensure that two different roles review the product before it gets “the green light”.

The purpose of the internal audit is to ensure compliance towards our Quality Management System and if applicable for the product in question, VCDM, and to identify areas of improvements for the product or service, the team and the security programs themselves.. Follow-up actions are registered and followed up in the Security Maturity Index, Architecture Index and if appropriate as risks.

Specifically for VCDM, internal audits are handled through the dedicated VCDM Compliance Process. This includes preparations, review meeting, review report, and registering follow ups that will be measured through the VCDM Index.