The two main standards for information security, NEN-EN-ISO/IEC 27001 and NEN 7510-1, have received a new version. This is important for all consultants, customers and other stakeholders of these standards. It is a limited change, as NEN reported on 21 February on its website.
Note that both standards are now available in the '2020 version'; the 2017 versions without the 2020 addition (ISO27001:2017 and NEN7510-1:2017) have expired with immediate effect.
These publications should be read as follows:
NEN 7510-1:2017, including the first amendment [A1] to the original 2017 version, implemented in 2020. For ISO27001: ISO27001 from 2017, with the eleventh amendment implemented in 2020.
The main change in both standards is that they are now much better aligned with the HLS structure. The well-known generic yellow texts have now been incorporated in both standards. For the time being, the standard version NEN 7510-1:2017 must still be used, until the RvA gives further notice that it has accepted NEN 7510:2017+A1:2020.
Besides the change mentioned above, a translation error was also fixed in both ISO27001 and NEN7510, in Annex A, A.18.2.2 'Compliance with security policies and standards':
In the 2017 version, this management measure stated: The Executive Board should regularly assess compliance of information processing and procedures within its area of responsibility against relevant policies, standards and other security requirements.
In the 2020 version, this management measure states: Leaders should regularly assess compliance of information processing and procedures within their area of responsibility against relevant policies, standards and other security requirements.
The term 'Executive Board' (management) has thus been replaced by 'Leaders'. This change is based on the correct translation of the current English text of NEN-EN-ISO/IEC 27001:2013, in which the word 'Managers' is used in 18.2.2. The correct translation of this is 'Leaders'. This is therefore not a substantive change to the requirements of the standard.
Impact on practice of A.18.2.2: applying the correct translation may lead to adjustments in Dutch practice. Whether management must assess compliance with policies and procedures, or whether the leaders (managers) have to do so, can make a difference in some cases (e.g. in the number of interviews held during an audit). DigiTrust will take this change into account during its audits.
NEN7510-1 change on management measure A.14.2.9 System acceptance tests:
Management measure: For new information systems, upgrades and new versions, programmes for conducting acceptance tests and related criteria should be established.
CARE-SPECIFIC MANAGEMENT MEASURE: Organisations processing personal health information should establish acceptance criteria for planned new information systems, upgrades and new versions. Prior to acceptance, they should conduct appropriate tests of the system.
[A1>Clinical users should be involved in testing clinically relevant system elements.<A1]
The reason for this change is that this line had 'disappeared' somewhere in NEN7510-1:2017, while the sentence did appear in ISO7510-2:2017.
In practice, this means that for upgrades and new versions, providers of healthcare-related information systems must involve clinical users in testing the clinically relevant system elements.