ISO 27001 certification
From scope to certification audit: a practical route to a workable ISMS that auditors can follow.
Read moreISO certification, explained clearly
Practical guidance for teams building an audit-ready ISMS and navigating ISO 27001, NIS2, GDPR, and information security expectations.
Readiness preview
Indicative
Scope80%
Risk analysis60%
Evidence42%
Audit readiness28%
Where do you want clarity?
Pick your route — primary topics for certification and regulation; compact links for hosting, supply chain, and the scan.
NIS2 obligations
Governance, supply chain, and incident notification: what NIS2 means for your organisation and vendors.
Read moreGDPR & privacy
Align privacy, data flows, and processors with your security narrative and audit evidence.
Read moreBuild an ISMS
Policy, roles, risks, and evidence: the building blocks every certification audit expects.
Read moreFrom orientation to audit-ready
A clear path: less noise, more evidence — aligned with how auditors assess an ISMS.
- 1
Understand the requirements
Translate the standard, laws, and contract clauses into concrete obligations for your scope.
- 2
Define scope and risks
Document scope, stakeholders, and risk treatment as the backbone of your ISMS and SoA.
- 3
Implement policy and controls
Connect policy to roles, processes, and controls — workable in the line, not only on paper.
- 4
Collect documentation and evidence
Traceable decisions, registers, and examples that match how you actually operate.
- 5
Prepare for the audit
Sampling, storyline, and evidence pack: show the ISMS runs and improves (PDCA).
Compare the core topics
What is it, when does it matter, and where do you start?
- What is it?
- A certifiable information security management system (ISMS) aligned with the international standard.
- When is it relevant?
- When you need demonstrable control over confidentiality, integrity, and availability — often required by customers and contracts.
- Where do you start?
- Start with context and scope, then risk assessment and Annex A control selection.
- What is it?
- EU legislation focused on cyber risk, governance, and the supply chain.
- When is it relevant?
- Relevant for essential/important entities and frequently for vendors bound by contractual chain requirements.
- Where do you start?
- Confirm applicability, roles (e.g. CISO/accountable executive), and a proportionate control set with evidence.
- What is it?
- The EU GDPR: rules for personal data processing and data subject rights.
- When is it relevant?
- Always relevant when you process personal data; often combined with ISO 27001 for security and privacy.
- Where do you start?
- Document processing activities and retention; map processors and DPIAs to your risks.
- What is it?
- The information security management system: policy, processes, roles, and evidence.
- When is it relevant?
- When you must show the “system” works — not only isolated documents or tools.
- Where do you start?
- Move from context and stakeholders to risks, objectives, and a controlled control baseline (e.g. Statement of Applicability).
Practical tools and checklists
Concrete next steps: scan, checklist, or quick scan — each with a clear follow-up.
Readiness scan
Understand maturity and priorities on the path to ISO 27001 and audit.
Start scan ↗Internal audit checklist
Work systematically towards sampling, interviews, and a coherent evidence pack.
Open checklistNIS2 quick scan
Fast view on applicability, roles, and the highest-impact obligations.
View topicVendor check
Due diligence, contracts, and monitoring: keep supply-chain risk under control.
Open checklistWant to move beyond reading and start working toward certification?
ISO Ready helps you manage actions, evidence, risks, and audit prep in one place so you can progress with intent.
Insights
News and analysis on ISO, NIS2, EU regulation and audit readiness.
Data sovereignty in 2026: more than “data is in the EU”
Customers and supervisors ask for data sovereignty. What must you prove about regions, logging, support access and subprocessors?
Read article →
ISO 27001 surveillance in 2026: where auditors look harder
Recertification and surveillance are about proof of operation. These themes show up more often in Dutch audits in 2026.
Read article →
EU AI Act and ISO 42001: a practical route for Dutch organisations
AI governance is becoming a board topic. How to align EU AI Act duties with ISO 42001 and your existing ISMS.
Read article →
Cyber Resilience Act: impact on Dutch suppliers and customers
The CRA embeds product security in the EU supply chain. What does that mean for software vendors, integrators and buyers in the Netherlands?
Read article →
NCSC and SMEs: baseline controls remain the fastest win in 2026
Threat levels stay high, yet many SMEs gain ground by applying NCSC-style baselines with clear ownership per risk area.
Read article →
NIS2 in 2026: what essential and important entities must demonstrate now
NIS2 implementation deadlines are here. What do regulators and supply-chain partners expect from Dutch organisations in 2026?
Read article →