#iso-27001
14 articles on this topic
Evidence for access reviews: what to keep and where
A review without evidence is, as far as an auditor is concerned, a review that never happened. Here's what to retain, in what format, and for how long.
[PDF redaction] Audit trail for redaction: what to log, why, and how long?
An auditor walks in and asks: "show us how you anonymised client data for report X." Without an audit trail, you have nothing to show. Here's what to log.
[Compliance] ISO 27001 costs: from initial gap analysis to certificate
A realistic budget breakdown for a 30-person SMB. Internal hours, external audit, consultancy (kept to a minimum), and annual maintenance. No marketing fluff.
[Compliance] ISO 27001 or SOC 2? Which one fits your Dutch SMB?
ISO 27001 is Europe-oriented, SOC 2 is American. Which one do your clients actually need — and can you combine them? Here's the practical difference for an SMB.
[Access reviews] Periodic access reviews: process, frequency, and audit evidence
An access review is an audit requirement that nearly every SMB struggles with. Once you set it up properly the first time, the second round won't cost you a whole week.
[Compliance] NEN 7510 for healthcare businesses: a step beyond ISO 27001
Do you work in or with healthcare? Then NEN 7510 — alongside or instead of ISO 27001 — is a real requirement. The overlap is significant; the differences lie in patient data and specific Annex controls.
[Compliance] The management review: what goes in it and who takes part?
One of the clause-9 requirements of ISO 27001. Annual, with senior management, 2 hours. Here is the agenda that an auditor will accept — and that works as a practical exercise for you.
[Compliance] The PDCA Cycle Explained for Managers
Plan-Do-Check-Act sounds bureaucratic. In practice it means: write down what you do, do it, check whether it works, adjust accordingly. Here's the shortest useful explanation.
[Compliance] Setting up an incident log that auditors trust
An empty incident log is a red flag for auditors. It doesn't mean nothing went wrong — it means you're not recording it. Here's how to set up a log that actually works.
[Compliance] ISO 27001 pre-audit checklist: 2 weeks before Stage 2
Stage 2 is two weeks away. This 22-point checklist covers everything auditors typically ask for — if even one box is missing, fix it now.
[Compliance] An ISO risk register that works (and doesn't look like a consultant export)
A risk register doesn't have to be a 300-row spreadsheet. For an SMB, 30–60 risks is realistic. Here's a format that survives an audit and is actually useful day to day.
[Compliance] What is an ISMS and where do you start?
Information Security Management System — it sounds bigger than it is. For an SMB, it's a set of documents and routines, not a platform you install somewhere.
[Compliance] ISO 27001 Annex A.9: What the Auditor Really Wants to See
Annex A.9 — Access Control — is the most demanding of the 14 sections. Here's a practical breakdown per sub-control: A.9.1 through A.9.4, with what actually works as evidence in an SMB context.
[Compliance] ISO 27001 for SMBs without €50k in consultancy fees
ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.