GUIDE

NEN 7510, without the consultant.

The Dutch security standard for organisations that handle health data, explained in plain language and built into a tool your team can run.

What NEN 7510 actually is.

NEN 7510 is the Dutch standard for information security in healthcare. It takes the structure of ISO 27001, the same idea of running an information security management system, and adds requirements specific to health data: how you handle patient records, who may access them, and how you prove it. As with ISO 27001, an accredited auditor can certify that your system works.

Why it matters.

Health data is special-category data under the GDPR, and care providers, their suppliers and many digital health vendors are expected to demonstrate NEN 7510. For a lot of healthcare contracts, it is simply required.

Who it is for.

  • Care providers. Hospitals, clinics, GP practices and care institutions that hold patient records.
  • Healthcare suppliers and software. If you build or host systems that touch patient data, your healthcare customers will ask you to prove NEN 7510.
  • Digital health and eHealth vendors. Apps, platforms and devices that process health data fall squarely in scope.
  • Anyone processing health data. Even outside core healthcare, handling medical or health information brings you into scope.

What the standard asks for.

  • An ISMS, as in ISO 27001. The same management-system foundation: scope, risk assessment, controls and continual improvement.
  • Strict access to patient data. Only the people involved in someone's care may see their record, and you must be able to show it.
  • Logging and traceability. Who looked at which record, and when. NEN 7513 details the logging expectations.
  • Health-data handling. Clear rules for storing, sharing and transferring patient information safely.
  • Availability and continuity. Care cannot stop because a system is down. Continuity is treated as a security concern.
  • Supplier assurance. Every vendor that touches patient data has to meet the same bar, and you have to manage that.
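As an added illustration, not code from this page or from AIR-Tools: the two checks behind the access and logging points above, run over a constructed care-relationship registry and a constructed access log. The field names, user and patient identifiers are assumptions; the point is that "who looked at which record, and when" has to be answerable from the log, and that every access is checked against the care relationship.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example (not AIR-Tools code): a minimal patient-record access log
# and the care-relationship check NEN 7510 expects you to be able to demonstrate.

@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime   # when
    user_id: str          # who looked
    patient_id: str       # which record
    action: str           # e.g. "read", "update"

# Constructed care-relationship registry: which staff are involved in whose care.
CARE_TEAM = {
    "P-1001": {"dr.vries", "nurse.bakker"},
    "P-1002": {"dr.jansen"},
}

# Constructed access log. Only "helpdesk.koen" has no care relationship with the record read.
ACCESS_LOG = [
    AccessEvent(datetime(2024, 3, 4, 9, 12), "dr.vries", "P-1001", "read"),
    AccessEvent(datetime(2024, 3, 4, 9, 40), "nurse.bakker", "P-1001", "update"),
    AccessEvent(datetime(2024, 3, 4, 10, 5), "helpdesk.koen", "P-1002", "read"),
    AccessEvent(datetime(2024, 3, 4, 11, 30), "dr.jansen", "P-1002", "read"),
]

def accesses_outside_care_team(log, care_team):
    """Return events whose user is not registered as involved in that patient's care.

    A patient missing from the registry counts as outside the care team: a record
    that is accessed without any registered care relationship is exactly what an
    auditor will ask about.
    """
    return [e for e in log if e.user_id not in care_team.get(e.patient_id, set())]

def access_trail(log, patient_id):
    """Who looked at this record, and when: the evidence list for one patient, oldest first."""
    return sorted(
        (e.timestamp.isoformat(), e.user_id, e.action)
        for e in log if e.patient_id == patient_id
    )

if __name__ == "__main__":
    for e in accesses_outside_care_team(ACCESS_LOG, CARE_TEAM):
        print(f"REVIEW {e.timestamp:%Y-%m-%d %H:%M} {e.user_id} {e.action} {e.patient_id}")
    print(access_trail(ACCESS_LOG, "P-1001"))
```

In a real deployment the registry would be fed by the treatment-relationship data of the EPD and the log by the application's audit trail; the review list is what goes to the privacy officer, and the trail is what you hand the auditor.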

The road to certification.

  • Set the scope. Define which care processes, systems and data the ISMS covers.
  • Run the risk assessment. Assess the risks to patient data specifically, not just general IT risk.
  • Select controls and write the SoA. Map the ISO 27002 controls plus the NEN 7510 healthcare additions to your environment.
  • Implement and document. Put access rules, logging, continuity and policies in place and collect the evidence.
  • Run an internal audit. Test your own ISMS against NEN 7510 and close the gaps first.
  • Pass the certification audit. An accredited body reviews your documents in stage 1, then tests them in practice in stage 2.
  • Keep it alive. Annual surveillance audits and continual improvement keep the certificate valid.

How AIR-Tools gets you there faster.

  • Scope and asset discovery. Clair scans your stack, finds where patient data lives and drafts the scope and asset inventory.
  • Health-focused risk assessment. Risks are framed around patient data and care continuity, with a recommended control for each.
  • Statement of Applicability, drafted. ISO 27002 controls and the NEN 7510 additions come pre-mapped to your environment.
  • Healthcare policies, drafted. Access to records, logging, incident response and supplier management, written for a care setting.
  • Audit-ready evidence. Access logs, approvals and documents sit in one place, linked to the control they prove.
  • Stays current. Drift, lapsed reviews and new risks are flagged before a surveillance audit finds them.

Not in healthcare?

If you do not handle health data, the broader international standard is probably what you need. ISO 27001 is the foundation NEN 7510 is built on, and it applies to any sector.

Read the ISO 27001 guide

The short version.

NEN 7510 is ISO 27001 with healthcare rules on top. The hard part is proving how patient data is accessed and logged, and that is exactly the evidence Clair gathers with you.

FAQ

What is the difference between NEN 7510 and ISO 27001?
NEN 7510 is built on ISO 27001 but adds requirements specific to healthcare, especially around access to patient records, logging and the handling of health data. If you work in Dutch healthcare, NEN 7510 is the standard you are usually asked for; outside healthcare, ISO 27001 is the general equivalent.
Is NEN 7510 mandatory?
It is the recognised norm for information security in Dutch healthcare, and many care organisations require it from themselves and their suppliers by contract. In practice, if you want to work with healthcare data in the Netherlands, you are expected to demonstrate it.
How long does it take?
For most organisations, three to six months of preparation before the certification audit, depending on what is already in place. The platform shortens the preparation, which is where almost all of the time goes.
Do we need a consultant?
No. The standard is understandable; the slow part is the documentation, the access logging and the evidence. AIR-Tools drafts the documents and organises the evidence so most healthcare organisations can reach certification without one.
What about NEN 7512 and 7513?
They are companion standards. NEN 7512 covers trust in electronic communication between care parties, and NEN 7513 covers logging access to patient records. NEN 7510 is the overarching management standard, and good logging under 7513 is part of meeting it.
What is the fastest way to start?
Request a demo and run the scan on your real stack. You will see where patient data lives, a starting scope and a first set of gaps in the first session, instead of a blank template.

Skip the consultant. Protect the data.

See your road to NEN 7510 mapped against your actual stack, in a short demo.