NAALA | Not An Average Legal Advisor

The new NEN 7510: What you need to know

Sofie Geurts

Legal Consultant

Published on 28 October, 2024

Introduction

With the release of ISO 27001:2022, NEN 7510 is gearing up for a significant update. Final adjustments are currently underway, and the new version is expected to be published by the end of this year or early next year. Whether your organisation is already certified or plans to be in the future, it is important to understand the updates so you can remain compliant and keep your information security management practices up to date.

In this blog, we’ll guide you through the major changes and how to smoothly transition to the new version of NEN 7510.

About NEN 7510

Often referred to as the Dutch version of ISO 27001, NEN 7510 is a standard for information security in healthcare. Designed for healthcare organisations, it helps safeguard patient data and other medical information. In the Netherlands, healthcare providers are required to comply with NEN 7510, as well as NEN 7512 and NEN 7513. For more details, see the AVG Helpdesk Zorg website.

Although ICT suppliers are not legally required to comply, they are often contractually bound by their clients to adhere to or certify against NEN 7510 if they process personal health information. This is frequently a requirement in data processing agreements (DPAs). For more information on drafting effective DPAs, read our blog about DPAs.

Simply put – whether you’re a healthcare provider or an ICT supplier in the Netherlands processing personal health information – NEN 7510 compliance is essential.

Key Changes in NEN 7510

NEN 7510 is made up of two parts: NEN 7510-1, which follows the Harmonised Structure (HS) and aligns with ISO 27001, and NEN 7510-2, which corresponds to ISO 27002. Below are the key changes in each part, starting with NEN 7510-1.

  • From High-Level Structure (HLS) to Harmonised Structure (HS): The structure has shifted to HS, in line with ISO 27001:2022, which makes it easier to implement and audit several management-system standards side by side.
  • Climate change consideration: Organisations must now factor in climate change when analysing the context of their ISMS (4.2), both as a potential risk and as a stakeholder expectation. This requirement stems from an amendment that has been applied internationally to all HS standards, including the amendment to ISO 27001.
  • Planned changes: Changes to the ISMS must now be carried out in a planned and documented manner (6.3), and the process for planning such changes must itself be documented.

  • New structure: The number of chapters has been reduced from 15 to 8, bringing the structure of NEN 7510-2 in line with the 2022 edition of ISO 27002. Additionally, healthcare-specific controls are now marked with the prefix HLT (for HeaLTh) instead of the "[healthcare-specific]" tag used in the previous edition.
  • Consolidation of controls: To avoid overlap and make the standard more practical, several controls have been merged. Each control now includes an objective and a set of characteristics, which are intended to make implementation and monitoring more efficient.
  • NIS2 directive alignment: NEN 7510-2 now incorporates stricter security requirements in line with the NIS2 directive, which aims to improve the resilience of critical sectors, including healthcare. The standard includes a mapping of NIS2 measures, making it easier for organisations to comply with both NEN 7510 and the broader NIS2 directive.
  • "Comply-or-explain" principle: Organisations are now required to implement specific controls unless they can provide a valid, documented justification for not doing so. This principle allows some flexibility, but organisations must record why a control is not applicable and how they still manage the related risks.
  • New organisational controls: Several new controls have been introduced, including:
    • Organisations must actively gather and document information on potential threats (threat intelligence). This keeps them informed about emerging risks and improves their readiness to handle such threats effectively (5.7).
    • Both internal and external information flows, including interfaces, must be properly inventoried. This is important for transparency and for maintaining control over how data is managed and transferred (5.9).
  • Management training: To ensure effective oversight of information security, the updated standard requires management to undergo regular training tailored to their specific roles in information security (HLT 6.9).
  • Zero trust principles: The zero trust model has been formally introduced (HLT 8.35). This approach assumes that no user or device, inside or outside the organisation, is trusted automatically; every access request is verified. Key elements of zero trust are:
    • Strong identity verification for all users.
    • Device validation before access is granted.
    • Access limited to explicitly authorised resources, with the least privilege necessary.
    • Mutual authentication of users, devices and services, regardless of their location.
  • Emergency communication: An important addition to NEN 7510-2 is the requirement for emergency communication channels (HLT 5.42). Organisations must establish and maintain communication channels that can be activated during ICT outages, so that they can keep operating during a crisis. These channels must be tested regularly to confirm that they work in real-world scenarios.
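To make the zero trust elements listed under HLT 8.35 concrete, here is a minimal access-decision function that applies all four of them to every request. It is an added illustration, not text or code from NEN 7510 or from NAALA; the roles, resources and the `POLICY` allow-list are hypothetical values constructed for the example, and the device "compliance" and certificate flags stand in for the results of real posture and mTLS checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    subject: str
    mfa_verified: bool       # strong identity verification (e.g. phishing-resistant MFA)
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool           # known, managed device
    compliant: bool          # posture check passed (patched, disk encrypted, EDR running)
    client_cert_valid: bool  # device proved its identity to the service (client side of mTLS)


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    resource: str
    action: str
    server_cert_verified: bool  # client verified the service it is talking to (server side of mTLS)
    network: str                # "corporate" or "internet"; deliberately ignored by the policy


# Hypothetical allow-list, constructed for this example: role -> resource -> permitted actions.
# Anything not listed here is denied (least privilege, deny by default).
POLICY = {
    "clinician": {"ehr/patient-records": {"read", "write"}},
    "billing":   {"ehr/patient-records": {"read"}, "finance/invoices": {"read", "write"}},
}


def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Every request is evaluated; network location grants nothing."""
    if not req.identity.mfa_verified:
        return False, "identity not strongly verified"
    if not (req.device.enrolled and req.device.compliant):
        return False, "device not validated"
    if not (req.device.client_cert_valid and req.server_cert_verified):
        return False, "mutual authentication incomplete"
    permitted = set()
    for role in req.identity.roles:
        permitted |= POLICY.get(role, {}).get(req.resource, set())
    if req.action not in permitted:
        return False, f"'{req.action}' on '{req.resource}' not explicitly granted"
    return True, "allowed"


def sample_requests():
    """Constructed sample requests covering an allow and the three main deny paths."""
    nurse = Identity("nurse01", mfa_verified=True, roles=frozenset({"clinician"}))
    clerk = Identity("clerk02", mfa_verified=True, roles=frozenset({"billing"}))
    managed_laptop = Device("lt-100", enrolled=True, compliant=True, client_cert_valid=True)
    byod_phone = Device("ph-200", enrolled=False, compliant=False, client_cert_valid=False)
    return {
        # clinician working from home on a managed laptop: allowed
        "clinician_home": AccessRequest(nurse, managed_laptop, "ehr/patient-records", "write", True, "internet"),
        # same clinician on an unmanaged phone, even on the corporate LAN: denied
        "clinician_byod_lan": AccessRequest(nurse, byod_phone, "ehr/patient-records", "read", True, "corporate"),
        # billing clerk may read records but not write them: least privilege
        "clerk_write": AccessRequest(clerk, managed_laptop, "ehr/patient-records", "write", True, "corporate"),
        # service certificate not verified by the client: mutual authentication fails
        "no_server_check": AccessRequest(clerk, managed_laptop, "finance/invoices", "read", False, "corporate"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

The point of the example is the order and the absence of shortcuts: the `network` field is carried in the request but never consulted, so a device on the corporate LAN gets exactly the same checks as one on the public internet, and an action is only allowed when it appears in an explicit grant for one of the subject's roles.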

Getting ready for certification under the old version

Already started implementing NEN 7510 based on the older version? No worries: you are not doing unnecessary work.

NAALA's toolkit is built on ISO 27001:2022 and NEN 7510:2017. Since the new version of NEN 7510 is also based on the 2022 edition of ISO 27001, most of the updated requirements are already covered. Some changes have not yet been fully addressed, but these are minor and will not require a complete overhaul of your processes.

Don't know where to start? Begin by performing a gap analysis as soon as the formal text is released.

Not sure how to handle the new version or have questions? Feel free to reach out to us. We’re happy to help and work with you to navigate compliance with the updated version.

How to transition to the new version

If your organisation is certified under the current version of NEN 7510, it is time to plan for the transition. The revised NEN 7510 is expected to be published by the end of 2024. Once the new standard is officially released, organisations will have one year to implement it. For those already certified, a transition period will likely be set, requiring re-certification within two years of publication.

Here’s how to approach the transition:

  1. Understand the new requirements: Carefully review the new controls and changes to assess how they affect your current ISMS. Conduct a gap analysis between the old and new standards to identify the areas that need updating; this analysis is the basis for a smooth transition.
  2. Create a transition plan: Based on the gap analysis, develop a transition plan that sets out what needs updating, who is responsible, the deadlines, and how progress will be tracked. Document everything, so you can show auditors that you are actively working on the transition.
  3. Update your ISMS: Implement the adjustments to your policies and procedures set out in your transition plan, so that your ISMS aligns with the new version of NEN 7510.

Tip: While conducting your gap analysis, take the opportunity to evaluate your entire ISMS, not just the new requirements. This ensures that your ISMS is fully ready for the upcoming version and the audit.

If managing the transition feels overwhelming, you can also engage an external party, such as NAALA, to perform a full gap analysis and develop a concrete plan, so that you are fully prepared to meet the new version's requirements.

NAALA to the rescue

Transitioning to a new standard can be challenging, but NAALA is here to guide you through every step. We offer:

  • Gap analysis and transition plans: NAALA can conduct a gap analysis that not only evaluates your compliance with the new NEN 7510 requirements but also checks that your entire ISMS meets the standard. From there, we create a phased transition plan to help you implement the new standard and prepare for the transition audit.
  • NAALA's DIY-ISMS toolkit: Our toolkit includes all the documentation and guidance needed to implement an ISMS according to NEN 7510. It integrates into your existing workflows, making compliance easier.
  • Officer-as-a-Service: Get ongoing support from a dedicated Information Security Officer who oversees your compliance, conducts audits, and keeps your ISMS up to date with the latest regulations. This service also covers the transition to the new version of NEN 7510: our Information Security Officer identifies what needs to change for compliance with NEN 7510 and ensures that these changes are implemented and overseen by an expert with in-depth knowledge of information security in the healthcare sector.

Interested in learning more? Visit NAALA Information Security

Questions? We are happy to discuss your specific case.
