How to transition from NEN 7510-1:2017+A1:2020 to NEN 7510-1:2024
Introduction
The NEN 7510 standard for information security in healthcare has been updated. This guide describes the steps healthcare organizations need to take to transition from the 2017/2020 version to the 2024 version, including the practical implementation in ISOPlanner.
Important Considerations for the Transition in ISOPlanner
Preserving Implementation Information for Deprecated Controls
A critical aspect of this transition is that many healthcare-specific controls from the 2017/2020 version are deprecated in the 2024 version. This has important implications for ISOPlanner. During the upgrade, the system does not create new controls for these deprecated items, so their implementation information is not transferred automatically.
When the old standard is deactivated after the upgrade, these controls, and with them all documentation about how they were implemented, disappear from the system. Organizations must therefore decide before the upgrade how they want to handle this information. Possible strategies include:
- Exporting and archiving all implementation information for deprecated controls. You can do this by generating the “Control details” report under Administration – Reports.
- Documenting relevant implementation aspects in new, related controls
- Setting up a separate documentation system for historical implementations
Changes in Standard Structure in ISOPlanner
A second important consideration concerns the structure of the standard in ISOPlanner. In the 2017/2020 version, the NEN 7510 implementation contained only the healthcare-specific controls; the general controls were managed through the ISO 27001 standard. The 2024 version changes this: all controls, both healthcare-specific and general, are now included within the NEN 7510 standard.
This means that many new controls appear during the upgrade. They come without implementation information, unless the ISO 27001:2022 standard is also active in ISOPlanner. In that case the new NEN 7510 controls share their implementation texts with the corresponding ISO 27001 controls. A separate implementation task is created for every new control either way.
Timeline
The transition period runs from December 2024 to December 2026. During this period, organizations can adapt their management systems to meet the new requirements. After December 2026, certification is only possible against the new standard. Given the scope of the changes, it is advisable to start the transition early.
Transition Step-by-Step Guide
Preparation and Gap Analysis
General Approach
Before starting the technical upgrade in ISOPlanner, thorough preparation is essential. Begin by mapping your current situation: inventory which healthcare-specific controls you have implemented and document their current status. Also determine whether you use ISO 27001 and how you want to approach the integration with the new NEN 7510 controls.
Practical Steps in ISOPlanner
ISOPlanner has a built-in upgrade procedure for transitioning to NEN 7510-1:2024. To start this:
- Go to Administration – Standards
- Click the ‘Edit’ button next to the currently activated NEN 7510-1:2017 standard
- At the bottom of the panel, you’ll find an ‘Upgrade’ button
- This opens a new panel in which an automatic analysis of your current situation starts
- Follow the steps on the screen
After the upgrade, you’ll receive:
- A new dashboard with the status of all tasks
- Automatically created tasks for new controls
- Tasks for reviewing modified controls
- Warnings for deprecated healthcare-specific controls
- Tasks for reviewing the risk analysis
Tip: You can first test the upgrade in a separate environment by purchasing a Premium subscription; you can downgrade again after the project if needed.
Develop Action Plan
General Approach
Based on the gap analysis, you should create a detailed action plan that considers all aspects of the transition. It’s important to focus not only on technical implementation but also on organizational aspects and knowledge preservation.
Practical Steps in ISOPlanner
For each identified task in ISOPlanner:
- Open the task and review the details
- Add specific action points to the checklist
- Create follow-up tasks for larger changes if needed
- Assign responsible persons
- Set realistic deadlines
- Use the tag ‘NEN7510-transition’ for all related tasks
- Monitor progress via the dashboard
For deprecated controls:
- Open the old control
- Copy or export the implementation information
- Determine where this information should be stored
- Create a specific task for ensuring functionality is maintained
Update Risk Analysis and Treatment Plan
General Approach
The transition to the new standard requires a thorough revision of the risk analysis. Specific attention must be paid to the impact of deprecated healthcare-specific controls and the introduction of new general controls.
Practical Steps in ISOPlanner
- First create a ‘Risk treatment plan’ report and archive it as baseline
- Find and complete the automatically created ‘Check updated risks’ task
- Review each risk and check:
  - Whether the controls mitigating the risk are still correct
  - Whether new controls need to be linked
  - Whether adjustments are needed due to deprecated controls
- Make adjustments where necessary
- Generate a new report
- Have risk owners approve the changes
Adjust Controls
General Approach
The implementation of controls must be carefully managed to ensure all aspects of information security remain covered. Special attention is needed for the transition from healthcare-specific to general controls.
Practical Steps in ISOPlanner
For each type of control:
- New controls (previously managed via ISO 27001):
  - Open the new control
  - Copy the implementation from your existing ISO 27001 control if it was not shared automatically
  - Complete the implementation information
  - Set PDCA status to ‘Doing’
- Modified controls:
  - Review the automatically created task
  - Adjust the implementation as needed
  - Update the PDCA status
- Deprecated healthcare-specific controls:
  - Document how the functionality will be maintained
  - Create new procedures if needed
  - Update related documentation
Update Statement of Applicability
General Approach
The Statement of Applicability must be updated to reflect the new standard structure. This is a crucial document for certification and must be carefully prepared.
Practical Steps in ISOPlanner
- Generate the ‘SoA NEN 7510-1:2024’ report
- Review all new and modified controls
- Document rationale for changes
- Ensure management approval
- Archive the old SoA
Internal Audit
General Approach
An internal audit is essential to verify that all changes have been correctly implemented and are effective. Special attention should be paid to ensuring the functionality of deprecated controls is maintained.
Practical Steps in ISOPlanner
- Use the existing audit tasks from the annual plan
- Add specific checkpoints for:
  - Implementation of new controls
  - Phase-out of deprecated controls
  - Effectiveness of modified controls
- Document findings directly in the system
- Create tasks for identified shortcomings
Management Review
General Approach
The management review should provide a complete picture of the transition status and remaining challenges.
Practical Steps in ISOPlanner
- Pull all relevant reports:
  - Transition progress report
  - Current SoA
  - Risk overview
  - Audit findings
- Prepare a presentation with:
  - Transition status
  - Key changes
  - Impact on the organization
  - Required resources
- Document decisions and action points
Prepare for External Audit
General Approach
The external audit requires thorough preparation where all aspects of the transition can be demonstrated.
Practical Steps in ISOPlanner
- Gather evidence:
  - Complete transition task list
  - Before/after comparison of controls
  - Documentation of decisions around deprecated controls
  - Current risk analysis
- Prepare presentations
- Plan interviews with stakeholders
- Ensure availability of all documentation
Conclusion
A successful transition to NEN 7510-1:2024 requires a careful approach, with special attention to preserving important implementation information and managing the move to the new standard structure. By using ISOPlanner’s capabilities and following a systematic approach, the transition can be managed effectively. Start preparation early to allow sufficient time for all aspects of the transition.