
NEN 7510 audit checklist

Use this checklist to determine whether your healthcare organisation is ready for a NEN 7510 audit. Every element comes up during the assessment of information security around patient data.

The checklist

  • Scope and healthcare context of the ISMS established.
  • Risk analysis tailored to patient data.
  • Access management based on role and need-to-know.
  • Logging in line with NEN 7513 (who viewed which record).
  • Secure data exchange (NEN 7512).
  • Agreements with suppliers and processors.
  • Incident and data breach procedure tested.
  • Internal audit and management review carried out.

Common mistakes

  • Logging that does not comply with NEN 7513.
  • Access rights that have not been cleaned up.
  • No demonstrable supplier assessment.

More context on our page about the NEN 7510 audit and the relationship with ISO 27001.

IGJ — questions about NEN 7510 (official source).


Frequently asked questions


Logging in line with NEN 7513: being able to demonstrate who viewed which patient record and when. Insufficient logging is a common and serious finding in healthcare audits.

The basis is the same (both use an ISMS), but NEN 7510 adds healthcare-specific requirements around patient data, logging (NEN 7513) and data exchange (NEN 7512). Organisations that already have ISO 27001 in order mainly need to add those healthcare-specific points.

Ideally continuously via an audit programme, with at least an annual internal audit. Access rights and logging are best checked more frequently, as they quickly become outdated.

Want to know whether you are audit-ready?

Schedule a no-obligation audit scan and learn within a single conversation where you stand and what the next step is.
