NEN 7510

NEN 7510 overview

Organizations in the Netherlands that process patient health information must demonstrate control over that data and their organization consistent with the requirements set out in the NEN 7510 standard. Microsoft is not itself subject to NEN 7510, but its cloud customers in the healthcare sector need to establish that they comply with NEN 7510 regarding solutions built on the Microsoft Cloud. Microsoft cloud services undergo various periodic certifications and audits, some of which include elements closely related to requirements specified in NEN 7510.

Microsoft and NEN 7510:2011

Microsoft has analyzed our current certifications and assurance statements and created a NEN 7510 coverage report (available on the Service Trust Platform), which maps those certifications and assurance statements against the NEN 7510 controls for which Microsoft is responsible as a cloud service provider. This document can help customers determine which other controls they must implement to ensure that their use of Microsoft cloud services for the storage or processing of patient health information complies with NEN 7510.

Learn how to accelerate your NEN 7510 deployment with our Azure Security and Compliance Blueprints: Download the Microsoft Cloud: Azure and Office 365 NEN7510-2011 Standard Coverage User Guide

Microsoft in-scope cloud platforms & services

  • Azure and Azure Government
  • Intune
  • Office 365

Office 365 and ISO 27001

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Azure Information Protection, Bookings, Delve, Exchange Online, Exchange Online Protection, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Graph, Microsoft Teams, Microsoft To- Do for Web, MyAnalytics, Office 365 Cloud App Security, Office 365 Groups, OneDrive for Business,Planner, Power Apps, Power Automate, Power BI for Office 365, PowerApps, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Viva Engage

Audits, reports, and certificates

Frequently asked questions

Is a customer that uses Microsoft cloud services compliant with NEN 7510?

Demonstrating NEN compliance is the responsibility of the healthcare organization (the 'customer'). When using a cloud services vendor, customers typically demand assurances from the vendor, and add their own (other) technology and organizational decisions, choices, and processes. This effort results in an overall assessment by the customer on its NEN 7510 compliance, which can be submitted for review or certification to a third-party auditor. The NEN 7510 coverage report provides insight into which NEN 7510 controls are covered by Microsoft cloud services, but, as such, does not cover end-to-end compliance.

Is Microsoft compliant with NEN 7510?

The responsibility for NEN 7510 compliance is applicable to Dutch Healthcare organizations. It requires the organization to implement an information security management system and to address risk with appropriate technical and organizational measures. For Microsoft in its role as cloud service provider, NEN 7510 compliance is not the objective, nor is it technically feasible. When a customer implements or uses Microsoft cloud services, those services may be in scope of a NEN 7510 evaluation. However, the organization must add its own (other) controls, choices, and processes that are part of the overall NEN 7510 evaluation. The objective of the report is to demonstrate that a Healthcare entity can adopt the Microsoft cloud services in a manner that is compliant with NEN 7510.

The report does not show 100% coverage. Is NEN 7510 compliance not feasible?

Microsoft cloud services provide many controls that help organizations within Dutch Healthcare with their NEN 7510 compliance needs. However, an organization needs to complement those vendor assurances with their own implementation choices, other technology controls, and administrative processes. The report shows already over 94% direct coverage of the full list of applicable controls. For the remaining controls, Microsoft provides guidance in the report on how compliance with those controls can be demonstrated.

Note

Implementing the full list of controls is not the primary purpose of NEN 7510 (although the large coverage of Microsoft Online Services does help). NEN 7510 mandates the implementation of a risk-based information security system that can be used by an organization to determine which controls are applicable to them.

Is the NEN 7510 coverage report a legal binding document?

No. It is a supporting tool for the customer's internal NEN 7510 assurance process and helps to establish confidence and trust that NEN 7510 compliance is feasible. The report (created by independent auditor, KPMG) has a descriptive status and includes a legal disclaimer.

Did Microsoft pay for the report?

Microsoft created a mapping between its global assurances to the controls in the NEN 7510 standard. Microsoft then hired KPMG (an independent auditor) to perform an independent review on the control mapping to NEN 7510, which resulted in the report.

Can we share this report?

The report is provided with you under a non-disclosure agreement (NDA), on the basis that it is for customer information only and that it will not be copied or disclosed via other channels than the Microsoft Service Trust Portal.

Customers can share the report with their own internal or external auditor as part of their compliance or assurance processes.

Resources