Knowledge Base

Articles, whitepapers and insights into IT audit, information security, compliance and risk management.

Compliance7 min read

ISO 42001 certification: 7 lessons from the field

More organizations pursue ISO 42001 certification for AI governance. But the practice is tougher than the theory. These are the seven things we encounter.

By Kees van der Vlies
Read more
IT-audit5 min read

SOC 2 report explained: everything you need to know

SOC 2 is an essential audit report for service organizations. Learn what a SOC 2 report entails and why it matters for your business.

By Kees van der Vlies
Read more
IT-audit6 min read

ISAE 3402 vs SOC 2: which audit do you need?

ISAE 3402 and SOC 2 are both assurance standards for service organizations. But they differ in scope, audience and application. Here is how to choose.

By Kees van der Vlies
Read more
Security8 min read

ISO 27001 certification: a practical roadmap

Planning your ISO 27001 certification? This step-by-step roadmap covers scoping, risk assessment, implementation and the certification audit itself.

By Kees van der Vlies
Read more
IT-audit6 min read

Continuous auditing: real-time assurance for modern organizations

Traditional audits look back. Continuous auditing looks forward. Learn how real-time monitoring and automated testing are transforming IT audit.

By Kees van der Vlies
Read more
IT-audit5 min read

SOC 2 Type 1 vs Type 2: what is the difference?

SOC 2 Type 1 and Type 2 reports serve different purposes. Understand the key differences to choose the right report for your organization.

By Kees van der Vlies
Read more
IT-audit6 min read

What is ISAE 3402? A complete guide for service organizations

ISAE 3402 is the international standard for assurance reports on controls at service organizations. This guide explains what it means for your business.

By Kees van der Vlies
Read more
Security5 min read

Pentest vs vulnerability scan: what is the difference?

Both pentests and vulnerability scans identify security weaknesses. But they differ fundamentally in approach, depth and value. Here is how to choose.

By Kees van der Vlies
Read more
Compliance7 min read

ISO 9001 quality management for IT service providers

ISO 9001 provides a solid quality management foundation that integrates naturally with ISO 27001 and other standards. Here is why it matters for IT services.

By Kees van der Vlies
Read more
Compliance7 min read

ISO 22301 business continuity: building organizational resilience

ISO 22301 provides the framework for business continuity management. From business impact analysis to continuity testing, here is what you need to know.

By Kees van der Vlies
Read more
Security6 min read

ISO 27017: cloud security controls beyond ISO 27001

ISO 27017 adds cloud-specific security controls to your ISO 27001 framework. Learn about shared responsibility, the seven new controls, and practical implementation.

By Kees van der Vlies
Read more
Compliance6 min read

ISO 27018: protecting personal data in the public cloud

ISO 27018 sets the standard for PII protection in cloud environments. Learn how it connects to GDPR, ISO 27001, and ISO 27017.

By Kees van der Vlies
Read more
Compliance7 min read

ISO 27701: bridging information security and privacy management

ISO 27701 extends ISO 27001 with a Privacy Information Management System. Learn how it supports GDPR compliance and what certification involves.

By Kees van der Vlies
Read more
Compliance8 min read

eIDAS regulation: electronic identification and trust services explained

The eIDAS regulation governs electronic identification and trust services across the EU. With eIDAS 2.0 and the European Digital Identity Wallet on the horizon, understanding this framework is essential.

By Kees van der Vlies
Read more
IT-audit8 min read

Internal audits for ISO certification: requirements and best practices

Internal audits are a mandatory component of every ISO management system. Done well, they drive real improvement. Done poorly, they become a compliance checkbox.

By Kees van der Vlies
Read more
IT-audit7 min read

Preparing for your first SOC 2 audit: a practical checklist

Your first SOC 2 audit does not have to be overwhelming. This practical checklist covers scope definition, control design, gap remediation and evidence collection.

By Kees van der Vlies
Read more
IT-audit7 min read

ISAE 3402 Type II: understanding the observation period

The ISAE 3402 Type II observation period requires a minimum of six months. Learn why this period matters, what auditors test, and how to manage evidence collection.

By Kees van der Vlies
Read more
IT-audit7 min read

DigiD assessment for SaaS providers: scope and requirements

SaaS providers in the DigiD chain face specific assessment requirements. From network segmentation to multi-tenant challenges, here is what you need to know.

By Kees van der Vlies
Read more
Compliance8 min read

DORA compliance for ICT providers: obligations and opportunities

DORA creates new obligations for ICT providers serving financial institutions. Understanding the requirements early turns compliance into a commercial advantage.

By Kees van der Vlies
Read more
IT-audit7 min read

IT audit evidence management: from chaos to control

Good evidence management can make or break an audit engagement. Learn the fundamentals of audit evidence, common pitfalls, and how to organize evidence efficiently.

By Kees van der Vlies
Read more
Compliance9 min read

EU AI Act 2026: high-risk AI classification and conformity assessment guide

The EU AI Act takes full effect for high-risk AI systems in August 2026, with fines up to 35 million euros. How to classify your AI systems, meet compliance requirements, and prepare for conformity assessment.

By Kees van der Vlies
Read more
Security8 min read

Cyber Resilience Act (CRA): cybersecurity requirements for digital products

The Cyber Resilience Act introduces mandatory cybersecurity requirements for all digital products on the EU market. From IoT devices to software: what manufacturers, importers, and distributors need to know.

By Kees van der Vlies
Read more
Compliance8 min read

ISO 27001:2022 transition: what if you are still on the 2013 version?

The transition period to ISO 27001:2022 expired on 31 October 2025. Organizations still certified to the 2013 version need to take action. Here is what changed and how to approach the transition audit.

By Kees van der Vlies
Read more
IT-audit7 min read

Integrated audits: multiple ISO standards in one engagement

More organizations combine ISO 27001, ISO 42001, NEN 7510, or ISO 9001 in a single management system. An integrated audit saves time and cost. But how does it work in practice?

By Kees van der Vlies
Read more
Security8 min read

Supply chain security: auditing and improving your vendor ecosystem

The biggest cyberattacks of recent years came through the supply chain: SolarWinds, Kaseya, MOVEit. NIS2 mandates supply chain management. How do you audit the security of your supply chain?

By Kees van der Vlies
Read more
Security8 min read

Post-quantum cryptography: preparing for the quantum threat

Quantum computers threaten the cryptography that protects virtually all digital communication. NIST has published the first post-quantum standards. What does this mean for your organization?

By Kees van der Vlies
Read more
Compliance7 min read

ISO 42005: the new standard for AI impact assessments

ISO/IEC 42005:2025 is the first international standard dedicated specifically to conducting AI system impact assessments. It helps organizations map how their AI systems affect individuals, groups, and society in a structured way. Not a certifiable standard, but a practical guide that aligns seamlessly with ISO 42001 and the EU AI Act.

By Kees van der Vlies
Read more
Compliance6 min read

AI literacy: the obligation under Article 4 of the EU AI Act

Since 2 February 2025, Article 4 of the EU AI Act requires every organization that uses AI to ensure a sufficient level of AI literacy among its staff. It is the first concrete obligation already in force, and it affects almost every organization. What exactly does the requirement entail and how do you meet it?

By Kees van der Vlies
Read more
Compliance7 min read

GPAI: obligations for general-purpose AI models under the EU AI Act

Since 2 August 2025, the EU AI Act imposes specific obligations on providers of general-purpose AI models, the models behind tools like GPT, Claude, and Gemini. Transparency, documentation, copyright and, for the most capable models, requirements around systemic risk. What does this mean for those who provide or embed such models?

By Kees van der Vlies
Read more
Risk7 min read

NIST AI RMF vs ISO 42001: which framework for AI governance?

Two leading frameworks for AI governance: the NIST AI Risk Management Framework and ISO 42001. One is a voluntary risk model with the functions Govern, Map, Measure, and Manage; the other a certifiable management system standard. They do not compete, they complement each other. Here is how to choose and combine them.

By Kees van der Vlies
Read more
Compliance6 min read

Shadow AI: why an AI inventory is the foundation of AI governance

Employees use AI tools nobody approved, vendors quietly add AI features, and the organization has no overview. That is shadow AI, and it is the biggest blind spot in any AI governance. A complete AI inventory is the first and indispensable step, whether you are implementing ISO 42001 or preparing for the EU AI Act.

By Kees van der Vlies
Read more
Compliance6 min read

EU AI Act delayed: the Digital Omnibus and the new deadlines for high-risk AI

In May 2026 the EU institutions reached an agreement on the Digital Omnibus, the first amendment package to the EU AI Act since its adoption. The obligations for high-risk AI systems shift to December 2027 and August 2028. What changes, what stays, and why is a delay no reason to sit still?

By Kees van der Vlies
Read more
Security9 min read

Broken Access Control: why it remains OWASP number one

Broken Access Control has topped the OWASP Top 10 for years and produces the most impactful findings in pentests. We explain how we attack it and how to prevent it.

By Kees van der Vlies
Read more
Risk8 min read

Information security risk assessment: a practical step-by-step guide

The risk assessment is the foundation of ISO 27001, yet it often stalls in practice. This guide shows how to build a risk assessment that stays usable.

By Kees van der Vlies
Read more
Compliance7 min read

NIS2 directive

The NIS2 directive introduces strict cybersecurity requirements for Dutch organisations. Read everything about the implementation and your obligations.

By Kees van der Vlies
Read more
Compliance6 min read

DORA digital resilience

DORA (Digital Operational Resilience Act) sets strict requirements for digital resilience in the financial sector. Read what this means for your organisation.

By Kees van der Vlies
Read more
Security6 min read

ISO 27001:2022 update

ISO 27001:2022 introduced significant changes. Discover the latest updates and what this means for your information security.

By Kees van der Vlies
Read more
IT-audit5 min read

DigiD assessment checklist

DigiD assessments are mandatory for organisations that offer government services. Here is your checklist for compliance.

By Kees van der Vlies
Read more
Risk7 min read

How do you build an effective IT internal control framework?

A strong IT internal control framework is essential for reliable operations. This article guides you through COSO and COBIT.

By Kees van der Vlies
Read more
Compliance5 min read

ISO 42001: the new standard for AI management

ISO 42001 provides guidelines for managing AI systems in a safe and responsible way. Discover what this means for your organisation.

By Kees van der Vlies
Read more
Security5 min read

BIO: information security in government

BIO (Baseline Information Security Government) sets cybersecurity requirements for Dutch government organisations. Learn what this involves.

By Kees van der Vlies
Read more
Risk6 min read

IT risk management under the scrutiny of regulators

DNB, AFM and other regulators scrutinise IT risk management closely. Discover what they are looking for.

By Kees van der Vlies
Read more
Security8 min read

ScanZeker.nl: a free security scan for your domain

ScanZeker.nl scans your domain in 30 seconds across twelve security modules. From SSL/TLS and security headers to open ports, data breaches, subdomain takeover and attack paths. Free, without an account and without storing results.

By Kees van der Vlies
Read more
Compliance8 min read

NIS2 compliance in 2026: what do you need to do now, concretely?

The NIS2 directive is in force and the Dutch implementation act is approaching. Many organisations know they have to do something, but not what. This article describes the concrete steps that organisations must take now to become compliant.

By Kees van der Vlies
Read more
Security7 min read

AI-driven cyber threats in 2026: what every organisation needs to know

Attackers are using AI to scale up phishing, deepfakes and automated attacks. At the same time, AI offers new defensive capabilities. How do you, as an organisation, navigate this rapidly changing threat landscape?

By Kees van der Vlies
Read more
Security8 min read

Testing domain security: a practical guide

How do you test the security of your website without being a security expert? From HTTP headers and SSL configuration to email security and DNS. A step-by-step approach for IT managers and business owners.

By Kees van der Vlies
Read more
IT-audit8 min read

DigiD assessment 2026: these are the new requirements

Logius has once again tightened the ICT security assessment for DigiD. What is changing in 2026 and how do you prepare your organisation?

By Kees van der Vlies
Read more
Compliance9 min read

ISO 42001 and the EU AI Act: how they connect and why you need both

The EU AI Act is in force and ISO 42001 provides the management system to comply with it. But how do they relate to each other? And where are the gaps?

By Kees van der Vlies
Read more
IT-audit10 min read

SOC 2 for SaaS companies: from first question to report

More and more enterprise customers require a SOC 2 report. But how exactly does the process work, what does it cost, and when do you choose Type I or Type II?

By Kees van der Vlies
Read more
Compliance9 min read

The Cybersecurity Act (Cbw): what does the Dutch NIS2 law mean for your organisation?

The Cybersecurity Act is the Dutch implementation of the European NIS2 directive. Adopted by the House of Representatives on 15 April 2026, with entry into force on 1 July 2026. This article explains what the law entails, who falls under it and what you need to arrange now.

By Kees van der Vlies
Read more

Stay informed

Get our latest articles and insights on IT audit, compliance and information security.