Do your customers ask whether details are safe at your organization? Or do suppliers or stakeholders ask which measures you took with regards to information security? And how do you show them that you correctly deal with this sensitive data? This is possible with a certification in the field of information security. U might have heard about the standards ISO/IEC 27001 and NEN 7510 before, but what does it exactly mean? What are the differences and what do all these abbreviations mean?

The abbreviations.

ISO stands for the International Organization for Standardization and IEC for the International Electrotechnical Commission. ISO focuses on standards for quality management systems, product-, material and construction standards, whereas IEC mainly focuses on all the International standards for electrical, electronic and related technologies. Together these organizations published the ISO/IEC 27001. In the Netherlands, this standard is also being called as NEN-ISO/IEC 27001. NEN is the abbreviation for the Dutch Standard. The Dutch Normalisation Institute owns the accepted International (ISO,IEC), European (EN) and National Standards (NEN) in the Netherlands.

Why do the information security standards exist?

Information security is highly demanded. Many organizations are facing confidential and/or privacy sensitive data on daily basis. It is crucial that this information won’t ‘’end on the streets’’. On one hand because you want to protect the data of your customers. On the other hand as the law- and regulations on this field are becoming more severe. With the information security standards, you are able to show your orginanisation you are dealing with the vulnerable data in a responsible way. Besides that, it helps to protect the confidentiality, availability and integrity of the data. With the standards you are able to implement the appropriate measures based on a risk analysis. Besides, the standards require to set up an Information Security Management System (ISMS). This management system can be tested via conducting an audit by a certified institution (CI) which is according to the ISO 27001 or NEN 7510 standard. When the audit results show that your system and processes are sufficient, you will receive a certificate for this. This certificate is evidence that the information security in your organization is adequately managed. Subsequently, you can use this for tenders, or requirements from customers or stakeholders.

ISO 27001

With the ISO 27001 certification, organizations show they take the appropriate control measures to realize data security. It preserves the availability, integrity and confidentiality of data. The ISO 27001 standard forms the worldwide standardization when it comes to information security. The basis for this is the implementation of an Information Security Management System, in which the management-and assurance measures taken by the organization will be determined. This will be done via a risk analysis.

NEN 7510

The NEN 7510 standard is developed by the Royal Netherlands Standardization Institute for information security in the health care institutions in the Netherlands. These standards describe measures that must be taken by health care institutions and suppliers. This, in order to protect data of patients adequately. These measures will result in a monitored process concerning information security. Besides, they relate to all the appearances in which data of patients is established. The security requirements apply to information within the care institution. Besides that, it applies to exchanged information shared within the organizations.

ISO 27001 vs NEN 7510

  • The basic of both standards is exactly the same but….
  • NEN 7510 owns 3 extra control measures compared to ISO 27001.
  • NEN 7510 has named a specific care control measure for 33 existing control measures.
  • NEN 7510 specifically focuses on organizations processing personal health care information, which is not the case at ISO 27001.

For which organizations is a ISMS- certification relevant?

The NEN 7510 certification is mostly suitable for organizations processing personal health care information. Examples are: ICT-service providers, application developers (PGO’s) in the care, and certainly the care institutions themselves. The ISO 27001 certification is suitable for all organizations who wish to guarantee information security in a structural way. This specifically applies to ICT-companies such as data centers, system operators, software suppliers, and data marketing agencies.


Do you wish to get more information about the standards or the implementation of these? Follow an introduction or implementation training that includes a complete explanation about the standards and to get insights about the implementation. View the training about information security

Did you know that…..

You can get certified for a both ISO 27001 and NEN 7510 in case information security needs to be demonstrated towards outside organizations, as well as when working with personal health care information? Going through the audit for both standards at once will safe a lot of time and costs. Besides, you will have your information security for all your stakeholders and/or customer adequately managed. Would you like to know more about ISO 27001 and/or NEN 7510? We are happy to help you! Please feel free to contact us.