NIS2 Expert

Supporting SMEs in a practical way

Cees van der Wens, ISO/IEC 27001 and NEN 7510 auditor, consultant

Cees van der Wens is an expert in the field of information security, especially in auditing and implementing the ISO/IEC 27001 standard. He has conducted numerous audits at various organizations, including hospitals, and helped them achieve certifications. With a background in industrial automation, he primarily supports small and medium-sized enterprises in setting up information security management systems.

Cees often acts as a lead auditor and is the author of books on the implementation and audit of security standards. His work plays an important role in the cybersecurity world, especially in the areas of compliance and risk management.

You’re involved in the NIS2 Quality Mark project as an advisor. What exactly does that involvement entail, and why did you think: ‘I want to do this’?

Cees: ‘I’ve been actively involved with the ISO 27001 standard since 2007 and with the NEN 7510 standard since 2011. Over all those years, and especially when I started auditing, I’ve seen many organizations struggle with this subject matter. I was strongly attracted to the idea of helping companies that have difficulty complying with the heavy requirements of ISO 27001 in one go, to move forward step by step. For many small and medium-sized businesses – SMEs – it’s sometimes really burdensome or too expensive to fully comply with this standard right away. For example, I’m currently helping a self-employed person who has built a fantastic web application and needs to obtain ISO certification from his clients. All by himself. There’s simply a strong need for an alternative. In the Netherlands, there might be a hundred thousand SMEs that will probably never take the full step towards ISO 27001. That’s why it’s important to support them in a practical way.’

What is your specific contribution to this project to ensure it’s well executed?

Cees: ‘Together with the team behind the NIS2 Quality Mark, I’m looking at how we can develop an approach that allows companies to work towards good information security step by step. My role is to incorporate the basic ideas and good concepts from the ISO 27001 standard and other standards in a new way. A way that better aligns with the needs of often smaller SMEs. Not all measures are equally relevant or necessary for everyone, so I’m investigating how we can find a good balance. We need to ensure that the system doesn’t become too heavy but remains valuable for suppliers and their customers. It should provide a level of assurance that is understandable and applicable for SMEs, but also recognized by the market and auditors.’

Can you tell us more about how you’re going to secure this?

Cees: ‘It’s important that we set a clear framework so that SMEs can increase their digital security and prove to their customers after an audit that they are certified. To make that succeed, companies need to know exactly what they need to do and how to do it. The system must represent a certain quality standard that is recognizable and reliable, such as the NIS2 Quality Mark with three levels: NIS2-QM10 Basic, NIS2-QM20 Substantial, and NIS2-QM30 High. We want to ensure that companies that comply with this are valued by the market and that the standard is clear and consistent.’

What’s the biggest challenge in establishing this standard?

Cees: ‘Language use is a major challenge. In the current formulation of standards, the language isn’t always consistent or clear. I’ve learned from experience how much confusion can arise from language. Words like ‘manager’ or ‘system’ can be interpreted in different ways, leading to ambiguity about what exactly is meant. Such ambiguities can cause large differences in how measures are taken or not taken. And also, how they are interpreted by an auditor. That’s why I keep focusing on simplifying and making the formulation of the standards consistent. Moreover, I’ve developed texts that should better clarify the purpose of the measures. So that people understand which cyber risk they’re actually reducing with which measure.’

Given the number of involved parties and industry organizations, do you think it will succeed? And what will be the advantage for SMEs?

Cees: ‘Companies that achieve a certificate are always happy. In this case, it gives them more certainty that they’re working digitally secure, and they can show that to their big clients. For clients, it’s nice to have proof that their supplier works digitally secure. Additionally, the NIS2 Quality Mark offers a low-threshold entry with the possibility to grow step by step. The NIS2 Quality Mark has three levels—QM10, QM20, and QM30—and companies can enter at a level that suits them. The idea is that companies can start at a lower level and gradually grow. That makes it accessible for SMEs that would otherwise never be able to comply with a heavy standard.’

In countries like Belgium and England, attempts have already been made with a tiered model for cybersecurity, but it hasn’t really taken off there. What makes this project different?

Cees: ‘I’m aware of those initiatives, but not of all the details. In Belgium, they introduced a step-by-step model that comes from the government. That’s not really working, because the government is a strange party to interfere with standardization; they should really only deal with legislation. In England, it’s different. There, many companies have a very small standard – which has large numbers of users – and a very high standard with very few users. So, there’s a lack of a growth model. This project intrigues me because we’ve been able to learn lessons for the Netherlands. The market will ultimately play a big role. If the market, for example, finds the QM10 standard sufficient, SMEs won’t quickly move to QM20 or QM30. With the NIS2 Quality Mark, we’ve opted for a dynamic, growing standard, so companies will probably have to do something constantly, and there might also be an incentive from the market to move to a higher level.’

Do you think companies will embrace the idea of a tiered model, or will they see this as ‘just another set of rules’?

Cees: ‘I expect many companies will see it as an opportunity. There are certainly companies that will start with QM10 and find that sufficient, but there are also plenty of companies that can immediately enter at a higher level, such as QM20 or QM30. The system is flexible, allowing companies to grow at their own pace. It offers a feasible route for SMEs who want to show their big customers that they’ve obtained certification through an audit.’

Do you think the NIS2 Quality Mark is sufficient for large clients?

Cees: ‘Yes, I think so. Clients don’t want to drive away their suppliers and can thus continue to work with suppliers who have the NIS2 QM. They will also appreciate that there’s more choice than just between companies with or without ISO27001 or NEN7510 certification. As it is now, some clients have very few options; they have to choose from a few parties that have a standard. Soon there will be more options. Anyway, it can be a solution for both clients and smaller companies, who then aren’t forced to bear the heavy burdens of a heavy certification.’

You write books on this subject yourself. Your ‘Handbook ISO27001’ is the most well-known cyber book in the Netherlands. How come success hasn’t gone to your head yet?

Cees: ‘I love my profession. My passion is in standards and audits. I try to do that as well as possible. By writing it down, I also help others with my knowledge and insights. As far as I’m concerned, NIS2 Quality Mark should lead to even better protection of the availability, integrity, and confidentiality of information, including information from people like you and me that is processed daily by countless SMEs. Ultimately, everyone benefits from this approach.’
