ISO 27001 Certification: The Fastest Route to the External Audit

Get your ISO 27001 certification in record time without cringe-worthy jargon, unnecessary input, and wasted time.


With an ISO certificate, clients trust you immediately. We make it so that you not only close deals more easily, but also save hundreds of hours per year on administration and pointless questionnaires. Security that generates money instead of costing time.

The consultants of AuditDirect have:

  • 100+ companies successfully guided

  • 10+ countries supported

  • 500+ audit days of experience

  • 7+ years minimum work experience

Our 4-Step ISO 27001 Process

Step 1: Documentation & Preparation

Our consultants collect all existing security measures and turn them into clear, practical documentation that matches exactly what the company already does. No unnecessary theory. Only what is needed to comply with the standard and enter the audit smoothly. This prevents delays, miscommunication, and duplicate work.

Steps 2 to 4: Implementation & Evidence, Audit & Certification, Maintenance & Follow-up

This is how we make sure every measure demonstrably works in practice and support the delivery of the required evidence. After that, we immediately schedule the audit and our consultants guide you through certification without confusion. After completion, we keep the system tight and up to date each year so follow-up audits continue to run smoothly and quickly with minimal internal burden.

For those who want to hear the ISO terms: Our expertise and jargon section.

We help you reach your ISO 27001 certification through a structured, stress-free process. As your expert partner, we provide full guidance, from the initial phase through to certification. We start with a detailed gap analysis to determine how far you are from meeting the standard. After that, we carry out an in-depth risk analysis to identify threats and vulnerabilities. Based on this, we support you in setting up the ISMS (Information Security Management System), including the careful drafting of the policy.

The core of the implementation is that we discuss with relevant stakeholders such as your staff and suppliers how the policy can be translated into practical controls in line with Annex A of the ISO 27001 standard. The process is completed when we carry out and document the internal audit and the management review to complete the final steps of the PDCA cycle, and to safeguard and demonstrate the effectiveness of the ISMS. This shows that your organization is fully audit-ready for the external certification audit.

Benefits of ISO 27001 Certification

Hundreds of hours saved

By documenting processes clearly and simply, without unnecessary fuss, you structurally prevent avoidable mistakes. No more unnecessary questions, no more surprises. That saves you hundreds of hours of operational time each year.

Clear insight into risk

Our systematic approach prompts you to take a practical look at the places where your data and business processes are truly vulnerable. You gain a clear view of your current security status and how you manage risks.

Close deals faster

No more delays caused by missing security documents during a deal. Security administration is suddenly clear and under control. You can deliver faster, and the stress is finally gone.

Focus on growth

We make sure you are audit-ready as quickly as possible. We take the lead on everything related to ISO 27001, so you can focus again on the real work: growing safely and continuously, without compliance holding you back. At last, peace of mind.

The consultants at AuditDirect have provided guidance in 10+ different countries

ISO 27001 Certification Products, Costs & Prices

ISO Reality Check

A brief, honest conversation to determine whether ISO 27001 is truly necessary.

FREE*

In 45 minutes, we will discuss:

  • Why the ISO requirement is there (from your client or internally)

  • Whether a certification is actually necessary, or if an alternative is sufficient

  • What your organization is already doing well

  • And what options you have to handle it smarter and simpler


And we are pragmatic enough that we are also willing to have this conversation with you and your client.

*A limited number of spots available.

Schedule your ISO Reality Check

More information

ISO Baseline Assessment

In one day, we assess together how far your organization has already progressed toward ISO 27001.

€1,250

Within 24 hours you will receive:

  • A complete baseline assessment of your current situation

  • An action plan with concrete next steps

  • Insight into your strongest points and areas for improvement

  • Support within the organization, as our consultants will conduct interviews with the involved employees


Guidance only starts after the baseline assessment. This way, we know exactly what is and what is not needed, without wasting your company's time.

Schedule your ISO Baseline Assessment

More information

ISO Internal Audit

A practical Internal Audit that tells you exactly whether you are ready for the external audit.

$1,600*

Within 72 hours you will receive:

  • A complete independent internal audit that meets clause 9.2 of the ISO 27001 standard.

  • Clear and applicable findings and recommendations

  • Concrete overview of areas for improvement before the external audit

  • Clear explanation for management and teams involved

*Price is based on a small organization.


Schedule your ISO internal audit

More information

Or are you ready for a Practical ISO 27001 Certification?
Book Your Free Intake Now!

ISO 27001 guidance from start to certification, without unnecessary jargon, headaches, and wasted time.

Contact information

Privacy statement

Frequently Asked Questions ISO 27001

What is ISO 27001?

ISO 27001 is the global standard for information security. It helps organizations keep their data safe by setting up a structured system: the Information Security Management System (ISMS).

ISO 27001 is primarily a management system. A certificate is not a 'guarantee' that an organization is 100% invulnerable, but it shows that you have put processes in place to continuously manage and reduce risks.

ISO 27001 is published by the International Organization for Standardization and is practical in nature. It is not only about theoretical security, but about setting up day-to-day processes that make your organization more resilient.

The standard consists of two main parts:

  1. The High Level Structure (HLS): the 10 chapters that set out the mandatory elements of the management system. They address questions such as:

    • What is our policy?

    • Who is responsible for what?

    • How do we analyze risks?

    • How do we train employees?

    • How do we arrange internal audits and management review?

  2. Annex A (the security measures): a list of 93 controls, divided into four themes:

    • Organizational measures: This includes access security, but also incident management, business continuity and supplier management.

    • Personnel measures: Making sure employees know how to work safely (awareness, screening).

    • Technical measures: Protecting data through encryption, strong passwords and multi-factor authentication.

    • Physical measures: Making sure offices, servers and hardware are protected against unauthorized access and theft.

An ISO 27001 certification shows customers and partners that you take data protection seriously and that it is embedded in your day-to-day operations.

How long does ISO 27001 certification take?

The average turnaround time is between 2 and 6 months, but it can take longer depending on complexity and ambition. It depends heavily on your starting point, the availability of resources, and your sector.

  • Fastest Scenario (2-3 months): Achievable for small businesses (up to approx. 20 employees) that already have the basics well in place. Think of existing measures such as password management, access management, incident management, and backups. The process then focuses on formalizing the system and adding any missing parts.

  • Normal Scenario (4-6 months): This is a realistic turnaround time for companies with 25+ employees. We work through the 10 chapters of the HLS and the relevant measures from Annex A in a structured way.

  • Slower Scenario (6+ months): For large organizations, companies in heavily regulated sectors, or organizations with a very complex IT infrastructure.

What the turnaround time depends on:

  • Organization size: Larger companies have more processes to document and more stakeholders to take into account.

  • Current Security Level: If you already have 60% of the measures in place, things move faster.

  • Available Internal Resources: Can you free up someone full-time, or is someone doing this alongside other work?

  • Technical Complexity: The more complex your IT landscape, the more time the implementation takes.

  • Regulatory Requirements: In healthcare (NEN 7510) or government, requirements are often stricter or more specific.

  • Risk appetite (how much risk you are willing to accept): How safe do you want to be? Are you aiming for a certificate by the skin of your teeth, or do you want a perfectly organized security level?

Is ISO 27001 required?

Legally speaking, ISO 27001 is basically not mandatory (there is no law that says "you MUST have it"), but commercially it is essential for many organizations.

Mandatory or required in these sectors:

  • Government: For projects for the government, ISO 27001 is often a hard requirement, specifically in combination with the BIO (Baseline Information Security for Government).

  • Healthcare: If you process patient data, NEN 7510 is often required (this is based on ISO 27001, but more specific).

  • Financial Services: Banks and insurers almost always require this from partners.

  • SaaS/Cloud Providers & Managed Services: Customers expect you to be ISO 27001 certified if you manage their data.

  • Critical Infrastructure: Energy, telecom, etc.

Why companies still do it: Even when it is not mandatory, it helps close deals. If two similar companies compete, the party with ISO 27001 often earns the trust. It also helps you meet the GDPR requirement to take "appropriate technical and organizational measures".

How much does ISO 27001 certification cost?

It is difficult to give exact prices in advance, because this depends greatly on the size and complexity of your organization. Please note that the costs consist of three components.

Note: The amounts below are indications. In practice, costs may vary.

1. Guidance and Implementation: This includes the gap analysis, policy development, setting up the ISMS, internal audits and guidance.

  • An internal audit alone quickly costs €1,600, and an implementation process (including audit guidance) often takes 10 to 15 days, so the costs differ from one company to another; more complex organizations often require even more time.

  • Warning: Be careful with providers that promise extremely low prices; it often turns out later that a lot of extra work is needed or that the quality is insufficient for the auditor.

2. The External Audit (The Certificate): This is carried out by an independent Certification Body (CB).

  • The costs for the initial audit (year 1) usually start at around €4,000 - €5,000 for the smallest organizations.

  • Annual follow-up audits usually cost between €1,500 and €2,500.

  • For larger organizations, these rates are considerably higher.

3. Technical Implementation & Tools: This is the most variable item. Sometimes open-source software or a small adjustment to existing tools is sufficient (such as enabling MFA). In other cases, the purchase of specific security software or an infrastructure upgrade is necessary. This can range from a few hundred euros to significant investments, depending on your current situation.

Cost of NOT doing it: Also consider the costs of not having information security: missed assignments, damage from data breaches, ransomware incidents or fines from the regulator.

What are the chapters of ISO 27001 (HLS)?

The standard follows the so-called High Level Structure (HLS). Chapters 4 through 10 contain the mandatory requirements for your management system:

  • Ch. 4: Context of the organization: Understand your environment, who your stakeholders are, and what their requirements are. Determine the scope of your ISMS.

  • Ch. 5: Leadership: Top management must show ownership, establish policy, and ensure that roles and responsibilities are clear.

  • Ch. 6: Planning: The heart of the system: the risk assessment. What risks are there, which ones do we accept, and which ones will we address? What are our objectives?

  • Ch. 7: Support: Provide resources (people, money, tools), awareness, communication, and the management of documented information.

  • Ch. 8: Operation: The actual carrying out of the processes and risk treatment. This is where theory becomes practice.

  • Ch. 9: Performance evaluation: Measure to know. Carry out internal audits, monitor results, and perform the management review.

  • Ch. 10: Improvement: Respond to nonconformities and continually improve the system.

The first three chapters (1, 2, 3) are introductory and contain no requirements (scope, normative references, terms and definitions).

Can a small business achieve ISO 27001?

Yes, definitely. ISO 27001 is scalable and adapts to the size of your organization.

A common question is: "Is ISO 27001 only for large corporations?" The answer is no. Many small businesses (5-20 employees) are successfully certified.

Benefits for Small Businesses:

Startups, small IT companies and service providers can gain significant benefits from ISO 27001:

  • Trust: Customers (and investors) trust you more quickly.

  • Competition: You win deals from larger competitors or companies that do not have their affairs in order.

  • Culture: Employees take security seriously from the start.

  • Scalability: Your processes are prepared for rapid growth.

How Small Is Too Small?

Although there is theoretically no lower limit, in practice it is assumed that an organization must consist of at least 2 people (these may also be hired staff). This is related to the requirement for segregation of duties; you can hardly independently check or audit yourself. For sole proprietorships, certification is therefore very difficult in practice.

Adjustments for Small Businesses:

The standard specifies what you must do, but not how. For a small business, this means:

  • Fewer formal and extensive procedures, more practical working agreements.

  • Combined roles (e.g. the operations director is also the Security Officer).

  • Use of standard tools (such as the built-in security of Microsoft 365/Google Workspace) instead of expensive enterprise solutions.

What is the difference between ISO 27001 and NEN 7510?

ISO 27001 is the general standard for all organizations. NEN 7510 has been specifically developed for the healthcare sector in the Netherlands and adds extra requirements for the protection of patient data.

Below are the main differences at a glance:

  • Scope: ISO 27001 applies to all organizations worldwide. NEN 7510 is specifically intended for healthcare institutions and medical service providers in the Netherlands.

  • Focus: Where ISO 27001 focuses on general information security, NEN 7510 focuses specifically on the availability, integrity, and confidentiality of patient data.

  • Origin: ISO 27001 is an international standard (ISO), while NEN 7510 is a Dutch standard (NEN).

  • Structure: Both standards use the High Level Structure (HLS) and the 93 controls from Annex A. NEN 7510, however, adds extra healthcare-specific requirements.

  • Oversight: In both cases, the certificate is issued by a Certification Body (CB). For NEN 7510, the Health and Youth Care Inspectorate (IGJ) may also provide statutory oversight.

  • Validity period: For both standards, the certificate is valid for 3 years.

  • Implementation time: An ISO process takes an average of 2 to 6 months. NEN 7510 often takes a little longer (3 to 8 months) due to the extra checks on patient data.

  • Logging requirements: ISO 27001 sets basic requirements for logging. NEN 7510 is much more extensive and requires exact logging of who viewed which record and when.

  • Physical security: With ISO, it is about standard access to and security of the premises. NEN 7510 sets stricter requirements, for example regarding the storage of medicines, prescriptions, and medical equipment.

ISO 27001 Compared to Other Standards

To understand what the right choice is for your organization, it is helpful to see how ISO 27001 compares with other commonly mentioned frameworks and standards.

The global standard: ISO 27001 is intended for all types of companies, regardless of the sector. Its biggest advantage is global recognition; with this certificate, you can show everywhere that you take security seriously. The focus is strongly on the 'Plan-Do-Check-Act' cycle, which means that you do not only secure but also continuously improve. Although it takes time and money to implement, the path is often easier and more logically structured than, for example, a SOC 2 process.

Specific to healthcare (NEN 7510): Do you work in healthcare or supply healthcare institutions? Then you will deal with NEN 7510. This is essentially ISO 27001, but supplemented with specific, stricter requirements for patient data. The big advantage is that it helps you meet the contractual requirements in the healthcare sector. The downside is that the process is more demanding than a regular ISO certification and that the standard is less relevant outside the Netherlands (and outside healthcare).

Focus on the US and SaaS (SOC 2): For SaaS companies and cloud providers that focus on the American market, SOC 2 is often important. Where ISO 27001 is about improving your management system, SOC 2 is purely about evidence (assurance): you must show that your controls worked at specific moments. Note: this is a very extensive and time-consuming process, often more demanding than ISO. In Europe, ISO 27001 is generally more widely recognized than SOC 2.

The law (GDPR): The GDPR is not a choice, but a legal obligation for every company that processes personal data. The aim is to prevent fines and protect privacy. The difficult part, however, is that the GDPR is a law and not a standard for which you can be certified. So you cannot hang a "GDPR certificate" on the wall. ISO 27001 does help you show that you have taken the technical and organizational measures required by the GDPR.

The entry point (internal policy): Very small companies sometimes choose to set up their own rules without an external standard. This is cheap and flexible, because you decide everything yourself. The major drawback is that it has no commercial value. Because there is no external auditor checking you, your own policy offers your customers no guarantee or proof of security.
