GDPR, NIS2 & ISO 27001
Information security and legislation on a single solid foundation
Manage information securely
Comply with the law
Future-proof
Companies are facing increasingly stringent requirements in the area of information security, including data protection, cybersecurity, and information management. Whether it’s the GDPR (privacy legislation), NIS2 (network and information security), or ISO 27001 (information security management), one thing is certain: a structured approach is essential. By investing now in robust systems and processes, you can mitigate risks, comply with regulations, and build a stable and reliable organization for the future.
Over 250 companies already rely on our expertise and knowledge
Do these challenges sound familiar to you?
Lack of internal capacity & expertise
Not every company has the in-house expertise or capacity to properly implement and keep all requirements up to date on its own.
Complexity of laws and regulations
The sheer number of requirements set forth by various standards (including ISO 27001) and laws (GDPR and NIS2) makes it difficult to know where to start and how to ensure full compliance.
Insufficient oversight of personal data and systems
Without a clear understanding of what data you process, where it is stored, and how long you are legally permitted to retain it, it is difficult to maintain control over your information security.
Uncertainty regarding risks and security incidents
Many organizations lack sufficient insight into their risks or an up-to-date incident response plan to act quickly in the event of a data breach or cyber incident.
These issues can limit and slow down your company’s growth; they often cause stress and unnecessary risks—something you naturally want to avoid within your company.
With the right approach, you can bring structure and certainty.
Start with the basics: GDPR
In today’s digital world, compliance with the General Data Protection Regulation (GDPR) is crucial for every organization. The Service Center offers a simple and structured approach to help you set up a GDPR-compliant system.
The GDPR requires organizations to handle the personal data of customers, employees, and partners with care. Key aspects of the GDPR include:
- Defining policy responsibilities: It must be clear who within the organization is responsible for the processing and security of personal data. In some cases, appointing a Data Protection Officer (DPO) is mandatory.
- Secure data processing and storage: Technical and organizational measures must ensure that data cannot simply be accessed, altered, or lost. Think of access restrictions, encryption, and periodic security checks.
- Safeguarding the rights of data subjects: People whose data you process have rights, such as the right to access, rectify, or erase their data. You must have processes in place to handle such requests adequately.
- Clear agreements with third parties: If external parties (such as suppliers or software partners) have access to personal data, data processing agreements must be in place that define their roles and responsibilities.
The GDPR is not a one-time effort but an ongoing process, and at the Service Center, we help organizations implement it. A tailored approach is crucial for GDPR compliance, so click the button if you’d like to learn more about how we can help your business—with no obligation.
Every day, we work successfully with companies such as
NIS2 Requirements
In addition to the GDPR, there is (new) legislation with a much broader scope: the NIS2 Directive. This European directive has been transposed into national law and focuses specifically on network and information security. While the GDPR primarily focuses on personal data, NIS2 covers all critical processes and information systems within your organization.
The scope of NIS2 is broader than you might think. It also applies to suppliers in the supply chain. As a result, more and more companies are being affected by NIS2, either directly or indirectly. Even if you, as a supplier, are not (yet) required to comply, clients will increasingly ask about your cybersecurity measures.
What does NIS2 require of your organization?
The scope of information security within your company depends on various factors. Is your company or are your customers active in one of the designated essential or critical sectors? Who are your stakeholders, and what requirements do they place on your company? What data is processed within your company? These are all factors that influence the extent to which you need to have information security measures in place. In general, the following applies to every company:
• You must demonstrate a commitment to risk management.
• You must take appropriate security measures.
• You are required to report security incidents.
• Fines and penalties apply for non-compliance.
• Audits and inspections are becoming more stringent.
Our NIS2 approach:
We could overwhelm you with all the additional requirements and rules that NIS2 entails. But that’s exactly what we don’t want to do. Instead, we help organizations get a clear overview and, above all, take concrete steps to address what’s truly necessary. Ultimately, your organization will need to take action or seek guidance from a partner who knows how to tackle this in a practical and structured way.
Here’s how we handle it for you:
- We map out your company’s supply chain—including suppliers, customers, and third parties you work with—to gain insight into the requirements your company faces, whether directly or indirectly.
- Next, we begin with a thorough risk analysis to identify vulnerabilities and threats within networks and systems. Based on this analysis, we recommend appropriate security measures to mitigate risks.
- In addition, we ensure that incidents can be resolved quickly by developing an effective incident response plan. Employees are actively involved in this process through targeted training and awareness sessions, as they play a key role in information security.
- Finally, we will continue to monitor and evaluate whether the measures taken remain effective and whether adjustments are needed where necessary.
NIS2 Supply Chain: Additional Proof of Your Cybersecurity
The NIS2 Supply Chain is a cybersecurity quality label specifically designed for small and medium-sized enterprises (SMEs) that supply NIS2 organizations. The label was developed by the Quality Innovation Foundation, a partnership of industry associations (including the KVGO) and cybersecurity specialists such as Samen Digitaal Veilig.
NIS2 Supply Chain has three different levels: Basic (QM-10), Substantial (QM-20), and High (QM-30).
In addition to meeting NIS2 requirements, the NIS2 Supply Chain certification allows you to demonstrate that your organization takes cybersecurity seriously. This certification, which we offer in collaboration with our audit partner, provides customers, supply chain partners, and regulators with immediate insight into your level of maturity in the area of information security. For many companies, it is also an accessible and achievable alternative to the more comprehensive ISO 27001 certification. This allows you to demonstrate your cyber resilience in an efficient and understandable way.
ISO 27001: The Logical Next Step
If you’ve already implemented GDPR and NIS2, or if you want to get your company’s entire security framework in order all at once, ISO 27001 provides exactly that framework.
ISO 27001 is the leading international standard for information security management. This standard helps organizations systematically identify, control, and mitigate risks related to the confidentiality, integrity, and availability of information. It thus provides a coherent framework for continuously managing risks and demonstrating compliance with requirements set by customers, clients, and legislation.
For those who want to learn more about what ISO 27001 entails and how it works in practice, we have a detailed article available on our website that covers all the ins and outs: Read more about ISO 27001
Would you prefer to discuss how ISO 27001 can be applied to your organization? Feel free to schedule a no-obligation consultation. We’d be happy to show you how to implement this in a practical and feasible way.
ISO 27001 Certification in 4 Steps

1. Take inventory
We begin by identifying information security risks and business-specific needs. This forms the basis for determining which measures are necessary to comply with ISO 27001 standards.

2. Analyze
During this phase, we conduct a comprehensive risk analysis and context assessment. We identify vulnerabilities, business processes, and external requirements to ensure that your management system aligns with the ISO 27001 requirements.

3. Implementation
We then implement the necessary management measures and controls (ISMS) within your organization. This ensures that processes are set up securely, risks are managed, and standards are consistently met.

4. Certify
Once the internal audit is complete, your organization will be certified by an independent certification body. ISO 27001 requires a comprehensive audit in which all components of the management system are assessed for compliance.
Take the first step toward ISO 27001 certification today and improve your company’s information security.
Schedule a no-obligation consultation with our consultants and discover what ISO 27001 can do for your company.
Frequently Asked Questions
Do you have a question? Here, we answer the questions we hear most often.
The timeline for implementing, say, ISO 27001 depends on the company’s own efforts, the frequency of visits by a consultant from the Service Center, and, of course, the company’s preparations. If the company already has procedures, work instructions, policy documents, a consultation structure, and so on, the implementation will proceed more efficiently than if no such information is yet available in writing. Existing knowledge of ISO also influences the duration of an implementation process.
All in all, it can be said that an ISO 27001 implementation process takes about 6 to 9 months on average. However, there are also outliers ranging from 3 to 12 months, depending on how the aforementioned aspects have been addressed.
We understand that you’d like to know this, but we can’t give you a definitive answer right away because it depends on various factors, such as company size, complexity, and the level of support provided during the certification process.
During our no-obligation consultation, we can provide you with more insight into the costs for your specific situation.
It is possible to implement an ISO system without consulting a consultant. We have developed blueprint materials for this purpose, and manuals are available within our StafZekerheidssysteem that provide guidance for companies wishing to proceed on their own. However, it is important to ensure that the relevant employees within the company have some experience with implementing a certification scheme, such as ISO 9001.
When a company takes on the task on its own, the turnaround time will be longer, because experience shows that it becomes “just another task” and the available time has to be divided up.
The blueprint materials are designed to allow you to get started on your own, but can be adapted as needed to include homework assistance (limited remote support), an on-site consultation (an explanation of ISO and the steps to take at your location), or customized support for the entire implementation process.