Your information security in order
ISO 27001 certification
What is ISO 27001?
ISO 27001 is an international standard for information security. It describes the process by which an organisation gets and keeps its information security in order.
ISO 27001 centres on risk analysis, from which measures are selected to control and reduce risks to a level that is acceptable for the organisation in question. These measures can be based on the measures proposed in the standard, which form a coherent whole.
The benefits of ISO 27001
- An ISO 27001 certification shows that your organisation complies with strict information security requirements. This creates a good reputation and commercial opportunities for your organisation;
- ISO 27001 certification will reduce information security risks and prevent future incidents;
- Thanks to ISO 27001, you will comply with the most important laws and regulations concerning information security.
Getting ISO 27001 certified?
Why ISO 27001 certification?
As soon as sensitive or confidential information is processed, customers and users want a guarantee or some form of demonstrability that the organisation applies adequate information security.
The government may also require a certain certification within your organisation's industry. Consider, for example, the NEN 7510 for healthcare providers. Legislation around the AVG or Data Processing Act and the Cybersecurity Notification Duty may also increase the need for a certificate, or make one mandatory.
When there is a legislative requirement or great interest from customers or users to demonstrate that information security is in good order, ISO 27001 certification can be an excellent solution.
ISO 27001 implementation
Many SME organisations are reluctant to implement adequate information security according to ISO 27001. This is not entirely unexpected. On the one hand, the abstract wording of the standard makes translating it to their own practice very difficult; on the other hand, a large amount of documentation needs to be drawn up and new processes need to be implemented.
Many organisations therefore choose to have a large part of the implementation carried out by external consultants or to do only what is strictly necessary for the customer's requirements.
Yet implementing information security according to ISO 27001 need not be expensive or complicated for an SME organisation. Most SME organisations are organised in a similar way, so the main implementation requirements are comparable.
ISO 27001 audit
An ISO 27001 audit is used to determine whether your organisation is eligible for ISO 27001 certification. With an ISO 27001 certificate, your organisation demonstrates that it complies with the set standards and requirements around information security. The certificate is not granted just like that, however; there are many guidelines you need to meet.
An ISO 27001 audit for certification consists of two phases. The first phase mainly assesses the documentation, while the second phase looks at the implementation and operation of the ISMS.
Migrating from ISO 27001:2017 to 2022
The Dutch-language ISO 27001:2017 (and the English-language ISO 27001:2013) have been updated to the new ISO 27001:2022. This new standard is available in Base27 alongside the existing version. The new standard has been updated to reflect current threats, insights and techniques. This makes it more in line with information security practices.
Naturally, the ISMS needs to be adapted accordingly. The good news is that you are not alone; with the help of Base27, we offer you all the support you need to make this migration possible.
- Until 1 May 2024, initial audits may still be performed against the old ISO 27001:2017; after that date they are no longer possible.
- A transition period for existing certifications applies until 1 October 2025; before that date, the ISMS must therefore be migrated and audited (recertified).
ISO 27001 vs NEN 7510
When we talk about the international standard for information security, we are talking about ISO 27001. The process by which an organisation gets and keeps its information security in order is described in this standard. ISO 27001 is a broad standard, focusing on information security in general. When a company applies the processes around information security based on ISO 27001, it is also possible to obtain a certificate for this.
NEN 7510 is an information security standard specifically for organisations in the healthcare sector. This Dutch standard is required by law for institutions such as hospitals, general practitioners, pharmacists, nursing homes, etcetera. NEN 7510 is based on ISO 27001 and, despite some differences, the similarities between NEN 7510 and ISO 27001 are very great. NEN 7510 is in fact an addition to, or extension of, ISO 27001, which is where the differences can be found.