The two most important information security standards, NEN-EN-ISO/IEC 27001 and NEN 7510-1, have received a new version. This is important to know for all consultants, customers and other stakeholders of these standards. It concerns a limited change, as NEN announced on its website on 21 February.
Note that both standards are now available in the '2020 version'; the 2017 versions without the 2020 amendment (ISO27001:2017 and NEN7510-1:2017) have expired with immediate effect.
These publications should actually be read as:
NEN 7510-1:2017, including the first amendment [A1] to the original 2017 version, implemented in 2020. For ISO27001, read: ISO27001 from 2017, with the eleventh amendment implemented in 2020.
The main change in both standards is that they are now much better aligned with the HLS (High Level Structure). The well-known generic yellow texts have now been incorporated in both standards. The NEN 7510-1:2017 version must still be used for the time being, until it is announced that the RvA has accepted NEN 7510:2017+A1:2020.
Besides the change mentioned above, a translation error was also fixed in both ISO27001 and NEN7510, in Annex A, A.18.2.2 'Compliance with security policies and standards':
In the 2017 version, this management measure read: Management should regularly assess compliance of information processing and procedures within its area of responsibility against relevant policies, standards and other security requirements.
In the 2020 version, this management measure reads: Leaders should regularly assess compliance of information processing and procedures within their area of responsibility against relevant policies, standards and other security requirements.
The word 'Management' has thus been replaced by 'Leaders'. This change was made on the basis of the correct translation of the current English text of NEN-EN-ISO/IEC 27001:2013. In that text, 18.2.2 uses the word 'Managers'. The correct Dutch translation of that is 'Leidinggevenden'. This is therefore not a substantive change to the requirements of the standard.
Impact on practice of A.18.2.2: Applying the correct translation in Dutch practice does lead to adjustments. Whether management must assess compliance and procedures, or whether leaders (line managers) must do so, may make a difference in some cases (e.g. in the number of interviews during an audit). DigiTrust will take this change into account during its audits.
NEN7510-1 change to management measure A.14.2.9 System acceptance tests:
Management measure: For new information systems, upgrades and new versions, acceptance test programmes and related criteria should be established.
CARE-SPECIFIC MANAGEMENT MEASURE: Organisations processing personal health information should establish acceptance criteria for planned new information systems, upgrades and new versions, and should conduct appropriate tests of the system prior to acceptance.
[A1>Clinical users should be involved in testing clinically relevant system elements.<A1]
The reason for this change was that this line had 'disappeared' somewhere in NEN7510-1:2017. The sentence did appear in ISO7510-2:2017.
In practice this means that, for upgrades and new versions, providers of healthcare-related information systems should involve clinical users in testing the clinically relevant elements.