Information security is a complex topic for many organizations, especially when it comes to standards and certifications. NEN standards provide a clear framework: they describe what good information security looks like and how an organization can demonstrate it. In this article, we answer the most frequently asked questions about NEN standards for information security, so you know exactly where you stand.
Which NEN standards exist for information security?
The most important NEN standards for information security are NEN-ISO/IEC 27001, NEN-ISO/IEC 27002, and NEN 7510. NEN-ISO/IEC 27001 is the international standard for information security management systems (ISMS) and applies to all sectors. NEN-ISO/IEC 27002 provides additional guidelines for security controls. NEN 7510 was developed specifically for the Dutch healthcare sector.
In addition to these three standards, there is also a range of supplementary standards within the ISO/IEC 27000 family, such as NEN-ISO/IEC 27005 for risk management and NEN-ISO/IEC 27017 for cloud security. Each standard focuses on a specific aspect of information security, but they are all built around the same principle: systematically protecting information against unauthorized access, loss, and misuse.
For most organizations outside of healthcare, NEN-ISO/IEC 27001 serves as the starting point. This standard describes the requirements for establishing, implementing, maintaining, and continuously improving an ISMS. NEN-ISO/IEC 27002 is often used alongside it as a practical guide for selecting and implementing concrete security controls.
How does NEN-ISO/IEC 27001 differ from NEN 7510?
The key difference lies in the target audience: NEN-ISO/IEC 27001 is a universal standard applicable to all organizations worldwide, while NEN 7510 was developed specifically for organizations that handle patient data in the Dutch healthcare sector. NEN 7510 builds on the principles of ISO/IEC 27001 but adds sector-specific requirements aligned with Dutch healthcare legislation.
In practice, this means the following:
- NEN-ISO/IEC 27001 is broadly applicable and internationally recognized. Any organization — from a manufacturing company to a technology firm — can obtain certification against this standard.
- NEN 7510 applies exclusively to the healthcare sector and imposes additional requirements around the protection of medical and personal health data.
- Healthcare organizations that implement NEN 7510 will, in doing so, largely meet the requirements of NEN-ISO/IEC 27001 as well, since the two standards overlap significantly in content.
For organizations outside of healthcare, NEN 7510 is not relevant. Those active in industry, logistics, or manufacturing look to NEN-ISO/IEC 27001 as the leading standard for information security.
Why are NEN standards for information security important?
NEN standards for information security are important because they provide organizations with a proven framework for systematically protecting information, managing risks, and demonstrably complying with laws and regulations such as the GDPR. They build trust with customers and partners and help prevent costly data breaches and disruptions.
Specifically, NEN standards offer the following benefits:
- Risk reduction: A structured approach ensures that vulnerabilities are identified and addressed in a timely manner.
- Legal compliance: Many laws and regulations, including the GDPR and the NIS2 Directive, closely align with the requirements of NEN-ISO/IEC 27001.
- Competitive advantage: Certification demonstrates that an organization takes information security seriously — something that is increasingly required in tenders and partnerships.
- Internal structure: Standards compel organizations to clearly document responsibilities, processes, and procedures.
In 2026, the pressure on organizations to demonstrably have their information security in order will continue to increase. Both clients and regulators expect companies to be able to show how they handle the protection of sensitive information. NEN standards provide a widely recognized and credible reference framework for doing so.
How do you obtain NEN certification for information security?
NEN certification for information security is obtained by establishing an information security management system (ISMS) that meets the requirements of the relevant standard, implementing that system, and having it assessed by an accredited certification body. The process consists of multiple phases and requires a structured approach.
The steps to obtain NEN-ISO/IEC 27001 certification are as follows:
- Define the scope: Determine which parts of the organization fall within the ISMS.
- Conduct a risk assessment: Identify information security risks and determine which controls are needed to manage them.
- Implement security controls: Apply the selected controls at the technical, organizational, and procedural level.
- Prepare documentation: Record policies, procedures, and responsibilities in ISMS documentation.
- Conduct an internal audit: Verify internally that the ISMS is functioning as intended.
- Request an external audit: An accredited certification body conducts a Stage 1 and Stage 2 audit.
- Receive and maintain the certificate: Upon successful completion, you receive the certificate, which is maintained through annual surveillance audits and renewed every three years.
Achieving certification takes time and effort, but building a well-functioning ISMS also delivers significant internal benefits: greater awareness, clearer processes, and better control over security risks.
Who is responsible for information security within an organization?
Information security is a shared responsibility, but ultimate accountability rests with the board or senior management of an organization. They set policy, allocate resources, and ensure that information security is structurally embedded in business operations. Operational execution is typically assigned to an Information Security Officer (ISO) or Chief Information Security Officer (CISO).
In practice, multiple roles are involved in information security:
- Senior management: Bears ultimate responsibility, sets policy, and demonstrates leadership in the area of information security.
- ISO or CISO: Coordinates the day-to-day implementation of the information security policy and monitors compliance with NEN standards.
- IT department: Implements and manages technical security controls.
- Employees: Everyone within the organization has a role in adhering to security policies and reporting incidents.
- Process owners: Owners of business processes are responsible for information security within their own domain.
NEN-ISO/IEC 27001 explicitly requires that senior management be involved in the ISMS and that responsibilities be clearly assigned. A standard like NEN-ISO/IEC 27001 works best when information security is seen not merely as an IT issue, but as an organization-wide priority supported at every level.
How BKRS helps with NEN certification for information security
The path to NEN certification requires the right knowledge, structure, and guidance. BKRS supports organizations at every step of this process: from the initial gap assessment through to the successful completion of the external audit.
What BKRS can do for your organization:
- Baseline assessment and gap analysis: Gain insight into the current state of your information security and what is still needed to meet the NEN standard.
- Implementation support: Practical assistance with setting up and configuring an ISMS tailored to your organization.
- Documentation and policy: Drafting the required policy documents, procedures, and accountability structures.
- Preparation for the external audit: Internal audits and guidance so you enter the certification audit fully prepared.
- Ongoing support: Even after certification, BKRS helps you maintain and improve your ISMS.
Want to know how BKRS can guide your organization toward NEN certification? Get in touch and discuss the possibilities with no obligation.
Frequently Asked Questions
How long does it typically take to become NEN-ISO/IEC 27001 certified?
The timeline varies considerably depending on the organization, but you should generally allow between 6 and 18 months. This depends on the size of the organization, the current maturity of its information security, and the available capacity. Thorough preparation and support from an external advisor can significantly speed up the process.
What does NEN-ISO/IEC 27001 certification cost?
The costs consist of two components: the internal costs of implementation (time, personnel, and any external guidance) and the external audit fees charged by the certification body. For a mid-sized organization, total costs typically range between €15,000 and €50,000, depending on the scope and complexity. Be sure to also account for annual surveillance audit costs to maintain the certificate.
Is every organization legally required to be NEN certified?
A legal obligation to obtain certification does not exist for most organizations, but pressure from clients, tender requirements, and regulators is growing rapidly. Organizations that fall under the NIS2 Directive or work with sensitive (health) data have little choice in practice. For other organizations, certification is strongly recommended as proof of demonstrable information security.
What is the difference between NEN-ISO/IEC 27001 and the GDPR?
The GDPR is legislation that requires organizations to protect personal data, while NEN-ISO/IEC 27001 is a standard that describes a management system for broader information security. The two complement each other well: a properly implemented ISMS based on ISO/IEC 27001 helps organizations demonstrably meet many GDPR requirements, but does not fully replace GDPR obligations.
