Cees van der Wens

About the Author

Cees van der Wens (1965) studied industrial automation in the Netherlands. In his role as Lead Auditor, he has conducted more than a hundred ISO/IEC 27001 audits at a wide range of organizations. In addition, as a consultant he has helped many organizations, including several hospitals, to obtain the ISO/IEC 27001 certificate. In 2019, Cees van der Wens published the worldwide bestseller "ISO 27001 Handbook".

Cees van der Wens: Section 0.1 of the ISO 27001 standard tells you that “the order in which the requirements are presented does not reflect their importance or imply the order in which they are to be implemented.” That sounds like a cookbook telling you that the order in which the ingredients are presented in the recipes does not reflect their importance or imply the order in which they are to be used. Besides the fact that the order of requirements can be confusing, the requirements themselves are generally perceived as vague. This vagueness often raises many questions. Why doesn’t the Standard tell me more precisely what to do? Why do I have to find out for myself? The main cause of the “vagueness” is that the Standard is intended for all types of organizations and that the requirements cannot be too specific. For example, the Standard requires that there must be an information security policy, but not what it must contain. That depends, after all, on what policy is needed within your organization. Nor can the Standard prescribe specific technical and organizational measures, because what is necessary depends on your specific information security risks. This is why you must implement an information security management system that meets the Standard, that fits your activities, obligations, risks, and objectives, and that can be integrated with your business processes and management structure. That is quite a bit, and in practice this is not always easy. My books are intended to help you with it.
