News

ISO 27001 Stappenplan
ISO 27001 Stappenplan: Van Nulmeting Naar Certificaat in 2026
Praktisch ISO 27001 stappenplan in 10 fases: van nulmeting via risicoanalyse en Statement of Applicability...
Read More
Claude
With one update, 500,000 lines of source code leaked. How can this happen? 
Large investments vs. simple mistakes The recent incident at Anthropic,...
Read More
odido
What we can learn from the Odido hack
An ounce of prevention is worth a pound of cure Cyber incidents like ShinyHunters' attack on Odido attract a lot of...
Read More
Difference between ISAE 3402 type 1 and type 2
ISAE 3402 Type 1 vs. Type 2: The Difference and Which One to Choose
The two variants of ISAE 3402 reporting are often mentioned in tenders and assurance processes,...
Read More
Difference between NEN 7510 and ISO 27001
Difference between NEN 7510 and ISO 27001: when do you choose which?
Information security is not just about technology or policy, but especially about demonstrability. Two...
Read More
ISAE 3402 and ISA 3000 are both international standards for assurance engagements, but they are used in different contexts.**ISAE 3402 (International Standard on Assurance Engagements 3402)** is a standard specifically designed for assurance reports on controls at a service organization. This means it's used when a company (the service organization) provides services to other companies (the user entities), and the user entities need assurance that the service organization has adequate controls in place to manage the risks associated with those services. For example, a cloud service provider or a payroll processing company would typically undergo an ISAE 3402 audit. The report is often used by user entities' auditors to understand and rely on the controls at the service organization.**ISA 3000 (International Standard on Auditing 3000)** is a broader standard that applies to assurance engagements other than audits or reviews of historical financial information. This means it can be used for a wider range of assurance services, such as:* Assurance on a company's sustainability reports.* Assurance on the effectiveness of internal controls over financial reporting (when not specifically covered by ISAE 3402).* Assurance on forecasts and projections.* Assurance on compliance with laws and regulations.**Key Differences Summarized:*** **Scope:** ISAE 3402 is specifically for service organizations' controls. ISA 3000 is for a much broader range of assurance engagements.* **Purpose:** ISAE 3402 is primarily used to provide assurance to user entities (and their auditors) about the controls at a service organization. ISA 3000 is used to provide assurance on various non-financial or other types of information.* **Target Audience:** ISAE 3402 reports are typically for user entities and their auditors. ISA 3000 reports can have a wider audience depending on the nature of the assurance engagement.In essence, ISAE 3402 can be seen as a specialized application of the principles found in ISA 3000, tailored for the specific context of service organizations.
ISAE 3402 vs. ISAE 3000: The Difference and Which One to Choose
ISAE 3402 vs ISAE 3000: Who is responsible for assurance within an organization, sooner or later...
Read More
Security awareness: from training to demonstrable behavior
Security awareness: from training to demonstrable behavior
Security awareness is not a mandatory course that you tick off once a year. It is the measurable link...
Read More
NEN 7510 checklist
NEN 7510 checklist: Step-by-step plan for healthcare organizations
What do we mean by an ‘NEN 7510 checklist’? The term NEN 7510 checklist sounds like there's a ready-made...
Read More
Business Continuity Plan
Business Continuity Plan: Need assurance for IT incidents?
When an organization is unexpectedly faced with a cyberattack or a major outage, the...
Read More
NIS2 & BIO
BIO & NIS2: Audit-ready guides for government security
Government cybersecurity regulations are becoming increasingly strict. The new European NIS2 directive and the...
Read More
DORA Checklist 2025
DORA checklist 2025 – Meet all requirements
DORA is an EU regulation that aims to strengthen the digital resilience of financial institutions...
Read More
NIS2 gap analysis
NIS2 gap analysis: preparing for the new cyber law
Starting October 2024, many organizations will have to comply with a new European cyber law: the NIS2 Directive....
Read More
ISO 27001 and NIS2
NIS2 vs ISO 27001: differences and overlap
Cybersecurity regulations are changing rapidly. Many organizations are therefore concerned about NIS2, the new...
Read More
DORA Gap Analysis
DORA Gap Analysis: Action Plan
As of January 2025, the Digital Operational Resilience Act (DORA) will apply within the financial sector. Institutions...
Read More
Business Impact Analysis
Business Impact Analysis: Clear Step-by-Step Plan for IT Risk and Security
If something goes wrong within your organization, for example due to a malfunction or cyberattack, one question is...
Read More
NIS2
NIS2 certification doesn't exist – here's how to demonstrate compliance
Many organizations mistakenly believe they need to obtain a NIS2 certificate. This is understandable, but incorrect...
Read More
NIS2 checklist
NIS2 checklist: implementation, audit, and governance
NIS2, the new European directive on cybersecurity, sets strict requirements for companies and organizations...
Read More
ISO 27001 risk analysis
ISO 27001 Risk Assessment – Step-by-Step Plan, Tools, and Best Practices
Information security risks pose a growing threat to organizations. A risk analysis according to...
Read More
ISO 27001 and ISAE 3402
ISAE 3402 vs ISO 27001: Differences & Which Do You Need?
Many organizations face a choice: ISAE 3402, ISO 27001, or perhaps both? Both standards are...
Read More
ISO 27001 certification costs
ISO 27001 Certification Costs: Complete Overview
An ISO 27001 certification never comes with a fixed price tag. The total cost depends on several factors...
Read More
DigiD Audit Pentest
DigiD Pentest: What it is, why it's necessary, and how to prepare
A fixed part of the DigiD audit is the DigiD Pentest: a technical test where security...
Read More
TPM Statement
What is a TPM statement? 
A TPM statement (Third-Party Management statement) is a formal document drafted by...
Read More
DigiD Audit
The annual DigiD audit: What does that process look like from start to finish?  
The DigiD audit is an annual audit required for organizations with a DigiD connection...
Read More
SOC 2 and ISAE 3402
What is the difference between SOC 2 and ISAE 3402?: Which is right for your organization?
Organizations working with sensitive customer data or financial processes must be able to demonstrate that...
Read More
Writing a correct control measure
Writing a correct control measure 
Describing good controls in your risk and control matrix (RCM) sometimes feels like...
Read More