ISO 27001 and NEN 7510 for SMBs — without consultants
What certifications really demand of you, how to prepare for an audit, and why 80% of the gain sits in the first 20% of the work.
All articles in this category: 12 articles
NIS2 and SMEs: does your business fall under the directive?
NIS2 is the successor to NIS1 and significantly widens the scope. Many SMEs in "ordinary" sectors now suddenly qualify as essential or important entities.
Compliance
DORA for SMB Suppliers to Financial Institutions
From January 2025, every bank, insurer, or investment fund expects its suppliers to be DORA-compliant. As an SMB supplier, those requirements will land in your contracts.
Compliance
ISO 27001 costs: from initial gap analysis to certificate
A realistic budget breakdown for a 30-person SMB. Internal hours, external audit, consultancy (kept to a minimum), and annual maintenance. No marketing fluff.
Compliance
ISO 27001 or SOC 2? Which one fits your Dutch SMB?
ISO 27001 is Europe-oriented, SOC 2 is American. Which one do your clients actually need — and can you combine them? Here's the practical difference for an SMB.
Compliance
NEN 7510 for healthcare businesses: a step beyond ISO 27001
Do you work in or with healthcare? Then NEN 7510 — alongside or instead of ISO 27001 — is a real requirement. The overlap is significant; the differences lie in patient data and specific Annex controls.
Compliance
The management review: what goes in it and who takes part?
One of the clause-9 requirements of ISO 27001. Annual, with senior management, 2 hours. Here is the agenda that an auditor will accept — and that works as a practical exercise for you.
Compliance
The PDCA Cycle Explained for Managers
Plan-Do-Check-Act sounds bureaucratic. In practice it means: write down what you do, do it, check whether it works, adjust accordingly. Here's the shortest useful explanation.
Compliance
Setting up an incident log that auditors trust
An empty incident log is a red flag for auditors. It doesn't mean nothing went wrong — it means you're not recording it. Here's how to set up a log that actually works.
Compliance
ISO 27001 pre-audit checklist: 2 weeks before Stage 2
Stage 2 is two weeks away. This 22-point checklist covers everything auditors typically ask for — if even one box is missing, fix it now.
Compliance
An ISO risk register that works (and doesn't look like a consultant export)
A risk register doesn't have to be a 300-row spreadsheet. For an SMB, 30–60 risks is realistic. Here's a format that survives an audit and is actually useful day to day.
Compliance
What is an ISMS and where do you start?
Information Security Management System — it sounds bigger than it is. For an SMB, it's a set of documents and routines, not a platform you install somewhere.
Compliance
ISO 27001 Annex A.9: What the Auditor Really Wants to See
Annex A.9 — Access Control — is the most demanding of the 14 sections. Here's a practical breakdown per sub-control: A.9.1 through A.9.4, with what actually works as evidence in an SMB context.