Difference between NEN 7510 and ISO 27001: when do you choose which?

Difference between NEN 7510 and ISO 27001

Information security is not just about technology or policy, but primarily about demonstrability. Two standards set the direction in this regard: NEN 7510 and ISO 27001. They look very similar, but differ in purpose, scope, and obligation.

NEN 7510 was developed for Dutch healthcare and is explicitly mentioned in the Decision on electronic data processing by healthcare providers. Anyone working with patient data must be able to demonstrate that processes meet this standard. The emphasis is on confidentiality, availability and integrity of healthcare information - including logging, access management and transfer.


ISO 27001, in contrast, is the international standard for information security across all sectors. It lays the foundation for an Information Security Management System (ISMS) that is globally recognized. Organizations outside of healthcare, or those with international partners, use this standard to audit and certify their management measures.

Although both standards have a lot of overlap, their application is different:

  • NEN 7510: care-specific, legally recognized in the Netherlands, linked to patient safety.
  • ISO 27001: generic, internationally applicable, focused on risk management in a broad sense.

Since 2024, NEN 7510:2024 has been the current edition, with NCS 7510:2025 as the new certification scheme. For ISO 27001:2022, the transition period runs until October 31, 2025; after that, all certificates on the older 2013 version will expire.

Scope and Legal Status: Healthcare-Specific Versus International

The main difference is in the legal basis.
NEN 7510 is not a voluntary guideline. The standard has been established by the government as a mandatory reference for healthcare providers and their IT service providers. The Health and Youth Care Inspectorate (IGJ) and the Dutch Data Protection Authority (AP) refer to it during supervision and enforcement. Organizations must demonstrate that they apply the standard or explain why a measure is not appropriate.

ISO 27001, on the other hand, carries no legal obligation, but enjoys global recognition. The standard is used for suppliers, international audits, and due diligence processes. For Dutch healthcare organizations, this often means that ISO 27001 forms the basis and NEN 7510 is applied on top of it with additional care-specific requirements.

In practice, this results in a hybrid approach: one ISMS compliant with ISO 27001, expanded with additional security measures from NEN 7510. Consider procedures for patient record keeping, logging (NEN 7513), and secure data exchange (NEN 7512).

Structure and Content: NEN 7510-1 / -2 versus ISO 27001 / 27002

Although both standards serve the same purpose – ensuring information security – they differ in structure and level of detail.

NEN 7510 consists of two parts:

  • NEN 7510-1 contains the requirements an organization must meet to be certified.
  • NEN 7510-2 provides guidelines for implementation, similar to what ISO 27002 does for ISO 27001.

The structure of NEN 7510-1:2024 follows the High-Level Structure (HLS) which is also used by ISO standards. This ensures that the standard aligns well with other management systems, such as quality (ISO 9001) or continuity (ISO 22301).

The difference lies in the care-specific context. Where ISO 27001 describes generic controls, NEN 7510 emphasizes patient information, electronic data exchange (NEN 7512), and logging (NEN 7513).

In practice, this means:
ISO 27001 defines how you organize information security;
NEN 7510 specifies what concrete things need to be arranged in healthcare.

Annex A of ISO 27001:2022 has 93 controls, rearranged around themes such as organizational, people, physical, and technological controls. NEN 7510 translates these into healthcare processes: access control for electronic health records, verification of healthcare communication, and traceable logging during data transfer.

This setup allows organizations to combine both standards. Thus, an ISMS can be certified against ISO 27001 and comply with NEN 7510-1 at the same time, as long as the healthcare-specific requirements are integrated.

Certification, accreditation and deadlines

The method of certification differs significantly.

NEN 7510 is tested under the Dutch Conformity Scheme (NCS 7510). Only certifying institutions accredited by the Council for Accreditation (RvA) can perform these audits. Since 2025, NCS 7510:2025 has been in effect; the scheme outlines how auditors test for both the ISO HLS structure and healthcare-specific requirements.

The audit focuses not only on policy, but also on demonstrability in processes. This includes logging, access control, and the transfer of patient information. Each component must be substantiated with evidence, such as process descriptions, system logs, or contractual agreements with suppliers.

For ISO 27001, an international framework applies via the International Accreditation Forum (IAF). The current edition, ISO 27001:2022, completely replaces the 2013 version. The transition deadline is October 31, 2025: after that, older certificates are no longer valid. New or renewed certificates must therefore be based on the 2022 structure and the corresponding 93 controls from ISO 27002:2022.

Organizations wishing to combine both certifications often opt for one integrated audit. In this case, ISO 27001 forms the main structure, and NEN 7510 is added as a sector-specific extension. This saves time but requires careful planning, as the NCS scheme imposes additional requirements on auditor competence and reporting.

Best practices and common mistakes

Organizations that combine both standards find that success primarily depends on coherence. Treating NEN 7510 and ISO 27001 as two separate processes quickly leads to duplicated effort. Integrating them into a single management system provides overview and consistency.

A proven approach is to start with the ISO structure as a foundation. ISO 27001 clearly describes how policies, risks, and improvement actions are structured. From that basis, you add the care-specific measures of NEN 7510. Think of logging requirements from NEN 7513, or rules around secure data exchange from NEN 7512.

What often goes wrong in practice is that care organizations translate the standard into policy, but not into behavior. Auditors, however, test based on auditability. Just having policies is not enough: process steps, responsibilities and evidence (e.g., system logs or change records) must also be available.

A second pitfall is neglecting suppliers. ISO 27001 requires risk assessment throughout the entire chain, and NEN 7510 specifically emphasizes the continuity of care chains. When suppliers are not included in the ISMS scope, an audit gap arises.

Finally, timing turns out to be crucial. The ISO transition to the 2022 edition must be completed no later than October 31, 2025. At the same time, healthcare auditors are now working with the new NCS 7510:2025 scheme. Organizations that plan both processes smartly avoid double audit days.

Checklist: audit-proof integration

A compact checklist helps to keep a grip on the requirements:

  • Inventory the current certificates and their edition (ISO 27001:2013 or 2022, NEN 7510:2017 or 2024).
  • Plan the transition audit well before the ISO deadline of October 31, 2025.
  • Use one integrated risk assessment for both ISO and NEN.
  • Refer explicitly in policy and procedures to healthcare-specific components (NEN 7512 / 7513).
  • Check whether the chosen certifying body is RvA-accredited for the NCS 7510 scheme.
  • Record audit evidence: log files, training records, and vendor contracts.

These steps form the basis for an audit-proof combination of both standards, without overlap or gaps.

The choice between NEN 7510 and ISO 27001 is not a matter of either/or.
Those who manage patient information benefit from an approach that combines both standards.
Those who want to gain insight into what that integration looks like in their own organization can contact Risguard for a cross-mapping matrix that links NEN 7510 requirements to ISO 27001 controls and the upcoming audit deadlines.
