Co-founder of ISOPlanner Ivar van Duuren on the practical application of ISO standards

Start small. Stay practical. Do not over-implement.
June 10, 2026
Ivar van Duuren

For many organizations, ISO certification sounds like a logical step toward better risk management and stronger information security. However, anyone who thinks it is simply a matter of filling out documents and checking boxes will be disappointed. Ivar van Duuren, co-founder of ISOPlanner (itself ISO 27001 certified), offers a candid look at what implementing ISO standards really involves, and where, in his view, things often go wrong.

Getting started with ISO certification: the art of simplicity

“What advice would I give my younger self?” Ivar thinks for a moment. “Try to keep things simple. Especially with something like ISO 27001, there is a risk of doing too much.” The standard is often abstract, and with an abundance of opinions and interpretations, the danger of over-implementation lurks around every corner. His advice: start small, keep it practical, and above all, don't do too much at once. “The less you do at first, the better. And if you do end up doing a lot, then at least you know that it's important.”

ISO policy, procedures, and instructions: what's that all about?

The ISO standard itself rarely spells out exactly what you must document. As Ivar puts it: “What you really need is limited. What is useful to have is a lot more.” Many organizations struggle with the difference between policy, procedures, and work instructions. Ivar explains it clearly:

  • Policy: Agreements about your goals. For example, make a backup every day.
  • Procedures: How you organize that process, who does what.
  • Work instructions: Step-by-step explanation of how you do something. For example: log in to system X, click button Y.

What are the truly crucial ISO measures?

“You don't have to implement all the measures mentioned in ISO 27001 Annex A, for example,” explains Ivar. “You have to demonstrate that you manage risks and choose appropriate measures.” But some measures are almost always present: “Access management, for example. You simply have to be sure that only the right people have access to sensitive information. You always want to have that well organized.”

And how do you demonstrate effectiveness?

Having a policy alone is not enough, however. An organization must also demonstrate that its measures are working. This can be done through spot checks, for example. “If you say that every new employee must undergo awareness training, you can periodically check whether this has actually happened,” says Ivar. Documentation plays a key role here: not only what you do, but also how you record it. According to him, this is where the value of specialized software lies: “It helps enormously if you can record the relationships between documents, measures, and risks. With just folders in SharePoint, things quickly become confusing.”
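The two spot checks mentioned above (the access-management measure from the previous section and the awareness-training check here) can be turned into repeatable, evidence-producing scripts. The following is an added example, not ISOPlanner's code; the employee roster, training records and file-share ACL are constructed sample data, and the control labels follow the ISO/IEC 27001:2022 Annex A numbering as an assumption about how an ISMS would tag them. Each check returns a result object with its population, its findings and the date it ran, which is the kind of record an auditor asks for.

```python
"""Spot checks for two common ISO 27001 measures, run over constructed sample data.

Added example, not ISOPlanner's code. A real ISMS would pull these records
from HR, the learning platform and the identity system instead of literals.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

AS_OF = date(2026, 6, 10)  # date the spot check is run (assumed)

# --- Constructed sample data: not real people, systems or accounts ---
EMPLOYEES = [
    {"id": "e1", "hired": date(2026, 3, 2), "role": "finance"},
    {"id": "e2", "hired": date(2026, 4, 20), "role": "engineering"},
    {"id": "e3", "hired": date(2026, 5, 28), "role": "support"},
    {"id": "e4", "hired": date(2025, 11, 1), "role": "finance"},
]
# employee id -> date awareness training was completed (as exported from the LMS)
TRAINING_COMPLETIONS = {
    "e1": date(2026, 3, 10),
    "e2": date(2026, 4, 1),   # dated before the hire date: a suspicious record
    "e4": date(2025, 11, 15),
}
# Accounts holding access to the payroll share, as exported from the file server.
PAYROLL_SHARE_ACL = {"e1", "e2", "e4", "e9"}  # e9 is no longer on the HR roster
ROLES_ALLOWED_PAYROLL = {"finance"}


@dataclass
class Finding:
    control: str
    subject: str
    detail: str


@dataclass
class CheckResult:
    control: str
    checked_at: date
    population: int
    findings: list[Finding] = field(default_factory=list)

    @property
    def effective(self) -> bool:
        """A measure counts as effective for this sample when no exception was found."""
        return not self.findings


def check_awareness_training(employees, completions, today, grace_days=30, since=None):
    """Policy: every new employee completes awareness training within grace_days of hire.

    Edge cases handled: no record but still inside the grace period (not yet a
    finding), a completion dated before the hire date (bad evidence), and late
    completion. `since` limits the population to recent hires.
    """
    result = CheckResult("A.6.3 awareness training", today, 0)
    for emp in employees:
        if since is not None and emp["hired"] < since:
            continue
        result.population += 1
        deadline = emp["hired"] + timedelta(days=grace_days)
        done = completions.get(emp["id"])
        if done is None:
            if today > deadline:
                result.findings.append(Finding(result.control, emp["id"],
                                               f"no training record, overdue since {deadline}"))
        elif done < emp["hired"]:
            result.findings.append(Finding(result.control, emp["id"],
                                           f"completion {done} predates hire date {emp['hired']}"))
        elif done > deadline:
            result.findings.append(Finding(result.control, emp["id"], f"completed late on {done}"))
    return result


def check_access_rights(employees, acl, allowed_roles, today):
    """Policy: only employees whose role requires it hold access to the payroll share.

    Flags accounts that are not on the HR roster (leavers, orphaned accounts)
    and accounts whose role does not justify the access.
    """
    result = CheckResult("A.5.18 access rights (payroll share)", today, len(acl))
    roster = {e["id"]: e for e in employees}
    for uid in sorted(acl):
        emp = roster.get(uid)
        if emp is None:
            result.findings.append(Finding(result.control, uid, "account not on HR roster"))
        elif emp["role"] not in allowed_roles:
            result.findings.append(Finding(result.control, uid,
                                           f"role '{emp['role']}' does not require access"))
    return result


def run_spot_checks(today=AS_OF):
    """Run both checks; the returned results are the evidence records to file."""
    return [
        check_awareness_training(EMPLOYEES, TRAINING_COMPLETIONS, today, since=date(2026, 1, 1)),
        check_access_rights(EMPLOYEES, PAYROLL_SHARE_ACL, ROLES_ALLOWED_PAYROLL, today),
    ]


if __name__ == "__main__":
    for res in run_spot_checks():
        status = "effective" if res.effective else f"{len(res.findings)} finding(s)"
        print(f"{res.checked_at} {res.control}: population={res.population}, {status}")
        for f in res.findings:
            print(f"  {f.subject}: {f.detail}")
```

On the sample data the training check flags e2 (record dated before hire) and leaves e3 alone because the grace period has not yet expired; the access check flags e2 (engineering role) and e9 (not on the roster). Keeping the result objects rather than only the printed lines is what lets you link each run back to the measure and the risk it covers.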

ISO certification is a lot of work, even for experts

Although ISOPlanner specializes in supporting ISO implementations, the internal process was anything but easy for Ivar. “Despite our knowledge, it took more time than expected to formulate a good policy and monitor its consistency.” This is because information security touches on several levels of abstraction at the same time: policy, measures, risks, and requirements. “You're constantly jumping between those layers. A measure is included in the policy, touches on a risk, and then comes back into procedures. It takes a lot of structure to maintain that consistency.”

AI and ISO certification: a promise and a challenge

AI is also playing an increasingly important role in the world of information security. “We have already added AI functionality to ISOPlanner,” says Ivar. “For example, to simplify documentation or identify risks more quickly.” However, he warns against hasty expectations: “AI promises a lot, but it has to be practical to implement. It's not a magic solution. You have to maintain a balance between innovation and applicability.”

The rise of NIS2 and the power of accessibility

What makes Ivar currently enthusiastic is the trend in the market regarding NIS2. “More and more organizations are getting started with it. What I particularly like is that initiatives such as the NIS2 Quality Mark from Samen Digitaal Veilig make the subject concrete and accessible. For organizations for which ISO 27001 still seems a bridge too far, this is a good intermediate step.”

Finally: a paper ISO standard still requires the human touch

Overall, ISO certification is more than just a checklist. It requires reflection, communication, setting priorities, and continuous adjustment. “No matter what tools or support you have, it ultimately remains a project that has to be implemented in your organization.” So, do you really want ISO certification to work? Start simple. Know what you are doing. And above all: make sure everyone in your organization knows why you are doing it.

ISOPlanner™ was built on the same principles Ivar describes here: a structured, practical ISMS that does not add complexity for its own sake. See how it works.
