ISO/IEC 27001:2022 Annex A A.5.24–A.5.28 Incident Management for Dutch SMEs

Executive summary

Incident management in ISO/IEC 27001:2022 Annex A (A.5.24–A.5.28) is emphatically much more than “an incident register.” The controls require demonstrable preparation, triage & decision-making, coordinated response, learning/improvement, and evidence handling. Especially for Dutch SMEs without a SOC, blind spots and major risks arise: responsibilities are implicit, panic sets in, decisions are made in chat/phone calls and remain vague, evidence is lost, and reporting obligations are only addressed late. [1]

The biggest audit trap is getting stuck on: “just show me a list of incidents,” while the logic of the standard (and practical resilience) is about repeated action under pressure: who decides what, within what time, with what information, and how do you prove it afterwards. [2]

For SMEs, a “Minimum Viable Incident Management” approach is realistic and effective: a compact incident response plan, a simple severity matrix, a call and escalation list, fixed templates (incident log, decision log, evidence list, lessons learned), and contractual arrangements with ICT suppliers. This aligns with practical guidance from the National Cyber Security Centre[3] and Digital Trust Center[4]. [5]

Legally, an “incident” is often broader than a “data breach,” but as soon as personal data may have been affected, clear obligations apply: reporting deadlines, informing affected individuals when there is likely a high risk, and a documentation duty. In practice, organizations do not fail on technology, but on speed + substantiation (what did you know when, why did you report or not report, what evidence was collected, what decisions were made, and what did you do to limit damage). [6]

Scope and assumptions

This blog covers ISO/IEC 27001:2022 Annex A controls A.5.24 through A.5.28 (incident management) with a focus on Dutch SMEs without a dedicated security team and without a SOC. The following sources were used, among others: publications by the International Organization for Standardization[7], NEN[8], the Dutch Data Protection Authority[9], ENISA[10] and the National Institute of Standards and Technology[11] (for incident response and forensics). [12]

Because the exact ISO texts are protected by copyright, we do not quote them here verbatim: we do discuss the intent of the standard, and then translate it into practical, auditable implementation requirements, evidence examples, and SME-specific patterns. The ISO/IEC 27035 series is explicitly mentioned as relevant further reading for incident management (plan/prepare and lessons learned). [13]

Overview table: controls vs. typical failure patterns vs. audit evidence vs. remediation

Control A.5.24 Information security incident management planning and preparation

Scope and purpose

A.5.24 is about organizing in advance: processes, roles and responsibilities, so that during an incident you can act faster and more consistently, leading to less damage. This is in line with the definition of incident response as a coordinated process to limit damage and speed up recovery. [34]

For SMEs, the key is not “more documents,” but less improvisation: a small team that knows what to do, with a limited set of scenarios that you have actually practiced. [35]

Concrete implementation requirements

An audit-ready implementation for SMEs has at least:

Incident Response Plan (IRP) with scope and triggers - Define what your organization considers a “security event” and when something becomes an “incident” (incl. examples). [36] - Record which incident types you primarily prepare for (practical: ransomware, phishing/BEC, data breach due to misconfiguration, account compromise). This aligns with the NCSC approach of being prepared for incidents and incident response (including specifically ransomware). [35] Also record which actions must be taken immediately to limit further damage; it is important to do this beforehand, in a calm setting.

Roles and authorities (SME-realistic) - Incident coordinator (usually IT lead or MSP contact). - Business owner (management team member) for impact/continuity decisions. - Privacy/GDPR responsible person (DPO or “privacy contact point”) for data breach assessment and communication. - Communications owner (internal/external). - Supplier contact (MSP, cloud, software supplier). [37]

Severity matrix and escalation criteria - A severity matrix (S1–S4) based on impact (C/I/A), scope, customer impact, legal reporting obligations, recovery time. [21]Exercises and maintenance - Tabletop exercises (at least annually; more practical: 2× per year) and processing “lessons learned.” Practicing and testing preparation and recovery (such as backups) is an explicit part of “prepare for incidents.” [38]

Common SME shortcomings

Roles without authority: “IT will handle it,” but IT is not allowed to decide to shut down production, inform customers, or make a legal report. Result: lost time and chaotic communication. [39]

No contractual path to suppliers: in incidents, the MSP is often the actual responder, but escalation/SLAs/forensic support are not arranged in advance. You see this in supply-chain-like incidents where many organizations depend on a single management platform. [40]

No practice: the plan exists, but has never been tested. Then the call tree, access to admin accounts, crisis communication, and decision-making fall apart under pressure. [41]

Audit shortcomings: what is asked too little, and what is actually needed

What auditors often accept - “Here is our incident procedure document” + “here is the incident list.” [42]

What you should also want to see as an auditor - Evidence that the IRP works: exercise report + improvement actions + retest (PDCA). [43]
- Current call and escalation list (including outside office hours) and demonstrable use in at least one (tabletop or real) scenario. [44]
- Scenario runbooks (ransomware/data breach/account compromise) including “first 60 minutes” actions. [45]

Recommendations and practical tips

Tip: build an “IRP-lite” that you are willing to use - 3 pages is often better than 30: (1) scope/roles, (2) severity + escalation, (3) runbooks + evidence checklist. [15]

Tip: define decision authority in advance - Who may: isolate systems, reset accounts, communicate externally, start forensic investigation, inform customers, report a data breach? This prevents a decision vacuum. [46]

Tip: make recovery testable (not just backup creation) - Test recovery periodically; otherwise you only discover during an incident that restores do not work or are too slow. [47]

Relevant audit questions and red flags

Interview questions - “Who is incident coordinator in the absence of person X, and how do we reach them outside office hours?” [44]
- “Which 3 incident types have you practiced, and what did you change after the exercise?” [43]

Document checks - IRP version control + change log + exercise reports. [14]
- Supplier contracts/SLAs: incident notification, support with forensics, log access, response times. [48]

Red flags - “We didn’t have time to practice” (structural). [27]
- “We’ll just call someone when it happens” without a call tree and without escalation criteria. [15]

Control A.5.25 Assessment and decision on information security events

Scope and purpose

A.5.25 is about triage and decision-making: assessing security events and deciding whether (and how) they should be handled further as incidents. The intent of the standard is that you do not only respond once it is “clearly wrong,” but that there is a consistent, documented assessment step that triggers prioritization and response. [49] It also means that events without impact or potential impact do not need to be fully documented, which saves administration.

Concrete implementation requirements

Definitions and classification - Define “event,” “incident,” “data breach/personal data breach” and link them to decision criteria. [50] - Implement a simple classification: impact (C/I/A), likelihood/certainty, scope, legal/contractual impact, and urgency. [21]

Decision log (auditable) - Record: who assessed, what evidence was available, what severity, what decision (escalate/monitor/close), and why. In practice, this is crucial to be able to justify decisions afterwards (also to a regulator). [51]

Link to data breach reporting obligations - If personal data may have been affected, you must make that assessment explicitly and in a timely manner, because the reporting deadline is short and documentation is required. [52]

Common SME shortcomings

Triage = “gut feeling”: one IT person decides by intuition and closes reports too early (“false alarm”), causing later escalation to come too late. This pattern is even more common in organizations with limited detection/monitoring. [53]

No recording of events: events that happen frequently are therefore forgotten and not structurally analyzed for trends (and cause). One CEO fraud email is not a big deal, but 12 per year may point to a targeted attack.

No separation between incident management and privacy assessment: a potential data breach is handled purely technically and the legal workflow is forgotten (notification to regulator/affected individuals and documentation). [54]

Audit shortcomings: what is asked too little, and what is actually needed

Too low a bar - An incident register without visible classification/triage and without a decision log. [55]

What “good” looks like - For 3–5 random events: complete triage (input → assessment → decision → follow-up), including evidence (log fragments, tickets, emails/Teams) and explicit data breach assessment where relevant. [56]

Recommendations and practical tips

Tip: make triage low-threshold, but mandatory for S2+ - Use a template with 10 fields (time, source, system, type, C/I/A, scope, suspected cause, actions, decision, owner). Consistency beats perfection. [57]

Tip: include “decision rules” that auditors can follow - Examples: “If email account compromised + mailbox rules → automatically S2/S3”; “If production >2 hours down → S3”; “If personal data may be exfiltrated → privacy assessment within 4 hours.” (Example rules: fill in organization-specific.) [58]

Relevant audit questions and red flags

Interview questions - “When was the last time an event was not classified as an incident—why, and who decided that?” [59]
- “Who does the data breach assessment when the privacy contact person is absent?” [60]

Log/tool checks - Are there “security events” in logs (for example M365 sign-in alerts) that never come back in triage? (That is a sign that triage is not end-to-end.) [18]

Red flags - No proof that decisions were recorded (“it’s in Teams”). [61]
- Everything is classified as “low,” but there have been clear disruptions (for example recovery actions, downtime). [62]

Control A.5.26 Response to information security incidents

Scope and purpose

A.5.26 requires that you handle incidents according to documented procedures, in a coordinated approach that includes containment, recovery and communication. This aligns with standard incident response phases (detection/analysis → containment → eradication → recovery → post-incident). [63]

Concrete implementation requirements

Operationalizing procedures - Runbooks per incident type with: first response, containment options, recovery steps, communication steps, and “stop/think” decision points (for example isolate vs shut down). [64]

Communication plan (internal and external) - Who communicates what, to whom, when, and through which channels; including customers/suppliers and—if relevant—mandatory communication. [37]

Recovery organization - Recovery of critical processes should be aligned with what you consider the maximum acceptable outage and what you need to protect; that requires thinking about recovery in advance (KPIs/continuity). [65]

Common SME shortcomings

Containment is too drastic or too late - Too drastic: shutting everything down immediately (loss of evidence, longer downtime). - Too late: keeping on “watching” until ransomware or exfiltration proceeds. Organized response reduces those extremes. [66]

Recovery without integrity checks - SMEs often recover “as quickly as possible” without validating whether systems are clean or backups are reliable. NCSC emphasizes the importance of recovery setup and backup testing. [67]

Maintaining containment and response measures: after the incident, losing focus on the measures taken because of the incident, causing for example a “temporary downgrade of security to keep working” to become a permanent downgrade of security.

Supplier only comes into view when it is already burning - With MSP/cloud dependencies, it becomes clear during a crisis that support is not 24/7, or that log access/forensics are “extra.” Supply-chain incidents show how broad the impact can be. [68]

Audit shortcomings: what is asked too little, and what is actually needed

Too thin audit practice - “Show 1 incident; okay, it is registered.” (But the key is: was the response demonstrably according to procedure, including communication, containment, recovery and evidence?) [42]

What you as auditor should require (sample) - An end-to-end dossier: timeline, decisions, communication, recovery, and (where relevant) data breach notification or justification for why not. [69]

Recommendations and practical tips

Tip: separate “business restore” from “forensic preserve” - Create an explicit moment: “freeze evidence” (log export, snapshots) before large-scale cleanup actions. This is consistent with forensic best practices. [70]

Tip: work in two speeds - Fast lane: business continuity (minimum restore). - Deep lane: root cause analysis (what/how got in, what was affected, what needs to improve structurally). [71]

Tip: secure communication artifacts - Keep (1) an internal status update (timeline), (2) a customer message (if needed), (3) a supplier escalation email/ticket, and (4) a management decision log. [72]

Relevant audit questions and red flags

Interview questions - “Show the latest incident where you isolated systems: how was the decision made, and which procedure did you follow?” [73]
- “Who may communicate externally, and how do you avoid conflicting messages?” [39]

Document checks - Runbooks + proof that they were used (tickets, exports, changelogs). [74]

Red flags - Unexplained absence of logs/snapshots “because we already reinstalled everything.” [75]
- No demonstrable backup recovery test, while saying “we can always restore.” [76]

Control A.5.27 Learning from information security incidents

Scope and purpose

A.5.27 requires that lessons learned from incidents are used to strengthen controls and processes and prevent recurrence. This is also a core part of ISO/IEC 27035 (lessons learned phase) and of common incident response guidance (post-incident activity). [77]

Concrete implementation requirements

Post-Incident Review (PIR) as a fixed process - Within a fixed period (for example 10 working days), conduct a review including: root cause, what went well/wrong, detection points, response time, communication, customer impact, costs/hours, and improvement actions. [78]

Trend & metrics (SME-light) - Track at least: incident type, volume, lead time to detection/containment, business impact, and (rough) costs/hours. This supports management decision-making and prioritization. [29] This can also be valuable to do periodically for events.

Demonstrable follow-up - Improvement actions get an owner, deadline, and status. “Lessons learned” without follow-up is useless from an audit and operational perspective. [29]

Common SME shortcomings

“We don’t have time” - The organization moves on after recovery, but leaves the root cause and structural improvements untouched. As a result, the incident repeats (variants of the same pattern). [43]

No feedback loop to awareness - The incident is not translated into behavior and process (for example phishing → training → email hardening). ISO/IEC 27035-2 explicitly mentions lessons learned; NCSC also emphasizes preparation and learning. [29]

Audit shortcomings: what is asked too little, and what is actually needed

Too low a bar - An “evaluation” without concrete improvement actions, or only technical actions without governance/communication lessons. [29]

Strong evidence - PIR document + action tracking in ISMS + proof of implementation (config changes, training material, adjusted runbooks) and a second moment at which it was determined that things are now better. [28]

Recommendations and practical tips

Tip: “Max 3 improvements, but actually finish them” - Otherwise SMEs drown in improvement lists. Choose the 3 most risk-reducing actions (for example MFA for admins, expand logging, backup recovery test), and complete them. [79]

Tip: create a quarterly routine - Every quarter 30 minutes: trend overview of incidents/events + status of improvement actions. This is cheap, but keeps it alive. [43]

Tooling: use helpful applications where possible that support the processes (and also send reminders).

Relevant audit questions and red flags

Interview questions - “What structural change resulted from the last serious incident, and how do you prove that the change was implemented?” [29]

Red flags - PIR exists only for major incidents (“the rest is not important”). A.5.27 explicitly also covers learning from smaller incidents and trends. [78]

Control A.5.28 Collection of evidence

Scope and purpose

A.5.28 requires that you have procedures to identify, safely collect, preserve and transfer evidence around security events/incidents. The goal is twofold: - solve the incident (technically and organizationally), - and support legal/contractual steps where needed. [80]

For SMEs, this is one of the most forgotten controls, but also one of the easiest improvements to make: a simple evidence checklist + retention agreements prevents you from later being unable to defend yourself (“we do not know what happened” or, legally even worse: “we cannot prove that the evidence was not tampered with”). [81]

Concrete implementation requirements

Evidence playbook - What do you collect for which incident types (ransomware, BEC, data breach, insider, misconfiguration). - In what order (evidence freeze before cleanup). - Where do you store it (segregated, restricted access). - Who may view/share it. [82]

Chain of custody (practical) - A log with: item, source, time, collector, storage location, transfers, integrity characteristics (for example hash where relevant). It remains especially important if legal action may follow. [83]

Log retention and integrity - Without minimum log retention, “collecting evidence” is practically impossible. This is not just technical, but also governance (which logs, how long, and who can access them). [84]

GDPR implications: evidence is often personal data too

In many incidents, logs, emails and IDs contain personal data. Practically for SMEs this means: - restrict access to evidence (need-to-know), share externally only what is necessary (data minimization), - record why you share information (accountability), and make sure your data breach documentation is in order (that documentation duty exists explicitly). [85]

Common SME shortcomings

“We already threw it away” - Endpoint reinstalled without exports; mailbox cleaned up; logs overwritten due to short retention; cloud audit logs not enabled. Then only sentiment remains, no facts. [75]

Evidence contaminated - SMEs let responders log in immediately, run tools, move files without recording it. Later it is no longer provable what was original and what was changed by response. [86]

Audit shortcomings: what is asked too little, and what is actually needed

Too low a bar - “We keep logs” without retention period, procedure, access restriction and without an example of an evidence set. [87]

Strong audit approach (practical) - Take one incident and ask: “What evidence was secured, where is it stored, who had access, and how do you show integrity/chain of custody?” [88]

Recommendations and practical tips

Tip: evidence checklist per scenario (start small) - Ransomware minimum set: domain controller logs, EDR alerts, backup logs, snapshots, list of encrypted systems, ransom note, netflow/firewall logs if available. [89]

Tip: use an “evidence vault” - A separate, restricted storage location (for example a protected SharePoint/drive) with access logging and version control. This is already a major step for SMEs. If possible, apply integrity measures such as hashing.[55]

Relevant audit questions and red flags

Interview questions - “What is your minimum log retention per core system, and how do you prevent overwriting during incidents?” [33]
- “Can you show how the chain-of-custody template is used?” [90]

Red flags - No “freeze evidence first” procedure. [33]
- Evidence is shared via email/WhatsApp without controls or a minimum set. [91]

Thematic patterns, cases and SME checklist

Preparation and governance

An SME implementation only works if governance is right: who decides, who pays, who communicates. NCSC emphasizes preparing for incidents as a basic principle, including planning, practicing and tested recovery. [92]

Implementation patterns (SME) - “Virtual IR team” (no SOC): fixed core + fixed external responder (MSP/forensics firm) with contractually agreed response times and deliverables. [93]
- Management decision log: every S3/S4 incident has a management decision log (even if it is short). This is auditable and speeds up reporting decisions. [51]

Typical case (NL): ransomware and governance failure - In the case around Hof van Twente[94] (ransomware), administrative evaluations strongly highlighted how large the impact on services can be and which administrative lessons emerged (including around monitoring, steering and resilience). [95]
How better A.5.24–A.5.27 would have helped: pre-practiced escalation + recovery scenarios, sharper steering on risk reduction and demonstrable follow-up of improvement points.

Detection and triage

Without a SOC, you need to outsource triage wisely: use cloud-native alerts (M365/Google/EDR), create a reporting channel for employees (phishing/suspicious emails) and create a simple severity matrix that speeds up decisions. [96]

Typical case (NL): late detection → severe impact - In the report on the cyberattack at Maastricht University[97], it was described, among other things, that insufficient detection/monitoring and follow-up after phishing played a role in the later execution of ransomware. [98]
How better A.5.25 would have helped: earlier event→incident escalation, documented triage and prioritization, and faster containment.

Response and escalation

For SMEs, the first-hour phase (“first 60 minutes”) is often decisive. NCSC explicitly offers guidance on incident response and communication. [99]

The biggest practical tip here is to use specific tooling that works for you.

Learning and improvement

Learning is not “post-mortem if there is time,” but a control (A.5.27). ISO/IEC 27035-2 explicitly mentions plan/prepare and lessons learned as part of incident response guidance. [101]

Practical pattern - PIR template + improvement action register + quarterly management review (30 minutes). [29]

Evidence and forensics

Practical depth: chain of custody and log retention (SME-proof)

- NIST emphasizes the importance of documented evidence handling when evidence may also be needed for legal processes. [75]

- ENISA provides guidance for first responders on handling electronic evidence and the importance of an audit trail/chain of custody. [103]

What you should arrange at minimum in an SME

- Evidence freeze: export logs + snapshots before cleanup.

- Chain-of-custody template (1 page).

- Minimum log retention for core systems (auth, email, endpoint, firewall) aligned with risk. [70]

Suppliers, BCP and privacy

Suppliers - Contractually require: incident notification, support with investigation, response times, and access to relevant logs. The Kaseya VSA supply-chain ransomware case shows that many (SME) organizations can be hit at the same time through management chains; this makes supplier agreements a priority. [40]

Business continuity - NCSC emphasizes recovery, MTPD-like thinking (maximum outage duration) and testing backups as core to recovery capability. [104]

Privacy/reporting obligation - The Dutch DPA provides step-by-step guidance on reporting data breaches and criteria for whether or not to report and inform affected individuals. [105] - The DPA has also published guidance and “10 tips” to make data breach registration more professional; this is directly relevant to audit evidence around incident documentation. [106] - The fine for a late notification (Uber) underscores that timeliness and compliance are actually enforced. [107]

Closing checklist for SME managers

This checklist is intended as the “audit-ready minimum” for A.5.24–A.5.28:

Governance & preparation - IRP (≤3–5 pages) with roles, scope, call tree and external contact points. [14]
- Severity matrix + escalation criteria (S1–S4) + event→incident decision tree. [21]
- 2 tabletop exercises per year + demonstrable improvement actions. [43]

Triage & decision-making - Triage template + decision log mandatory for S2+. [55]
- Data breach assessment workflow (who, when, what information is needed). [105]

Response - Runbooks for the top 3 incident types (ransomware, BEC/phishing, data breach due to misconfiguration). [45]
- Internal/external communication plan (incl. customers/suppliers). [39]
- Backup recovery test frequency recorded and carried out. [76]

Learning - PIR within 10 working days + action owners/deadlines + quarterly review. [29]

Evidence/forensics - Evidence checklist + “freeze first” procedure. [70]
- Chain-of-custody template and secure evidence storage (need-to-know). [108]
- Minimum log retention for core systems (auth/email/endpoint/firewall) aligned with risk. [33]

Suppliers/contracts - Contractual incident notification, response times, forensic support and log access with MSP/cloud suppliers. [48] 

Sources and references

[1] [2] [5] [9] [14] [15] [16] [17] [22] [23] [34] [42] [44] [73] [74] [99] NCSC - Incident response plan

https://www.ncsc.nl/incidenten-en-herstellen/incident-response-plan

[3] [13] [28] [29] [77] [78] [101] ISO/IEC 27035-2:2023 - Information technology

https://www.iso.org/standard/78974.html

[4] [11] [26] [27] [35] [38] [41] [43] [79] [92] Basic Principle 5. Prepare for incidents

https://www.ncsc.nl/basisprincipes/basisprincipe-5-bereid-je-voor-op-incidenten

[6] [20] [52] [54] [58] [60] [69] [105] How to report a data breach

https://www.autoriteitpersoonsgegevens.nl/themas/beveiliging/datalekken/zo-meldt-u-een-datalek

[7] [47] [76] How do I test a backup?

https://www.ncsc.nl/back-up/hoe-test-ik-een-back-up

[8] [39] [46] [72] External communication after an incident

https://www.ncsc.nl/incidenten-en-herstellen/externe-communicatie-na-een-incident

[10] [40] [48] [68] [93] CISA-FBI Guidance for MSPs and their Customers Affected ...

https://www.cisa.gov/news-events/alerts/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa-supply-chain-ransomware-attack

[12] NEN-EN-ISO/IEC 27001:2023 nl

https://www.nen.nl/nen-en-iso-iec-27001-2023-nl-314206

[18] [36] [37] [49] [50] [57] [96] [100] Incident response: where do I start?

https://www.ncsc.nl/incidenten-en-herstellen/incidentresponse-waar-begin-ik

[19] [51] [56] [59] [85] [106] The Dutch DPA provides guidance on registering data breaches...

https://www.autoriteitpersoonsgegevens.nl/uploads/imported/handreiking_verbeteren_registratie_datalekken.pdf

[21] Plan: Your cyber incident response processes

https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes

[24] [62] [65] [67] [71] [104] How do I recover from a cyber incident?

https://www.ncsc.nl/incidenten-en-herstellen/herstel-van-een-cyberincident

[25] [45] [64] [94] NCSC - Incident response plan ransomware

https://www.ncsc.nl/incidenten-en-herstellen/incidentresponsplan-ransomware

[30] [32] [81] [82] [97] Good Practice Guide for Incident Management - ENISA

https://www.enisa.europa.eu/sites/default/files/publications/Incident_Management_guide.pdf

[31] [63] [66] [75] [80] [84] [87] [89] [102] Computer Security Incident Handling Guide

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

[33] [70] [86] NIST SP 800-86, Guide to Integrating Forensic Techniques ...

https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-86.pdf

[53] [98] CYBERATTACK MAASTRICHT UNIVERSITY

https://www.onderwijsinspectie.nl/site/binaries/site-content/collections/documents/2020/06/12/rapport-cyberaanval-universiteit-maastricht/Rapport%2BCyberaanval%2BUniversiteit%2BMaastricht.pdf

[55] [61] [91] 10 tips for professional data breach registration

https://www.autoriteitpersoonsgegevens.nl/uploads/imported/10_tips_datalekregistratie.pdf

[83] [88] [90] [108] Electronic evidence - a basic guide for First Responders

https://syntheticdrugs.unodc.org/uploads/syntheticdrugs/res/library/cybercrime_html/Electronic_Evidence_A_Basic_Guide_for_First_Responders_ENISA.pdf

[95] The perfect storm

https://gemeenteraad.hofvantwente.nl/Vergaderingen/Gemeenteraad/2022/25-oktober/19%3A30/Eindrapport-rekenkamercommissie-Informatiebeveiligingsbeleid-Hof-van-Twente-De-perfecte-storm-1.pdf

[103] Electronic evidence - a basic guide for First Responders - ENISA

https://www.enisa.europa.eu/publications/electronic-evidence-a-basic-guide-for-first-responders

[107] AP fines Uber for late reporting of data breach

https://www.autoriteitpersoonsgegevens.nl/actueel/ap-legt-uber-boete-op-voor-te-laat-melden-datalek