
Developing an ISO 27001-compliant integrated framework for internal controls

Posted on: 12 April 2024

For organizations striving for ISO 27001 certification, developing and implementing an integrated internal framework is a crucial step. This framework ensures that internal controls are seamlessly integrated into daily business processes, making them an essential part of the organization’s normal operations. But how do you tackle this and integrate existing control mechanisms?

What is an integrated framework for internal controls?

Let’s first define what we mean by an integrated framework for internal controls, before going into the integration of existing controls. In short, it is a set of controls that is embedded in the business processes, so that carrying them out is a normal part of the organization’s daily activities rather than a separate compliance exercise.

Main frameworks for information security

Several frameworks are available to help organizations integrate controls. Some well-known examples are COSO, COBIT and ISO/IEC 27001. These frameworks provide guidance on identifying, implementing and maintaining effective internal control measures.

Approach to setting up an ISO 27001 framework

The approach to setting up an ISO 27001 framework largely follows the principles of COSO, with a strong focus on risk assessment and implementing policies, procedures and control activities. ISO 27001 certification focuses not only on implemented controls, but also on setting up an information security management system (ISMS).

Integration of existing control frameworks

For organizations that already have control frameworks in place, it’s important to integrate this framework with the requirements of ISO 27001. Full utilization of the existing framework is strongly recommended, as it minimizes effort and facilitates management acceptance.

Approach to integration

Make the most of what is already implemented in your organization

It is essential to make full use of the existing frameworks. It would be a shame to ignore the investments already made in the current control framework. It is advisable to use the ISO 27001 Annex A control set as a guide: consider every relevant control and implement it where applicable. Appropriate Governance, Risk and Compliance (GRC) tooling can also help you put the initial structure in place. This simplifies the performance, monitoring and reporting of control tasks and ensures unambiguous communication about controls.

Do a mapping based on a GAP analysis

By comparing the existing control framework with the ISO 27001 Annex A control set at the level of the individual control tests and supervisory checks, gaps can be identified. Comparing at that level, rather than only asking whether a control “exists”, is what makes it possible to align the existing controls with the ISO 27001 control set.

Filling in following your GAP analysis

Where the existing framework shows gaps against the ISO 27001 control set, new controls should be defined and implemented. The aim is to ensure that all identified risks are adequately addressed by the control framework; this is what supports the functioning of the ISMS.
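The mapping and gap analysis described above, as an added example that is not part of the original article and not OpenSight’s tooling. It compares an existing control inventory with a subset of ISO/IEC 27001:2022 Annex A at the level of the most recent control test outcome, so that an Annex A control backed only by an ineffective or partially effective existing control shows up as work to do, not as “covered”. The Annex A identifiers and titles are from the 2022 edition of the standard; the existing controls (SEC-01, HR-02 and so on), their mappings and their test outcomes are a constructed sample inventory. The reference to A.12.4.1 is deliberately a leftover 2013-edition identifier, to show how mapping errors are caught.

```python
"""Gap analysis of an existing control framework against ISO/IEC 27001:2022 Annex A.

Added example; not code from the original article or from OpenSight. The Annex A
identifiers and titles are real, but the existing-framework controls, their
mappings and their test outcomes are a constructed sample inventory.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Subset of ISO/IEC 27001:2022 Annex A: id -> (theme, title).
# The full Annex A has 93 controls spread over these four themes.
ANNEX_A = {
    "A.5.1": ("Organizational", "Policies for information security"),
    "A.5.15": ("Organizational", "Access control"),
    "A.5.23": ("Organizational", "Information security for use of cloud services"),
    "A.6.3": ("People", "Information security awareness, education and training"),
    "A.7.4": ("Physical", "Physical security monitoring"),
    "A.8.8": ("Technological", "Management of technical vulnerabilities"),
    "A.8.16": ("Technological", "Monitoring activities"),
    "A.8.24": ("Technological", "Use of cryptography"),
}

# Outcome of the most recent control test, ranked from best to worst.
# Comparing at this level (not "does a control exist") is what makes the
# mapping useful to the ISMS.
TEST_RANK = {"effective": 0, "partial": 1, "ineffective": 2}
RANK_STATUS = {0: "covered", 1: "partial", 2: "ineffective"}


@dataclass(frozen=True)
class ExistingControl:
    control_id: str
    description: str
    annex_a_refs: tuple  # Annex A controls this existing control is mapped to
    last_test: str       # "effective", "partial" or "ineffective"


# Constructed sample inventory of an organization's current framework.
EXISTING = (
    ExistingControl("SEC-01", "Information security policy approved by the board", ("A.5.1",), "effective"),
    ExistingControl("SEC-04", "Quarterly access review of privileged accounts", ("A.5.15",), "partial"),
    ExistingControl("SEC-07", "Monthly vulnerability scanning and patching", ("A.8.8",), "effective"),
    ExistingControl("SEC-08", "Patch SLA dashboard reviewed by IT management", ("A.8.8",), "ineffective"),
    # "A.12.4.1" is a 2013-edition identifier left behind in the mapping: a mapping error.
    ExistingControl("SEC-09", "Central log collection and alerting", ("A.8.16", "A.12.4.1"), "ineffective"),
    ExistingControl("HR-02", "Annual security awareness training", ("A.6.3",), "effective"),
)


def annex_key(control_id):
    """Sort key so that A.8.8 sorts before A.8.16 (numeric, not lexical)."""
    return tuple(int(part) for part in control_id[2:].split("."))


def unknown_references(annex_a, existing):
    """Mapping errors: references to Annex A ids that do not exist in this edition."""
    refs = {ref for ctrl in existing for ref in ctrl.annex_a_refs if ref not in annex_a}
    return sorted(refs, key=annex_key)


def gap_analysis(annex_a, existing):
    """Return {annex_a_id: status}, status being 'covered', 'partial',
    'ineffective' or 'gap'. When several existing controls map to the same
    Annex A control, the best test outcome wins."""
    best = {}
    for ctrl in existing:
        for ref in ctrl.annex_a_refs:
            if ref not in annex_a:
                continue  # reported separately by unknown_references()
            rank = TEST_RANK[ctrl.last_test]
            if ref not in best or rank < best[ref]:
                best[ref] = rank
    return {cid: RANK_STATUS[best[cid]] if cid in best else "gap" for cid in annex_a}


def theme_summary(annex_a, status):
    """Counts per Annex A theme, e.g. {'Technological': {'covered': 1, 'gap': 1}}."""
    summary = defaultdict(Counter)
    for control_id, state in status.items():
        summary[annex_a[control_id][0]][state] += 1
    return {theme: dict(counts) for theme, counts in summary.items()}


def open_items(annex_a, status):
    """Annex A controls that need a new control, a fix or a re-test, in Annex A order."""
    ordered = sorted(status.items(), key=lambda kv: annex_key(kv[0]))
    return [(cid, annex_a[cid][1], state) for cid, state in ordered if state != "covered"]


if __name__ == "__main__":
    result = gap_analysis(ANNEX_A, EXISTING)
    for theme, counts in theme_summary(ANNEX_A, result).items():
        print(f"{theme:15s} {counts}")
    for control_id, title, state in open_items(ANNEX_A, result):
        print(f"{state:12s} {control_id:7s} {title}")
    bad_refs = unknown_references(ANNEX_A, EXISTING)
    if bad_refs:
        print("Unknown Annex A references (check for 2013-edition ids):", bad_refs)
```

In practice the ANNEX_A table would hold all 93 controls and the inventory would be exported from the GRC tool; the point of the structure is that `open_items()` becomes the input for the “filling in” step and `unknown_references()` catches mappings that still point at the 2013 numbering.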

Management buy-in and the benefits of integration

Keeping the existing framework simplifies management acceptance and facilitates the integration of controls into business processes. Moreover, a gap analysis at the level of internal testing and supervision helps identify gaps in the information security policy and the ISMS itself, enabling continuous improvement.

In conclusion, developing an ISO 27001-compliant integrated internal controls framework is a crucial step for organizations striving to achieve a high level of information security and certification in line with international standards. By integrating existing control frameworks and continuously striving for improvement, organizations can build a solid foundation for effective information security and risk management.

Need more information or help developing an ISO 27001-compliant integrated framework for internal controls?

Then contact us, no commitment necessary. At OpenSight, we are happy to help!


NIS2: new European directives for cyber security

Posted on: 24 January 2024


In January 2023 the new European cybersecurity directive, Network and Information Security 2 (NIS2), entered into force; member states had to transpose it into national law by 17 October 2024, and organizations’ obligations follow from that national legislation. The directive has major implications for companies and organizations in Europe, including the Dutch business community, because NIS2 applies to a wide range of sectors, not just the vital sectors covered by its predecessor NIS.

It’s important that companies comply with NIS2. Not just to avoid high fines, which for essential entities can reach 2% of global annual turnover, but more importantly to ensure digital security and prevent cyber attacks. NIS2 requires companies and organizations to take their digital security to a higher level and adapt to the increasing threat of cybercrime.

On this page (and in more detail in our brochure at the bottom of this page) you can read about what the NIS2 entails, which sectors are covered by the directives, the consequences of non-compliance and how to prepare for the NIS2 as a company or organization.

What’s NIS?

The NIS Directive, adopted in 2016, was the first EU-wide cybersecurity legislation (it has been in effect in the Netherlands since 2018 as the Wet beveiliging netwerk- en informatiesystemen, Wbni). Its purpose is to ensure a common level of security for network and information systems within the European Union. This is achieved by requiring member states to adopt and implement appropriate security measures that reduce the risk of cyber attacks and limit their consequences.

NIS focuses on companies and organizations operating in vital sectors, such as energy, transportation, healthcare and financial services: sectors that are critical to keeping our economy and society running and therefore need a higher level of security.

Another goal of the NIS is to strengthen cooperation among EU member states on cyber security. The directive requires member states to designate a national NIS authority and have it cooperate with other European authorities.

In short, the purpose of the NIS Directive is to improve the cyber security of the EU’s vital sectors and strengthen cooperation among member states in the field of cyber security. But with the increase in cyber attacks, NIS no longer appeared to provide sufficient security. Therefore, in December 2020 the European Commission proposed NIS2 as part of the new EU cybersecurity strategy.


Difference between NIS and NIS2

Whereas NIS focuses on large enterprises in vital sectors, NIS2 goes beyond that, which means it will have a major impact on the European business community. NIS2 focuses on three pillars of security:

  • Security risk mapping;
  • Protection and detection to mitigate risks;
  • And mitigating the consequences of cyber incidents.

Where companies previously could get by with simply complying with the GDPR (AVG) and other basic rules, with the introduction of NIS2 they must pull out all the stops to comply with the new requirements. It’s therefore important for companies to be aware of NIS2 and prepare accordingly, improving their cyber security to reduce the impact of cyber attacks.

Although the NIS Directive is still relatively young, research by the EU Agency for Cybersecurity (ENISA) indicates that its implementation in Europe has already led to significant improvements in cybersecurity. Some facts and figures from this study are:

  • 96% of member states have implemented national legislation to transpose the NIS Directive into national law.
  • 92% of national authorities have dealt with at least one cybersecurity incident.
  • 83% of organizations covered by the NIS Directive have implemented security measures to reduce cybersecurity risks.

[Infographic: 5 steps companies can take to prepare for NIS2]

To whom does the NIS2 apply?

NIS2 applies in all member states of the European Union, so all organizations and companies based in these member states that offer digital services or provide essential services must start complying with it. This covers a wide range of sectors, including energy, transportation, healthcare, finance, digital infrastructure and more. Unlike the original NIS Directive, NIS2 has a much broader scope and applies to a wide variety of organizations and businesses, including:

  1. Providers of essential services (e.g., energy, transportation, banking, healthcare, drinking water supply, digital infrastructure).
  2. Digital service providers (e.g., online marketplaces, search engines and cloud computing providers).
  3. Government agencies (both national and local).

The specific criteria for which organizations and companies are covered by NIS2 vary by member state. In the Netherlands, the central government has defined the sectors to which NIS2 applies; these can be found online. Download the brochure to discover the full list of sectors.

An important difference from the first NIS Directive is that organizations are automatically covered by NIS2 if they are active in one of the above sectors and qualify as an “essential” or “important” entity according to the directive’s sector and size criteria. Unlike the CER Directive, NIS2 does not involve designation by ministries.

Transitioning to NIS2

The National Cyber Security Centre (NCSC) has drawn up a timeline for translating the CER and NIS2 directives into national legislation. You can see the full timeline in our brochure at the bottom of the page.

Why OpenSight ?

Calling in a specialist is the wisest choice and saves a lot of time. The knowledge and experience of a specialist ensure a worry-free process. By taking OpenSight as a partner, you can be sure that the knowledge and experience is there to ensure the best possible process.

Knowledge
OpenSight has been working on cybersecurity for companies for years. What started as an interest grew into a passion and eventually into a company offering services that help organizations.

Experience
Numerous companies have previously partnered with OpenSight and as a result have achieved great successes regarding cybersecurity. From improved business processes to certifications and from consulting to implementations.

Documentation
Clear and accurate documentation is the foundation of cybersecurity. From the plan of action to checkpoints to recording calamities that have occurred and been resolved. In fact, most documentation is necessary for achieving and maintaining certifications. It also increases visibility into the progress and status of the management system.

Time Saving
With compliance software and help from OpenSight, you can minimize the pressure on the organization, which saves an enormous amount of time. Think, for example, of recurring tasks that are scheduled automatically at the set frequency, and other automations.

Integrations
Integrations with Microsoft Teams or Slack are frequently requested options. They allow tasks arising from the management system to be distributed within the organization. From our experience, many organizations benefit from using such integrations when maintaining, for example, their NIS2 management system. NIS2 is one of the frameworks that can be chosen to guide monitoring. OpenSight can provide these valuable integrations.

Download the NIS2 brochure

With OpenSight’s service you can easily follow the NIS2 guidelines. You get access to experienced experts, independent advice and practical support in implementing security measures and management systems. Enter your details below to download the brochure and find out how our NIS2 service can help your organization.


Everything you need to know about ISO 27001:2022

Posted on: 2 January 2024

ISO 27001:2022 update

The transition to ISO 27001:2022. What is changing and what does it mean for your organization?

Why an ISO 27001 certificate?

Within the ISO standards world, it is customary to assess every five years whether a standard should be revised. The ISO 27001 standard, regarded as the standard for information security, last had its content updated in 2013. The time for an update has finally come, and we will tell you all about the new ISO 27001.

ISO 27001:2013 as we know it

ISO 27001 is one of the most highly regarded and globally used standards for information security. It is an international standard that describes the requirements for an Information Security Management System (ISMS). An ISMS is a structured framework of policies, procedures, processes and systems used to manage and protect information security.

The now outdated version, ISO/IEC 27001:2013, sets specific requirements that an ISMS must meet. These include identifying information security risks, establishing security measures and monitoring performance. By complying with the ISO/IEC 27001:2013 standard, organizations can improve their information security processes, ensure data security and increase customer confidence. The standard applies to all types of organizations, regardless of size, location or industry.

The new ISO 27001 standard

As developments in the field of security continue at a rapid pace, it is customary to update security standards every few years. It is therefore striking that the previous version of the ISO 27001 standard dates from 2013 and went almost ten years without an update. Now its successor has been published: meet ISO/IEC 27001:2022.


The main changes in ISO 27001

The new version, ISO/IEC 27001:2022, addresses the new challenges facing organizations. The changes are mainly found in Annex A, which has been aligned with ISO/IEC 27002:2022, published earlier that year. In this Annex A, security controls have been added, removed or merged. The changes now cover cybersecurity and privacy issues, control wording has been refreshed and additional guidance has been added. This helps organizations manage risk and ensure nothing is overlooked, so that proper follow-up is assured. Considering that the previous version dates back to 2013, there have been quite a few changes to the security controls: 11 new, 58 updated and 24 merged controls, to be exact. A few examples of the changing circumstances being addressed:

  • The recent and increased adoption of digital technologies, such as cloud and automation.
  • The recognition of cybersecurity and privacy risks.
  • Reflecting the changing threat landscape, for example, with new types of malware and ransomware.
  • Aligning with other best practices, such as NIST, COBIT, etc.
  • Updating control language and adding additional guidance.

The key areas affected by these changes are:

  • Leadership
  • Business security
  • IT function
  • Delivery

Transition period ISO/IEC 27001:2022

In short, with the changes that come with ISO/IEC 27001:2022, organizations must re-evaluate their risk assessments and reassess their security measures. What does that mean for your organization?

On 25 October 2022, the new version of ISO/IEC 27001 was released. During the three-year transition period, existing certificates must be transitioned to the new version by 1 November 2025. After October 2023, you can no longer certify or recertify against the 2013 version. From then on, the transition audit takes place during the next scheduled audit, but it can also be performed earlier as a special transition audit.

Does your organization need to re-evaluate risk assessments and re-establish security controls? If so, you have a transition period of three years. The transition to ISO 27001:2022 can be done either at recertification or at the annual surveillance audit. At OpenSight, we are happy to help you certify against the new standard.

5 steps you can take to transition to ISO/IEC 27001:2022

  1. Become familiar with the content and requirements of the new version:
    It is critical that you familiarize yourself with the new version of ISO/IEC 27001 and understand what the changes are and mean in content from the previous version. Does your organization already have the 2013 ISO 27001 version? Then you should focus mainly on the changes that the revision brings. These are mainly in ISO 27002, or ISO 27001 Annex A.
  2. Train your staff:
    We can’t say it often enough. Make sure all employees in your organization are trained and understand the key changes and requirements. This will ensure that the entire team is up to speed on the new guidelines and practices.
  3. Perform a gap analysis:
    To meet the new requirements, it is important to use a gap analysis to identify where your organization already meets them and where adjustments or additions are needed.
  4. Establish an implementation plan:
    Based on the findings from Step 3, you can create a plan to meet the new requirements. Do set concrete actions and make clear deadlines for implementing these actions. Talk the talk, walk the walk.
  5. Update your management system:
    After implementing the actions laid out in the new action plan, update your management system to meet the new requirements. This may mean modifying existing processes or implementing new ones. Make sure you properly document and communicate these changes within your organization.

To make the transition to the new ISO as smooth as possible, it is very important to start preparing on time. By following these steps you ensure that you meet the new requirements and that your certification is renewed on time. In doing so, the experts at OpenSight are always ready to help you with questions or for advice.

OpenSight

Calling in a specialist is the wisest choice and saves a lot of time. The knowledge and experience of a specialist ensure a worry-free process. Moreover, an independent auditor from an accredited certification body must assess the ISMS. By taking OpenSight as a partner, you can be sure that the knowledge and experience is there to ensure the best possible process. Because of our specialized knowledge and experience in cybersecurity, you are well placed to obtain the ISO 27001 certificate.

Knowledge
OpenSight has been working on cybersecurity for companies for years. What started as an interest grew into a passion and eventually into a company offering services that help organizations.

Experience
Numerous companies have previously partnered with OpenSight and as a result have achieved great successes regarding cybersecurity. From improved business processes to certifications and from consulting to implementations.

Documentation
Clear and accurate documentation is the foundation of cybersecurity. From the plan of action to checkpoints to recording calamities that have occurred and been resolved. In fact, most documentation is necessary for achieving and maintaining certifications. It also increases visibility into the progress and status of the management system.

Time Saving
With compliance software and help from OpenSight, you can minimize the pressure on the organization, which saves an enormous amount of time. Think, for example, of recurring tasks that are scheduled automatically at the set frequency, and other automations.

Integrations
Integrations with Microsoft Teams or Slack are frequently requested options. They allow tasks arising from the management system to be distributed within the organization. From our experience, many organizations benefit from using such integrations when maintaining, for example, their ISO 27001 management system. OpenSight can provide this.

Download the ISO 27001:2022 transition brochure

In short, with OpenSight’s service you can easily complete your certification or transition to ISO 27001:2022. You get access to experienced experts, independent advice and practical support in implementing security measures and management systems. Fill in your details below to download the brochure and find out how our ISO service can help your organization.


Does the NIS2 apply to your company? Here’s what you need to arrange

Posted on: 2 January 2024


Since January 2023 the new NIS2 directive has been in force in Europe, and companies and organisations in the sectors it covers must comply with it once it has been transposed into national law (the deadline for member states was 17 October 2024). A major difference with previous legislation is that NIS2 includes sanctions, and the board can be held accountable if insufficient action has been taken in the area of cyber security. Because NIS2 applies to considerably more sectors and branches, it’s important that SMEs in the Netherlands and in other European countries get their act together. In this blog you can read what you as a company must comply with and what exactly NIS2 entails.

What is NIS?

NIS is short for Network and Information Security and was the first EU-wide legislation in the field of cyber security. (The directive was adopted in 2016 and has been in force in the Netherlands since 2018 as the Wet beveiliging netwerk- en informatiesystemen [Wbni]. It obliges companies and organizations to organize and tighten their digital security.) With the sharp increase in cyber attacks, the European Commission presented a new EU security strategy in December 2020, including the proposal for NIS2.

Where NIS is limited to large companies in vital sectors, like drinking water supply and telecom, NIS2 goes a step further and will certainly have a bigger impact on EU business. This successor to NIS focuses on three pillars of security:

  • Security risk mapping;
  • Protection and detection to mitigate risks;
  • Limiting the consequences of cyber incidents.

Under NIS, many companies could still get by with complying with the GDPR (AVG in the Netherlands) and other ‘basic rules’. Now that NIS2 is in force, many companies really have to pull out all the stops when it comes to cybersecurity.

Do you want to know more about how to approach this, or are you curious how compliant your organization is at the moment? Our experts are ready to answer your questions!
Or download the NIS2 brochure.


What is ISO 9001?

Posted on: 27 December 2023


We often get questions about the ISO 9001 certification. In this article we’ll explain what an ISO 9001 certification is, why it is valuable to get a certification and how to get it.

What is ISO 9001?

ISO 9001 is a globally recognized standard in the field of quality management. With this certification you show as an organization that your products and services meet the needs, requirements, wishes and specifications of your stakeholders. By complying with ISO 9001, organizations show that they work transparently and reliably.


Why get an ISO 9001 certificate?

Every organization has fixed steps and processes that are necessary for the delivery of its products and services. Under a quality management system these steps and processes are continuously monitored and optimized where necessary, which drives growth and development within the organization. With an ISO 9001 certification, your organization can prove to customers and partners that the quality management system is upheld.

What are the advantages of an ISO 9001 certification?

With an ISO 9001 certification you as an organization show that you deliver quality and continually strive towards improvement. These are the benefits of the ISO 9001 certificate:

  • Increased customer satisfaction: from now on customers will get the best service and support, because the organization is constantly working on optimizing processes.
  • Demonstrable quality: the ISO 9001 certification, or rather the quality of the quality management system, shows that the organization understands and controls all important processes, including up to date knowledge regarding laws and regulations.
  • Saving money: by optimizing and streamlining the processes in the organization you reduce the risk of errors. Not only does this mean you’re working more efficiently, but you also save money.

How do I obtain an ISO 9001 certificate?

An ISO 9001 certificate is issued by accredited certification bodies after an audit. During this audit, the auditor tests the design and operation of the quality management system in a number of steps. It’s important to comply with the requirements of ISO 9001 before entering the audit. However, don’t make it more difficult than it has to be: although the organization has to meet strict requirements to obtain ISO 9001 certification, the process has to match your way of working. Take a closer look at the quality management system. Does it fit the business operations? If not, there is work to be done. More information about what you should pay attention to during an audit can be found here.

Why OpenSight ?

For an ISO certification process to succeed, the management system must fit in well with business operations and keep the operational impact in check. With over 10 years of experience, our team has helped hundreds of organizations with designing and implementing different ISO standards. We work from the perspective of people and the organization. Our consultants advise in a pragmatic manner and support the design and implementation of policies and measures. Projects run more smoothly, and we answer all your technical questions. If you choose OpenSight, you choose the technical support and knowledge that your organization needs.

Other benefits:

  • Technical consulting, implementation and maintenance; all-in-one.
  • A pragmatic approach with attention to people and business.
  • Flexible input allows you to set the pace yourself.
  • Personal support with the technical implementation of security measures.

Check out this page for more information about our certifications.


How to get an ISO 27001 certificate

Posted on: 31 August 2022


We regularly get questions about the ISO 27001 certification. In this article, we explain what an ISO 27001 certificate is, why it is valuable to obtain this certification and how to get it.

What is ISO 27001?

ISO stands for International Organization for Standardization, a global institute that develops standards for products and systems. ISO/IEC 27001 is the international standard for information security. It describes how organizations can secure information in a process-oriented way. The goal? To ensure the confidentiality, integrity and availability of sensitive information within an organization.

Why an ISO 27001 certificate?

For many organizations, data is essential. Decisions such as optimizing crucial processes and improving the customer experience are often based on this data. A data breach or outage can have a massive impact on the organization. This makes it all the more important that third parties such as service providers and suppliers handle data responsibly: how do they guarantee information security? ISO 27001 provides an answer to that question.

When customers have specific security requirements, an ISO 27001 certification helps to build trust. The certificate shows that your security policies and measures have been independently assessed. In short, the ISO 27001 certificate shows that your company handles data responsibly.


Who is the ISO 27001 for?

Every organization uses and processes personal data, but the impact of a data breach or outage varies from organization to organization. By working to the ISO 27001 standard, you show that you minimize the risk of data loss, damage or leakage within your organization. Do you work with personal data and sensitive customer data? Then you should definitely consider an ISO 27001 certificate. The financial, healthcare and IT sectors are good examples of sectors where ISO 27001 certification is increasingly expected. But make no mistake: with the increasing cyber security risks, ISO 27001 can make a big difference for every organization that works with data.

How do I obtain an ISO 27001 certificate?

An ISO 27001 certificate is issued by accredited certification bodies after a certification audit. In this audit, the auditor tests the design and operation of the management system and the implemented measures. So, before you start the audit you want to ensure that your management system meets all the requirements. But don’t make it more complex than it is. Although there are strict requirements that a management system must meet, it must fit your organization. Therefore, start by designing a management system that fits your business operations and goals. More information on what to look for can be found here.

Why OpenSight ?

For an ISO certification process to be successful, the management system must be a good fit with the business operations and reduce the operational impact. With over ten years of experience, our team has already helped hundreds of organizations set up and implement various ISO standards. We believe that people are central in this process. Our consultants provide pragmatic advice and support in designing and implementing policies and measures. This makes projects a lot easier, and we answer any technical questions you may have. If you choose OpenSight, you are assured of the technical support and knowledge your organization needs.

Other benefits:

  • Technical consulting, implementation and maintenance; all-in-one.
  • A pragmatic approach with attention to people and business.
  • Flexible input allows you to set the pace yourself.
  • Personal support with the technical implementation of security measures.

Want advice? Contact us directly or request a quote.

Download our ISO 27001 brochure
