ISO 27001 Certification
In the Dutch business landscape of 2026, ISO 27001 is no longer just a "nice-to-have" certificate for your lobby. With the Cyberbeveiligingswet (CbW), the Dutch transposition of NIS2, now in force, ISO 27001 has become the primary defensive shield for directors: it is the most widely recognized way to demonstrate that you have met your legal "duty of care" for information security. Keep in mind that the certificate is evidence of a working Information Security Management System (ISMS), not a stand-alone proof of CbW compliance; you still have to show how the CbW obligations map onto your risk assessment and controls.
Whether you are certifying for the first time or finalizing your transition to the ISO 27001:2022 standard, focus on the controls that actually move the needle, both for your security posture and for your auditors.
The "Management Clauses" (Clauses 4 to 10 of the standard: context, leadership, planning, support, operation, performance evaluation and improvement) are the heartbeat of your ISMS. If these are weak, the rest of your security is just "theater."
Signing a policy is not enough. Auditors in 2026 are looking for evidence of active leadership: management reviews (Clause 9.3) with recorded decisions, risk treatment plans with owners and budgets, and demonstrable follow-up on internal audit findings.
Forculus Pro-Tip: Don't let your ISMS live in a silo. Integrate your Information Security Policy into your broader business strategy. When the board reviews quarterly financial targets, they should also be reviewing your Residual Risk levels. If security isn't part of the business reporting cycle, you aren't truly ISO-compliant.
The 2022 revision consolidated the 114 Annex A controls into 93, organized into four themes (organizational, people, physical and technological). Forculus identifies these "High-Impact" areas that Dutch firms often miss:
Organizational & People Controls
· Threat Intelligence (A.5.7): You are now required to collect and analyze information about information security threats, and the auditor will expect to see that the resulting intelligence actually feeds your risk assessment and your technical controls (for example vulnerability prioritization and detection rules), not just a subscription to a feed.
· Cloud Services Security (A.5.23): You must define specific security requirements for acquiring, using, managing and exiting cloud services, and apply them to every provider, whether Azure, AWS or a local Dutch host. Contracts, shared-responsibility agreements and exit plans are the evidence auditors ask for.
· Screening (A.6.1): Ensure your VOG (Verklaring Omtrent het Gedrag) process is documented for all personnel in sensitive roles, and that the depth of screening is proportionate to the role's access and to the classification of the information involved, as the control requires.
Technological & Physical Controls
· Configuration Management (A.8.9): You must define, document and monitor the security "baseline" of your hardware, software, services and networks, and treat unexplained drift from that baseline as a finding. Vendor "default" settings are not a baseline.
· Data Masking & Leakage Prevention (A.8.11 & A.8.12): Essential for maintaining AVG (GDPR) compliance alongside your ISO certification. Both controls directly support data minimisation and breach prevention, so the evidence you gather for them serves both regimes.
Forculus Pro-Tip: Use the Statement of Applicability (SoA) as your "Why" document. The standard (Clause 6.1.3) already requires you to list every Annex A control, state whether it is implemented, and justify both inclusions and exclusions. Go one step further and tie each justification to a specific risk or legal requirement from your risk assessment. A well-reasoned SoA is an auditor's favorite document and can significantly speed up your Stage 1 audit.
The Path to the Audit (Certification)
In the Netherlands, your certificate should be issued by a certification body accredited for ISO/IEC 27001 by an IAF-member accreditation body; for Dutch bodies that is the Raad voor Accreditatie (RvA). An unaccredited certificate carries little weight with customers or regulators, so do not skip this. Before a body like DigiTrust or Kiwa steps through your door, you must have completed your own internal audit (Clause 9.2) and a management review (Clause 9.3); the auditor will ask for both.
Stage 1 (Documentation) - Readiness Check: Is your documented ISMS (scope, policy, risk assessment, SoA, internal audit) consistent with the standard and with the Dutch legal and contractual requirements you have identified?
Stage 2 (Implementation) - Evidence Review: Can you prove the controls are operating, for example that your employees actually follow the "Clean Desk" policy and that access reviews and logging are happening as documented?
Surveillance - Maturity Growth: Certification runs on a three-year cycle with annual surveillance audits and a recertification audit at the end. Each visit asks: are you better today than you were 12 months ago, and have you acted on last year's findings?
In 2026, the question isn't whether you can afford to get ISO 27001 certified, but whether you can afford not to. With the supply-chain security requirements of the CbW/NIS2, your clients will soon be asking for your certificate and your Statement of Applicability before they sign a contract.
