The differences between ISO 27001 and NEN 7510
Increased digitization is increasing the importance of online information security. Meanwhile it’s also vital to keep offline documents secure. Naturally we don’t want confidential information like personal health details to fall into the wrong hands. ISO 27001 and NEN 7510 are familiar standards that set rules and guidelines for handling this information. Although both standards are very similar, they do differ. This blog offers you more information about ISO 27001 and NEN 7510, and how they differ.
ISO 27001
ISO 27001
is the global standard for information security. It provides guidelines and structure for establishing a management system for information security, for both offline and online information. The information management risks are minimized through measures. Examples include passwords for digital files, or keys for cabinets holding physical files. Measures for controlling these risks can be found in ISO 27002, an annex to ISO 27001.
NEN 7510
NEN 7510
is a national standard in the Netherlands, aimed specifically at organizations working with personal health information. That means the standard is intended particularly for healthcare institutions and suppliers to healthcare companies. This includes not just information that an organization stores internally, but also data that healthcare institutions exchange among themselves. One example might be a general practitioner transferring a patient file to a hospital. The NEN 7510 structure is almost identical to that of ISO 27001. The standard comprises two parts. The first covers the guidelines for a good information management system, while the second expands on the first.
The differences
What variances are there between ISO 27001 and NEN 7510? One of the main differences is the scope of the standards. ISO 27001 is an international standard developed by the ISO (International Organization for Standardization). NEN 7510 however is based on ISO 27799 and was developed by NEN (the Royal Netherlands Standardization Institute) and is only effective in the Netherlands. ISO 27001 is also suitable for many different organizational types. NEN 7510 only applies to healthcare institutions and custodians of personal health information. That concentrates its focus on personal health information, while ISO 27001 focuses on all confidential information within the organization. The more in-depth NEN 7510 also contains extra additions, of measures specific to healthcare.
The standard for your organization
Which standard is most suitable for your organization? As a rule of thumb, if you work at a healthcare organization you should opt for NEN 7510. If you’re not working in healthcare but you do work with personal health information, for example, as an IT organization with a healthcare organization as a client? Then you would do well to comply with both ISO 27001 and NEN 7510. To be certified against NEN 7510 as an administrator, you show the way you handle this health data, and what activities, products or services are involved. One way of doing this is by using a processor agreement. You must also indicate what healthcare-specific control measures you take to manage this information securely. If you don’t have healthcare customers but you do manage confidential information? Then ISO 27001 is appropriate. Want to know more about information security at DEKRA? Find out
here​.