How do I tell whether an ISO 27001-certified vendor really has its house in order?
The certificate says an external party reviewed an ISMS, not which risks and controls were in scope. Always probe on scope, Statement of Applicability and certifying body.
Try this first
- 1Ask for the certificate itself, not just the logo. Check that an accredited body issued it and that the version is ISO 27001:2022.
- 2Read the scope statement. Does it cover the whole company and the service you buy, or only one office or a different product?
- 3Request the Statement of Applicability or a summary. It states which controls apply and which are excluded with justification.
- 4Ask whether they have recent audit findings or pen-test reports they will share under NDA. A healthy ISMS has open items; perfection is suspect.
- 5Combine the certificate with your own contractual requirements: SLA, security annex, breach notification, audit right where relevant.
When to bring us in
High-risk processing or sensitive sectors (health, finance) need more than ISO. Ask additionally for SOC 2 Type II or a NEN 7510 report.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.