Schedule a free introductory call
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript



Internal Audits: A Fresh Perspective on ISO 27001 at NOBEARS
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript
Highlights of this success story

The reason
Blind spots in a mature ISMS
NOBEARS has been working with ISO 27001 for years, has its own information security team, and is certified. Yet, the digital agency chooses to have Fendix conduct their internal audits. In this success story, you'll read why and what tangible benefits this yields. NOBEARS calls itself a business accelerator where strategy, creation, development, and marketing converge. Information security is not an afterthought: the organization has been working with an ISMS for years, has an internal information security team that monitors risks, and systematically addresses improvement actions. However, precisely when a system runs smoothly for years, there's a risk that certain things might be overlooked.
"Even if your foundation is solid and you comply with regulations, blind spots can emerge at some point. The world changes, threats evolve, and the standard itself continues to develop. It's then valuable to have an external party critically re-examine your system," says Toon van Overbruggen, Security Officer and Operations Manager at NOBEARS' Amersfoort branch.
The transition to the updated ISO 27001 standard also played a role. New standard components require practical application within one's own organization. It's then beneficial to have someone at the table who has made that translation multiple times and knows where organizations typically get stuck.
Independence and Expertise
Conducting internal audits entirely in-house was never a serious option for NOBEARS. When you evaluate your own work, you tend to miss certain things. You're simply too close to it. Moreover, information security is a field that is constantly evolving: new threats, new legislation, new interpretations of the standard. This demands specialized knowledge that an organization doesn't always possess internally.
The Choice for Fendix
In the search for a suitable audit partner, NOBEARS researched and compared several parties. Besides substantive expertise, personal chemistry also played an important role. The way Fendix presents itself, shares knowledge, and collaborates aligned well with NOBEARS' culture.
Toon: "The team's energy, dynamism, and commitment immediately appealed to us. Furthermore, the case studies, success stories, and the way Fendix presents itself (including online) gave us confidence that we were dealing with a party truly specialized in information security."


Download the ISO 27001 Checklist
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript
Our approach
Defining the scope: where do we focus?
Every audit begins with a clear agreement on the scope. Not all standard components need to be examined in equal depth every year. Fendix, together with NOBEARS, determines where the focus lies. For this, we review the internal audit program (in accordance with ISO 27001 requirement 9.2.2) and the corresponding 3-year plan detailed within it. Based on this, we jointly decide which standard components will be covered and how deeply we will delve into them.
Looking beyond documentation
During the audit itself, we look beyond policy documents and procedures. We also assess what actually happens in practice: how are systems set up, do procedures still align with daily reality, and are responsibilities clearly assigned? Take access management, for example. Internally, it might seem well-regulated, but an independent auditor can discover that the procedure no longer matches how systems are managed in practice. You pick up on these kinds of things when you look at them with fresh eyes. This is one of the reasons why NOBEARS views the annual audit as a dress rehearsal for the external certification audit.
"It's a great opportunity to thoroughly review the ISMS again. It also helps colleagues understand what an audit entails and what is expected of them," says Toon.
For every finding, Fendix also explains how it relates to the standard, what the risk is if left unaddressed, and what a logical next step would be. This also proved valuable during the transition to the new ISO 27001 version. Fendix actively contributed to the interpretation of new standard components and their application within NOBEARS' ISMS.
Reporting: not just what, but also why
Afterwards, NOBEARS receives a clear report including a management summary and a detailed substantiation of all findings. For each standard component, it states:
- which controls were performed;
- which documentation was reviewed;
- with whom discussions were held;
- which samples were taken;
- and on what basis conclusions were drawn.
This way, NOBEARS knows exactly what was found, why it was found, and what the logical next step is.
- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
Next-Gen Consultant speaking

Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript

The results
Increased confidence for external audits
In recent years, NOBEARS has grown significantly. And growth doesn't make maintaining an ISMS any easier. Growth means onboarding new colleagues, introducing new systems, and changing processes. Especially during such periods, it's valuable to periodically assess whether the ISMS has truly evolved with the organization.
The most recent internal audit confirmed to NOBEARS that this was indeed the case. The audit went smoothly, and only a few areas for improvement were identified. "That primarily provided a sense of confirmation. The organization had grown rapidly, so it was reassuring to see that the foundation was still solid. That gave us confidence for the external audit. And that confidence proved justified, as we've been recertified," says Toon.
Engagement that goes beyond the report
The collaboration with Fendix doesn't end with the delivery of the report. We regularly inquire about the follow-up to findings and the outcomes of external audits. Current developments in the field are also discussed: standard changes, new threats, or practical experiences from other organizations. For a Security Officer who performs this role alongside other responsibilities, this offers tangible added value. You don't have to keep up with the entire field yourself when you have a partner who does it for you.
"The fact that you remain so engaged with clients and want to stay informed about the process, I find positive and refreshing," says Toon.
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript


Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript

The landscape changes, does your ISMS?
An ISO 27001 certificate is not a final destination. Cyber threats are becoming more sophisticated, the Cybersecurity Act (NIS2) is becoming relevant for an increasing number of organizations, including digital service providers. Additionally, AI introduces new security risks that many ISMSs have not yet incorporated. Anyone who believes a one-time implementation is sufficient will find that their ISMS slowly falls behind reality.
"Standards change, threats evolve, and organizations continuously develop. That's why, during an internal audit, we don't just look at compliance, but also at whether the ISMS still aligns with today's risks and ambitions," says Gijs Nabuurs, Consultant at Fendix.
For NOBEARS, internal audits have therefore become an integral part of the ISMS, rather than an annual obligation they'd rather skip.
Ready for a fresh perspective on your ISMS?
As NOBEARS experienced, internal audits can yield much more than just compliance. They help organizations uncover blind spots, improve processes, and confidently face external audits.
Curious what an independent audit could mean for your organization? [SEG 8]
Curious what an independent audit could mean for your organization?
Involved consultants

Kilian Houthuijzen
Commercial Manager
Kilian
Houthuijzen
Commercial Manager & Partner

Success Story: Why digital agency NOBEARS chooses independent internal audits
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript


























