ISO 9001:2015 · ISO 27001:2022

Quality,
with a Q.

One management system, five tools that prove it works. ISO 9001:2015 and ISO 27001:2022 set how Conduction should run and what we measure. The How We Work handbook at docs.conduction.nl translates that into operations. pentest-tools.com and the GitHub-native quality workflow test the outcome. Every line of code, every service we deliver — the same predictable quality.

Certificates · handbook · scans · workflow (live status)

  • ISO 9001:2015 certificate
  • ISO 27001:2022 certificate
  • docs.conduction.nl · operating handbook: live
  • pentest-tools.com · daily scan: clean
  • GitHub PR #482 · code + security review: merged
Quality tools

What we use to keep quality predictable.

Five tools, layered. ISO 9001 and 27001 define what good looks like and how we measure it. The How We Work handbook turns that into day-to-day operations. pentest-tools.com and the GitHub workflow test the outcome — externally and internally — every release.

International standard for quality management systems. Confirms that Conduction operates a documented QMS, runs internal audits, and conducts management reviews. Scope: software development, hosting, and advisory work for public-sector and SME (MKB) clients in the Netherlands. Annual surveillance audit, three-year recertification cycle. Full policy statement and scope below.

Read the quality policy
ISO certifications

  • ISO 9001:2015 — Quality management (certificate image: ISO 9001:2015 certificate, Conduction B.V., quality management system)
  • ISO 27001:2022 — Information security (certificate image: ISO 27001:2022 certificate, Conduction B.V., information security management system)
Policy statement

Quality and information-security management system

Standard: ISO 9001:2015 · ISO/IEC 27001:2022
Adopted: January 2026
Certificates valid: 24 Jul 2025 – 21 Jul 2028
Next review: January 2027

Conduction was founded in 2018 with the aim of contributing to a better digital world. We develop and operate democratic, inclusive, and transparent digital solutions in line with the Common Ground principles. As Digital Socials we tackle societal challenges for public organisations and governments, putting people at the centre, with "Tech to serve people" as our guiding principle.

Quality and information security are essential to the trust of our customers, partners, and users. Conduction operates an integrated quality and information-security management system designed in accordance with ISO 9001:2015 and ISO/IEC 27001:2022. This system supports us in managing risks, seizing opportunities, and continually improving our services through the Plan-Do-Check-Act cycle. Quality and information-security objectives are set annually and reviewed periodically.

Through our quality and information-security management system we ensure that:

  • processes and ways of working are clearly documented and followed;
  • work is performed effectively and in a controlled manner, with attention to risk;
  • performance is monitored, evaluated, and improved where possible;
  • employees understand their responsibilities and the procedures that apply to them;
  • applicable laws, regulations, and contractual obligations are met.

The management team is responsible for and committed to establishing, implementing, and maintaining this policy, and ensures the organisation has the people, resources, and information it needs. We seize opportunities and mitigate risks. We share this with our employees and involve them as much as possible in the thinking. We make time for ourselves, the internal auditors, and our employees.

The scope of this policy and the certification covers quality and information security related to advising on, developing, and operating digital solutions for societal challenges.

Quality, information security, continual improvement, and customer satisfaction are central to Conduction. The ISO 9001:2015 and ISO/IEC 27001:2022 certificates were issued on 24 July 2025 and are valid through 21 July 2028.

For more information about our quality and information-security management system, please contact us via the contact form on our website.

Adopted by the management of Conduction B.V. — Amsterdam, the Netherlands. Text taken from the signed policy statement of January 2026.

docs.conduction.nl

How We Work — operating handbook.

The ISO policies say what Conduction is committed to. The handbook at docs.conduction.nl translates those commitments into the procedures every (digital) employee follows day to day — onboarding, building software, customer support, the Hydra pipeline, the Claude workflow. Every procedure lives in version control on GitHub and follows the same PR + review process described under Quality workflow below; auditors read the same source every employee does.

Identity

Who Conduction is. Brand, voice, and visual identity for both our culture and our designs.

Brand & voice
  • logo · colour · type
  • voice & tone
  • visual diagram set

Way of Work

How Conduction operates day-to-day — onboarding, roles, building software, and customer support. The handbook every (digital) employee follows.

Procedures
  • onboarding
  • roles · responsibilities
  • support & SLA

Hydra

Conduction's agentic spec-driven CI/CD pipeline. From an OpenSpec change to a reviewed PR — Builder, parallel code + security review, human in the loop.

Pipeline
  • spec → builder
  • code + security review
  • human approve → merge

Claude workflow

Spec-driven development with OpenSpec, GitHub Issues, and Claude Code. Skills, commands, conventions, parallel agents.

Conventions
  • skills · commands
  • parallel agents
  • spec-driven

ISO compliance

Engineering pipeline mapped to ISO 9001:2015 and ISO/IEC 27001:2022 clause by clause, with gaps surfaced as a first-class output.

Clause map
  • 9001 §4–§10
  • 27001 §4–§10
  • Annex A controls

Roadmap

Where the Conduction app ecosystem is heading — tracked live on GitHub Projects. What's next, what's in flight, what's shipped.

GitHub Projects
  • next · in flight
  • shipped
  • issues per spec

Pentest tools

Conduction runs automated security scans against every application daily, using the commercial pentest-tools.com SaaS scanning platform. Coverage spans the OWASP Top 10, common CVEs, TLS hygiene, network exposure, and subdomain enumeration — across our apps, the managed Common Ground tenant at commonground.nu, and the marketing surfaces under conduction.nl. These are scheduled scanner runs, not manual penetration tests; they catch regressions between releases rather than replace a scoped engagement.

When a finding appears, we triage it and start remediation within 8 business hours.

Quality workflow on GitHub

Every Conduction app lives in public on GitHub under the ConductionNL organisation. The reusable Quality workflow — defined once in the .github repo and called by every app — runs the same gate stack on every pull request: four parallel quality matrices, then a gated test stage, then reporting on every run, and a Software Bill of Materials on protected branches.

Stage 1 · parallel — Quality gates
Four matrix jobs, fail-fast off, every PR.
  • PHP Quality (matrix, composer scripts): lint · phpcs · phpmd · psalm · phpstan · phpmetrics
  • Vue Quality (matrix, npm scripts): eslint · stylelint
  • Security (matrix, audit): composer audit · npm audit
  • License (matrix, SPDX allowlist): composer · npm

Stage 2 · gated — Tests
Only after PHP Quality + Security are green.
  • PHPUnit (matrix, PHP × Nextcloud): php 8.3 / 8.4 · nc stable31 / 32 · pgsql 16 service
  • Integration (newman, Postman collections): newman run *.postman_collection.json
  • E2E (playwright, Chromium + V8 coverage): npx playwright test · spec-to-test ≥ 75%

Stage 3 · always — Reporting
  • Quality Report (PDF + PR comment + step summary): aggregates result-* artifacts · pandoc → wkhtmltopdf · 90-day retention
  • Coverage baseline (guard + auto-update): PR: block manual baseline edits · main / development: bump if improved

Stage 4 · protected branches — Bill of Materials
  • SBOM (CycloneDX, composer + npm, merged): composer CycloneDX:make-sbom · cyclonedx-npm · Grype CVE scan (fail on critical) · publish: artifact + release asset
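The stage structure above is easiest to read as a GitHub Actions reusable workflow. The block below is an added illustration written for this page, not the workflow in the ConductionNL .github repository: the action versions, the helper scripts under .github/scripts/, the `license-allowlist` composer/npm script, the audit severity thresholds, and the artifact names are all assumptions. What it shows is how the four stages map onto workflow primitives: `fail-fast: false` for the parallel matrices, `needs:` for the gate, `if: always()` for reporting, and a branch condition plus a Grype severity cut-off for the SBOM stage.

```yaml
# Added example of a reusable gate-stack workflow; not the ConductionNL .github file.
# Action versions, helper scripts under .github/scripts/ and artifact names are assumed.
name: Quality
on:
  workflow_call:
permissions: { contents: read, pull-requests: write }   # least privilege; report job comments on the PR

jobs:
  # Stage 1 · parallel. fail-fast: false keeps every cell running so one red tool
  # does not cancel its siblings and hide their findings.
  php-quality:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        script: [lint, phpcs, phpmd, psalm, phpstan, phpmetrics]
    steps:
      - uses: actions/checkout@v4
      - run: composer install --no-interaction --prefer-dist
      - run: composer run-script ${{ matrix.script }}

  vue-quality:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        script: [eslint, stylelint]
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run ${{ matrix.script }}

  security:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - { tool: composer, cmd: composer audit --locked }
          - { tool: npm, cmd: npm audit --audit-level=high }
    steps:
      - uses: actions/checkout@v4
      - run: ${{ matrix.cmd }}

  license:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        tool: [composer, npm]
    steps:
      - uses: actions/checkout@v4
      # license-allowlist: assumed script that exits non-zero on any SPDX id off the allowlist
      - run: ${{ matrix.tool }} run license-allowlist

  # Stage 2 · gated. needs: holds the tests until PHP quality and security are green.
  phpunit:
    needs: [php-quality, security]
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        php: ['8.3', '8.4']
        nextcloud: [stable31, stable32]
    services:
      postgres: { image: postgres:16, env: { POSTGRES_PASSWORD: nextcloud }, ports: ['5432:5432'] }
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with: { php-version: '${{ matrix.php }}' }
      - run: ./.github/scripts/nextcloud-setup.sh ${{ matrix.nextcloud }}   # assumed helper
      - run: vendor/bin/phpunit --log-junit result-phpunit.xml
      - uses: actions/upload-artifact@v4
        with: { name: 'result-phpunit-${{ matrix.php }}-${{ matrix.nextcloud }}', path: result-phpunit.xml }

  # Stage 3 · always. if: always() still reports when a gate failed, so the PR
  # comment shows what went red instead of nothing.
  report:
    needs: [php-quality, vue-quality, security, license, phpunit]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { pattern: 'result-*', merge-multiple: true, path: results }
      - run: ./.github/scripts/quality-report.sh results   # assumed helper: pandoc → wkhtmltopdf + PR comment
      - uses: actions/upload-artifact@v4
        with: { name: quality-report, path: quality-report.pdf, retention-days: 90 }

  # Stage 4 · protected branches only: SBOM, then a Grype scan that fails on critical.
  sbom:
    needs: [phpunit]
    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: composer install --no-interaction
      - run: composer CycloneDX:make-sbom --output-format=JSON --output-file=sbom-composer.json
      - run: npm ci && npx @cyclonedx/cyclonedx-npm --output-format JSON --output-file sbom-npm.json
      - uses: anchore/scan-action@v4
        with: { sbom: sbom-composer.json, fail-build: true, severity-cutoff: critical }
      - uses: actions/upload-artifact@v4
        with: { name: sbom, path: sbom-*.json }
```

Two details are worth checking in any real instance of this pattern. First, when the workflow is called from a pull_request run, `github.ref` is the synthetic merge ref, so the `sbom` job is skipped there and only runs on pushes to main or development; that is the intended "protected branches" behaviour, but it means a PR cannot be blocked on the CVE scan unless a separate scan job is added to Stage 1. Second, `if: always()` on the report job means a cancelled or failed gate still produces a report, which is what makes the PR comment useful, but the job must then be excluded from the branch ruleset's required checks or it would mask failures upstream.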

Around the pipeline

  • Branch protection — three org-wide rulesets enforce the same rules everywhere: at least one approving review to merge into development, at least two reviews to merge into main. Direct pushes to protected branches are blocked.
  • Two-track review — pull requests pick up the right reviewer through labels: code-review:queued triggers the code-quality review against PHPCS / PHPMD / Psalm / PHPStan (or ruff / mypy / ESLint per stack); security-review:queued triggers an information-security review against the relevant ISO 27001:2022 Annex A controls.
  • Hydra automation — routine review runs through Hydra, which watches PR labels, dispatches review jobs to specialised agents, and writes findings back as PR comments. Human reviewers approve before merge.
  • Spec-driven changes — larger changes carry an OpenSpec change folder and an ADR. Spec next to the code, ADR for the architectural decision, PR cites both — the documentation trail required by ISO 9001:2015 §7.5 without a parallel quality handbook to keep in sync.
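The label-driven two-track review can be sketched as a workflow triggered on the `labeled` event. This is an added illustration, not Conduction's Hydra: the `review-agent.sh` wrapper and the `*:done` labels are assumed, and the composer scripts named are the ones listed for the quality matrix above. The point it shows is that the label, which only someone with triage rights can apply, is the trigger; the job writes findings back as a comment and re-labels the PR, and never approves it.

```yaml
# Added example of label-driven review dispatch; not Conduction's Hydra.
# The review-agent wrapper script and the *:done labels are assumed.
name: Review dispatch
on:
  pull_request:
    types: [labeled]          # a label applied by a maintainer is the trigger

permissions: { contents: read, pull-requests: write }   # only what the job needs: comments and labels

# One review per PR and label at a time; re-queueing cancels the stale run.
concurrency:
  group: review-${{ github.event.pull_request.number }}-${{ github.event.label.name }}
  cancel-in-progress: true

jobs:
  code-review:
    if: github.event.label.name == 'code-review:queued'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { ref: '${{ github.event.pull_request.head.sha }}' }
      - run: composer install --no-interaction --prefer-dist
      # Evidence for the reviewer: the same static analysers the gate stack runs.
      - run: |
          composer run-script phpcs
          composer run-script psalm
          composer run-script phpstan
      - name: Review and write findings back
        env: { GH_TOKEN: '${{ github.token }}', PR: '${{ github.event.pull_request.number }}' }
        run: |
          ./.github/scripts/review-agent.sh code > findings.md      # assumed agent wrapper
          gh pr comment "$PR" --body-file findings.md
          gh pr edit "$PR" --remove-label code-review:queued --add-label code-review:done

  security-review:
    if: github.event.label.name == 'security-review:queued'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { ref: '${{ github.event.pull_request.head.sha }}' }
      - name: Review against ISO 27001:2022 Annex A and write findings back
        env: { GH_TOKEN: '${{ github.token }}', PR: '${{ github.event.pull_request.number }}' }
        run: |
          ./.github/scripts/review-agent.sh security > findings.md  # assumed agent wrapper
          gh pr comment "$PR" --body-file findings.md
          gh pr edit "$PR" --remove-label security-review:queued --add-label security-review:done
```

Two caveats apply to public repositories like these. A `pull_request` run for a PR from a fork receives a read-only GITHUB_TOKEN regardless of the `permissions` block, so the `gh pr comment` step fails there; the tempting fix, switching to `pull_request_target`, hands a write token to a job that checks out and executes the PR's own code (the composer scripts run from the PR head), which is the classic pwn-request pattern and should not be used with a head checkout. Keeping approval with a human reviewer under the branch rulesets, rather than letting the job call `gh pr review --approve`, is what makes the "human in the loop" claim hold even if a reviewing agent is wrong or manipulated by content in the PR.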

Beyond the two ISO certifications, the operating handbook, the pentest scans, and the GitHub workflow, the procurement-relevant compliance picture for Conduction is:

  • ISAE 3402 — managed hosting at commonground.nu runs on infrastructure operated by Cyso under ISAE 3402 Type II. Their attestation is available on request.
  • BIO — Baseline Informatiebeveiliging Overheid alignment is in progress. Status updates land here when complete.
  • DigiD — out of scope for our current portfolio. We integrate with DigiD-using systems but do not hold a DigiD assessment ourselves.

Compliance FAQ.

What is the difference between ISO 9001 and ISO 27001?

ISO 9001:2015 covers quality management: how we plan, build, deliver, and improve our work. ISO 27001:2022 covers information security: how we identify, mitigate, and audit risks to data we hold. Most procurement files want both. We are certified against both, by the same external auditor, on the same annual cycle.

Does Conduction's ISO 27001 certification cover my data when I self-host the app?

No. Self-hosted means your Nextcloud instance, your infrastructure, your data. Our ISO 27001 covers Conduction's own systems and the apps we develop. The security of the data you store in OpenRegister on your own server is your responsibility. If you want our certification to cover hosting too, use our managed Common Ground tenant at commonground.nu.

How often do you run the pentests?

Daily and automated, against every application. The pentest-tools.com scans cover the OWASP Top 10, common CVEs, TLS hygiene, network exposure, and subdomain enumeration. When a finding appears, we triage it and start remediation within 8 business hours.

Is Conduction BIO compliant?

BIO (Baseline Informatiebeveiliging Overheid) alignment is in progress. We use the BIO control set as the gap analysis against our existing ISO 27001 controls, and we publish a status update on this page once the alignment is complete. ISO 27001:2022 covers the majority of BIO requirements already, which is why most government clients consider Conduction procurement-ready today.

Do you hold a DigiD assessment?

No, DigiD is out of scope for our current portfolio. We build apps that integrate with DigiD-using systems (through OpenConnector), but we do not act as a DigiD service provider ourselves. If your tender requires a DigiD assessment, the assessment falls on the hosting party or the system that exposes the DigiD login.

What does the ISO 27001 certification cover at commonground.nu?

The managed Common Ground tenant runs on infrastructure operated by Cyso under ISAE 3402 Type II. Conduction's ISO 27001 covers the application layer (the Conduction apps, the development pipeline, the operations workflows), Cyso's ISAE covers the hosting layer (data centres, network, hypervisor). Together they cover the full stack a public-sector client buys at commonground.nu.

Can I get a copy of the Statement of Applicability or a pentest report?

The ISO 9001:2015 and ISO 27001:2022 certificates themselves are on this page — open the cert images for the full-resolution scans. For the SoA, the most recent internal-audit report, or the relevant pentest summary, write to info@conduction.nl with your contract or tender reference. We send those directly because we want a record of who is requesting them.