Action in the taxi: Check out this awesome landing page!

Internal Audits: A Fresh Perspective on ISO 27001 at NOBEARS

Although NOBEARS has its own security team and is ISO 27001 certified, they outsource internal audits to Fendix. In this success story, you'll discover exactly why and what benefits it brings.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Highlights of this success story

Fresh look
Prevents blind spots
The nes rehearsal
Approaching the external audit with full confidence
Always up-to-date
Proactive sparring partner
Client
NO
Standards
Involved consultants

The reason

This is a body. Lorem ipsum by sit amet, consecteur adipising elite. Suspendisse varius enim in eros elementum tristique. German course, mi quis viverra ornare

Blind spots in a mature ISMS

NOBEARS has been working with ISO 27001 for years, has its own information security team, and is certified. Yet, the digital agency chooses to have Fendix conduct their internal audits. In this success story, you'll read why and what tangible benefits this yields. NOBEARS calls itself a business accelerator where strategy, creation, development, and marketing converge. Information security is not an afterthought: the organization has been working with an ISMS for years, has an internal information security team that monitors risks, and systematically addresses improvement actions. However, precisely when a system runs smoothly for years, there's a risk that certain things might be overlooked.

 

"Even if your foundation is solid and you comply with regulations, blind spots can emerge at some point. The world changes, threats evolve, and the standard itself continues to develop. It's then valuable to have an external party critically re-examine your system," says Toon van Overbruggen, Security Officer and Operations Manager at NOBEARS' Amersfoort branch.

 

The transition to the updated ISO 27001 standard also played a role. New standard components require practical application within one's own organization. It's then beneficial to have someone at the table who has made that translation multiple times and knows where organizations typically get stuck.

Independence and Expertise

Conducting internal audits entirely in-house was never a serious option for NOBEARS. When you evaluate your own work, you tend to miss certain things. You're simply too close to it. Moreover, information security is a field that is constantly evolving: new threats, new legislation, new interpretations of the standard. This demands specialized knowledge that an organization doesn't always possess internally.

 

The Choice for Fendix

In the search for a suitable audit partner, NOBEARS researched and compared several parties. Besides substantive expertise, personal chemistry also played an important role. The way Fendix presents itself, shares knowledge, and collaborates aligned well with NOBEARS' culture.

 

Toon: "The team's energy, dynamism, and commitment immediately appealed to us. Furthermore, the case studies, success stories, and the way Fendix presents itself (including online) gave us confidence that we were dealing with a party truly specialized in information security."

Download the ISO 27001 Checklist

The new ISO 27001:2022 requirements clearly mapped out, including all Annex A controls, directly applicable and free to download as a PDF.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Our approach

This is a body. Lorem ipsum by sit amet, consecteur adipising elite. Suspendisse varius enim in eros elementum tristique. German course, mi quis viverra ornare

Defining the scope: where do we focus?

Every audit begins with a clear agreement on the scope. Not all standard components need to be examined in equal depth every year. Fendix, together with NOBEARS, determines where the focus lies. For this, we review the internal audit program (in accordance with ISO 27001 requirement 9.2.2) and the corresponding 3-year plan detailed within it. Based on this, we jointly decide which standard components will be covered and how deeply we will delve into them.

 

Looking beyond documentation

During the audit itself, we look beyond policy documents and procedures. We also assess what actually happens in practice: how are systems set up, do procedures still align with daily reality, and are responsibilities clearly assigned? Take access management, for example. Internally, it might seem well-regulated, but an independent auditor can discover that the procedure no longer matches how systems are managed in practice. You pick up on these kinds of things when you look at them with fresh eyes. This is one of the reasons why NOBEARS views the annual audit as a dress rehearsal for the external certification audit.

 

"It's a great opportunity to thoroughly review the ISMS again. It also helps colleagues understand what an audit entails and what is expected of them," says Toon.

 

For every finding, Fendix also explains how it relates to the standard, what the risk is if left unaddressed, and what a logical next step would be. This also proved valuable during the transition to the new ISO 27001 version. Fendix actively contributed to the interpretation of new standard components and their application within NOBEARS' ISMS.

 

Reporting: not just what, but also why

Afterwards, NOBEARS receives a clear report including a management summary and a detailed substantiation of all findings. For each standard component, it states:

 

  • which controls were performed;
  • which documentation was reviewed;
  • with whom discussions were held;
  • which samples were taken;
  • and on what basis conclusions were drawn.

 

This way, NOBEARS knows exactly what was found, why it was found, and what the logical next step is.

This is a body. Lorem ipsum by sit amet, consecteur adipising elite. Suspendisse varius enim in eros elementum tristique. German course, mi quis viverra ornare
  • 01

  • 02

  • 03

  • 04

  • 05

  • 06

  • 07

  • 08

This is a body. Lorem ipsum by sit amet, consecteur adipising elite. Suspendisse varius enim in eros elementum tristique. German course, mi quis viverra ornare

Next-Gen Consultant speaking

"While an internal team might get tunnel vision regarding their own system, we offer the fresh perspective of someone who has audited countless others. This independence immediately uncovers blind spots."

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Gijs
Nabuurs
Information Security Consultant & Marketing Specialist

The results

This is a body. Lorem ipsum by sit amet, consecteur adipising elite. Suspendisse varius enim in eros elementum tristique. German course, mi quis viverra ornare

Increased confidence for external audits

In recent years, NOBEARS has grown significantly. And growth doesn't make maintaining an ISMS any easier. Growth means onboarding new colleagues, introducing new systems, and changing processes. Especially during such periods, it's valuable to periodically assess whether the ISMS has truly evolved with the organization.

 

The most recent internal audit confirmed to NOBEARS that this was indeed the case. The audit went smoothly, and only a few areas for improvement were identified. "That primarily provided a sense of confirmation. The organization had grown rapidly, so it was reassuring to see that the foundation was still solid. That gave us confidence for the external audit. And that confidence proved justified, as we've been recertified," says Toon.

 

Engagement that goes beyond the report

The collaboration with Fendix doesn't end with the delivery of the report. We regularly inquire about the follow-up to findings and the outcomes of external audits. Current developments in the field are also discussed: standard changes, new threats, or practical experiences from other organizations. For a Security Officer who performs this role alongside other responsibilities, this offers tangible added value. You don't have to keep up with the entire field yourself when you have a partner who does it for you.

 

"The fact that you remain so engaged with clients and want to stay informed about the process, I find positive and refreshing," says Toon.

"The fact that you remain so engaged with clients and want to stay informed about the process, I find positive and refreshing."

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Toon van Overbruggen
Security Officer and Operations Manager
Twee mensen met koffiekopjes in een kantoor met een bruine leren bank en planten.
"The fact that you remain so engaged with clients and want to stay informed about the process, I find positive and refreshing."

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Toon van Overbruggen
Security Officer and Operations Manager
This is a body. Lorem ipsum by sit amet, consecteur adipising elite. Suspendisse varius enim in eros elementum tristique. German course, mi quis viverra ornare

The landscape changes, does your ISMS?

An ISO 27001 certificate is not a final destination. Cyber threats are becoming more sophisticated, the Cybersecurity Act (NIS2) is becoming relevant for an increasing number of organizations, including digital service providers. Additionally, AI introduces new security risks that many ISMSs have not yet incorporated. Anyone who believes a one-time implementation is sufficient will find that their ISMS slowly falls behind reality.

 

"Standards change, threats evolve, and organizations continuously develop. That's why, during an internal audit, we don't just look at compliance, but also at whether the ISMS still aligns with today's risks and ambitions," says Gijs Nabuurs, Consultant at Fendix.

 

For NOBEARS, internal audits have therefore become an integral part of the ISMS, rather than an annual obligation they'd rather skip.

 

Ready for a fresh perspective on your ISMS?

As NOBEARS experienced, internal audits can yield much more than just compliance. They help organizations uncover blind spots, improve processes, and confidently face external audits.

Curious what an independent audit could mean for your organization? [SEG 8]

Curious what an independent audit could mean for your organization?

Involved consultants

Gijs
Nabuurs
Information Security Consultant & Marketing Specialist
This is a body. Lorem ipsum by sit amet, consecteur adipising elite. Suspendisse varius enim in eros elementum tristique. German course, mi quis viverra ornare

Kilian Houthuijzen

Commercial Manager

Kilian

Houthuijzen

Commercial Manager & Partner

Success Story: Why digital agency NOBEARS chooses independent internal audits

Contact us for a free introduction.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

Other success stories

ICT & Media
TAGGRS

How TAGGRS implemented ISO 27001 in 4 months

Healthcare
GGZ Western Noord-Brabant

How GGZ Westelijk Noord-Brabant structured information security

Enterprise
Heras

Heras achieves ISO 27001 certification within one year with worry-free implementation

Enterprise
Total Energies

How Total Energies Charging Solutions Netherlands obtained more than one certificate with the implementation of ISO 27001

Healthcare
Stap & Care Group

Towards ISO 27001 and NEN 7510 certification with Stap & Care Group

ICT & Media
Now Online

NowOnline's Choice for an Interim Security Officer from Fendix

ICT & Media
Nedscaper

With Nedscaper to an ISO 9001 and ISO 27001 certificate in 12 weeks

ICT & Media
SPL

From start-up to ISO 27001 and NEN 7510 certificate in 6 months

Healthcare
Aivory

How Aivory Achieved ISO 27001 and NEN 7510 in Three Months with Zero Findings

Enterprise
Goose VPN

Interactive cybersecurity week at GOOSE VPN