ISO 27001 & NEN 7510: the ins and outs

ISO 27001 is the international standard for information security and describes how information can be secured in a process-oriented way. In principle, ISO 27001 is relevant to every organization, especially those that handle a lot of data. This is the case, for example, in the information technology sectors of finance, healthcare, telecom and government. You would expect these sectors to have at least an ISO 27001 certification because of the multitude and susceptibility of information that is exchanged and stored in these sectors. The standard sets requirements for establishing, implementing, verifying, assessing, maintaining, and improving the ISMS.

The ISMS is a management system for information security. An ISMS contains policies, procedures and the strategy of your organization. It should be implemented into business processes. The goal of the ISMS is to better secure (confidential) information. The basis of the ISMS contains an analysis of the risks that the organization faces, with a view to the information that is being handled. To control those risks, safeguards have been established. Those safeguards are referred to as controls and are included in Annex A of the ISO 27001 standard. Organizations should implement these controls to comply with ISO 27001. It depends on every organization how it is implemented, depending on the working method of the specific organization. It can be stated that ISO 27001 is the fundament of a successful ISMS.

Even though it is not a legal requirement to have an ISO 27001 certification, it certainly improves the market position of an organization. Namely, customers want to be assured that their information is safe with the organization. Otherwise, e.g. trade secrets may be disclosed inappropriately, and end users’ (e.g. patients) data must be protected. Besides, ISO 27001 certification is often required in the marketplace by customers, grant providers or investors.
Curious about how to become ISO 27001 certified? We already set up a step-by-step plan with eight clear steps on how to obtain your certification, which you can read here.

NEN 7510 is a standard developed by the Dutch institute ‘Nederlandse Norm’ (NEN). NEN 7510 is applicable within the Dutch borders. NEN 7510 is an addition to ISO 27001, containing a specification of ISO 27001 for the Dutch healthcare sector. NEN 7510 knows the same safeguards as ISO 27001 regarding the availability, integrity and confidentiality of information by applying a risk management process. NEN 7510 describes the way every organization handles personal data should give substance to internal processes to comply with information security requirements. The NEN 7510 structure is almost identical to ISO 27001, but there is a slight difference: the NEN 7510 standard consists of two parts, where part 1 is comparable to ISO 27001 and explains the risk controls. Part 2 can be seen as an additional part and adds extra controls for healthcare organizations and other providers of personal health data.

NEN 7510 is an extension of ISO 27001; therefore, several similarities regarding information security can be stated. With a view to overall similarities, it is relevant to scrutinize the differences between the two standards. To create a clear overview, five differences will be listed below.

• Whereas ISO 27001 applies to various organizations, NEN 7510 is only applicable to every organization handling patient data.
• NEN 7510, as the abbreviation shows, is a specific Dutch standard and therefore not suitable for cross-border information security.
• ISO 27001 contains 114 controls, divided into 14 categories (Annex A of the Standard). NEN 7510 adds healthcare-specific implementation controls for 33 of the existing 114 controls. Categories are, for example, physical access, communication and development.
• In addition to the previous point, NEN 7510 also applies three extra controls regarding personal health data.

As mentioned, NEN 7510 is specifically applicable to health data. ISO 27001 is applicable for all data, in the light of information security. Therefore, the type of information is the most important factor when it comes to choosing ISO 27001 or NEN 7510. In case no health data has to be secured, NEN 7510 is not applicable, so you can choose ISO 27001. When information security does concern health data, you can choose NEN 7510.
It is important to determine whether your organization processes patient data within the view of the European General Data Protection Regulation (“GDPR”). If an organization, whether or not on behalf of, and for the benefit of another party (as a processor), processes personal data relating to health, the organization is eligible for NEN 7510 certification. If not, the auditor will not approve certification under NEN 7510, and the ISO 27001 certification will suffice.

If your organization processes both general data and healthcare data and operates within Dutch borders: both standards are applicable. The scope of your certification is important at this point. If your organization deals with international stakeholders regarding the information to which your certification applies, a NEN 7510 certification may not be sufficient. As mentioned before, this standard is only useable in the Netherlands. If you cross national borders, ISO 27001 will be the better option. As such, if the scope of your desired certification is international, including the Netherlands, a combination of both certificates can be beneficial.