IT services are rapidly moving to the cloud. Assets on the balance sheet are turning into subscriptions. Ransomware has executive-level attention. Data breaches cost companies millions in fines, customer retention and hidden costs.
If technology is changing rapidly, IT Due Diligence should too
Unless the acquisition concerns a technology company, IT Due Diligence usually does not play a major role. IT is complex and the integration can be dealt with after the deal. But because the future of non-tech companies also relies on digitisation, and because information security and privacy can no longer be ignored, they must be included in the Due Diligence process. IT Due Diligence should focus on assessing the technology backlog in the deal, and the risks that lie beneath the surface. Technological backlog slows down the realisation of a digitisation strategy. Risks can be quantified. This provides information that you want to include in valuing the deal.
The real focus of IT Due Diligence is to assess the technological debt that is included in the deal, and the risks that are hiding under the surface.
IT Due Diligence requires a different approach
IT is not a regulated industry. There is no set way of organising or a reporting regime that must be met. There are best practices and ISO standards, but they leave a lot of room for interpretation. And with trends like virtualisation and cloud contracts, what is an 'asset' anyway? IT Due Diligence is no longer an exercise where a junior in the team simply processes a meaningless checklist. The result being a list of acronyms and network diagrams that suggest detail and expertise, but lacking interpretation.
IT is no longer about technology, but much more about data and security
IT gaat niet langer over technologie, maar veel meer over data en beveiliging. Het is zo abstract geworden dat het vaardigheid en vakkennis vergt om te weten waarnaar je moet zoeken.
Real risks and technology gaps can be exposed by looking at:
- Software
- Contracts and licences
- Information Security
- Privacy and GDPR
- Planned IT Investments
- Human Capital
- Hardware and Network Design
What should IT Due Diligence look for in 2022?
Risk-based, tailored to the transaction, this should include at least:
Software
With off-the-shelf software, the emphasis is on software compliance; is all software licensed? Custom software may require a Quick Scan of the code or a thorough code review. Is the software built to last, or a bunch of spaghetti that is only understood by the local hero who built it? The one who will retire in a year. Also determine the ownership of the intellectual property. Who actually owns the code? With SaaS software, it is all about the contract terms.
Contracts and licences
Start with an overview of all current contracts (...), determine the renewal dates of contracts, and check the General Terms and Conditions for selected contracts for clauses referring to transfer of ownership. This is not self-evident. Also, most software products and cloud services are dependent on underlying Big Tech services. This results in sometimes undetected back-to-back contracts. Are these aligned?
Information Security
Estimate the risk profile of the organisation by applying one of the many available frameworks, such as the NIST Cyber Security Framework, the SANS Top 20 Critical Controls or ISO27002. This is still a desk research approach. If critical, a RED team or ethical hackers could test the practical strength of the security controls.
Privacy and GDPR
This is one of the most misunderstood and misinterpreted topics around information systems. Many have an opinion about the GDPR, few have taken the time to read the EU and local legislation. But it is not that complicated. The GDPR prescribes a series of measures and controls that must be implemented to secure personal data. These can be checked in a structured way. No wizardry required.
Planned IT investments
Assess the current IT architecture and project portfolio. Are the planned investments delivering value, or is it "keeping the lights on"? How big is the gap between the As-Is and To-Be IT landscape. Be wary of ERP implementations and Integration Layer projects. These are notorious for creating too little value.
Human Capital
Assess the professionalism of the IT department. IT is only as good as the people who organise it. A quick look is enough as a starting point; identified positions and average seniority, internal training materials and procedures, certificates and formal training courses. Who are the key people and are they on the payroll or freelance?
Hardware and network design
A list of all assets should be easily retrievable from the inventory system or the CMDB. A simple analysis will quickly give an impression of their completeness and accuracy. Remember that if you don't have all the assets in view, you can't know whether they are adequately protected. The IT department, by the way, should frown when asked about hardware. Most IT hardware will have been virtualised (and then run on other, more powerful computers).
How the network is designed says a lot about the maturity level of the IT organisation. Modern networks are, like the hardware, also virtual, the so-called 'software defined network'. An assessment of this topic gives a clear indication of any technological debt.
If an overview of all assets cannot be provided quickly, there is smoke and therefore fire...
I have managed IT departments and IT programmes in various sectors for many years. I am a certified Information Architect and a Certified Information Systems Security Professional (CISSP). With an extensive network of specialised professionals and companies to call on, I keep the team small and dedicated. A small organisation without overhead to ensure short turnaround times.
If you want to assess the risk and technology debt in your next M&A deal and need it done quickly, I can help.
English 
Dutch
Business Continuity Management Event i.s.m. UNO op 30 oktober 2025
/in Blog, Information Security/by Ronald van der MeulenDe harde realiteit van ransomware: leren van praktijkervaring
Cyberaanvallen zijn geen toekomstmuziek, maar dagelijkse realiteit. Bedrijfscontinuïteit en informatiebeveiliging zijn daarom belangrijker dan ooit. Tijdens het UNO Business Continuity Management Event ontdek je hoe je organisatie veerkrachtig blijft wanneer het écht misgaat. Ontmoet experts, hoor praktijkverhalen en krijg praktische handvatten om direct toe te passen.
Bedrijfscontinuïteit waarborgen gaat verder dan alleen back-ups en firewalls. Het vraagt om een structurele aanpak, gedragen door zowel technologie als mensen. Tijdens het UNO Business Continuity Management Event ontdek je hoe je die aanpak vormgeeft in jouw organisatie.
Je krijgt inzichten van experts die de dreiging van dichtbij hebben meegemaakt en hun praktijkervaringen openhartig delen. Hun verhalen maken duidelijk welke rol IT-partners, bestuurders en CISO’s spelen op het moment dat een cyberaanval realiteit wordt.
Na afloop ga je niet alleen naar huis met nieuwe kennis, maar ook met een Business Continuity Management Checklist: een praktisch hulpmiddel om jouw organisatie direct te toetsen en sterker te maken.
NTS behaalt hercertificering NEN7510
/in Blog, Information Security, Healthcare/by Ronald van der MeulenOp 12 mei 2025 heeft de Nederlandse Transplantatiestichting haar nieuwe certificaat voor de NEN7510 ontvangen. Dit was geen gelopen race. Door omstandigheden was het ISMS achterop geraakt en daar boven op had de auditor in de afgelopen audit een aantal serieuze opmerkingen meegegeven.
Bijdrage als Adviseur Informatiebeveiliging/CISO
Medio december 2024 ben ik gestart om orde op zaken te stellen. Medio januari een interne audit uitgevoerd, de structuur teruggebracht en samen met de organisatie de achterstanden ingelopen. De hercertificering vond plaats in de laatste week van februari 2025. De NTS heeft deze met vlag en wimpel doorlopen waardoor het nieuwe certificaat inmiddels aan de muur hangt.
Vliegende start voor de nieuwe CISO
In de tussentijd is een nieuwe vaste CISO geworven. Deze heeft het staartje van de certificering meegelopen en heb ik in de nieuwe structuur kunnen inwerken. Een vliegende start!
Lead Auditor ISO27001 gecertificeerd
/in Blog, Information Security/by Ronald van der MeulenOp 14 november 2024 heb ik het certificaat Lead Auditor ISO27001 behaald bij het PECB. Via Credly kun je hieronder de authenticiteit controleren, want een claim moet je wel kunnen onderbouwen!
Certificaatnummer: ISLA1163240-2024-11
Veilige introductie van netautomatisering
/in Energy/by Ronald van der MeulenRENDO is de regionele netbeheerder (gas, electra en glasvezel) in Zuid-Drenthe en Noord-Overijssel.
The challenge
Begin 2024 is Rendo opnieuw gecertificeerd voor ISO27001. De beveiliging van de IT is goed op orde. Rendo scoort hoog op compliance en op technische weerbaarheid. De manager ICT/CISO en de Security Lead vervolgen hun carriere elders.
Bijdrage CISO
RENDO grijpt dit moment aan om de rol van manager ICT en CISO te scheiden. Ik zet de CISO rol neer en werk de nieuw geworven Security Engineer in. Qua beveilging is dit tevens het moment om beveiliging van Operationele Technologie (OT) op te pakken. Dit doen we in een team van 5 medewerkers.
Netautomatisering
Het opwekken en gebruiken van energie is sterk aan verandering onderhevig. Zowel gebruik als decentrale opwek fluctueert sterk. Er is sprake van netcongestie. Dit betekent dat netbeheerders steeds dichter manoeuvreren tegen de capaciteitsgrenzen van hun netwerk. Hiervoor is het nodig om real-time in het netwerk te kunnen observeren en om te kunnen sturen in het energienet. Bijvoorbeeld door een aangesloten zonnepark af te sluiten als er sprake is van overproductie waardoor het net instabiel kan worden. Dit heet netautomatisering en hier is veel digitalisering voor nodig. Dit moet veilig zijn, want vijandige staten of criminele organisaties moeten we buiten de deur houden. Voor de beveiliging vallen we terug op de IEC62443 standaard.
Aanbesteding SCADA systeem
2025 Staat in het teken van de aanbesteding van een SCADA systeem dat het hart gaat worden van netautomatisering bij RENDO. De gunning wordt verwacht begin juni 2025.
Digitale dijkverzwaring voor het waterschap
/in Blog, Information Security, Government/by Ronald van der MeulenWaterschap Drents Overijsselse Delta
Het werkgebied van Drents Overijsselse Delta loopt van Assen tot Deventer en beslaat 7.001 kilometer aan rivieren, kanalen, wetering en sloten, 16 rioolwaterzuiveringen, 363 gemalen, 1.972 stuwen en ruim 1.000 kilometer aan dijken en kades.
NIS2 en BIO2
Het Nederlandse waterbeheer is van vitaal belang voor onze samenleving en economie. Waterschappen spelen een cruciale rol in het waarborgen van de waterveiligheid, het beheer van waterkwaliteit en de bescherming van onze natte infrastructuur. In dit digitale tijdperk zijn waterschappen echter ook blootgesteld aan toenemende cyberdreigingen. De Europese NIS2 (Network and Information Security) wetgeving en de daarvan afgeleide BIO2 (oktober 2024) zijn ontwikkeld om deze uitdagingen aan te pakken en de digitale weerbaarheid van essentieel aanbieders te versterken.
Bijdrage als Interim CISO
Na onvoorzien verloop in de CISO en ISO rol is het zaak om in korte tijd informatiebeveiliging als competentie op niveau te krijgen.
Beleidsontwikkeling: Robuust beleid ontwikkelen en implementeren dat voldoet aan de NIS2 vereisten.
Risicobeheer: Risicoanalyses om kwetsbaarheden te identificeren en te evalueren, en maatregelen implementeren om deze risico’s te verminderen of te elimineren. Starten met continuïteit- uitwijk en herstel.
Incident Response: Het coördineren van de respons en herstelinspanningen om een operationele verstoring tot een minimum te beperken.
Bewustwording en Training: Ervoor zorgen dat het bestuur en medewerkers van het waterschap zich bewust zijn van de risico’s van cyberaanvallen.
Samenwerking: Ik werk samen met relevante overheidsinstanties, het Waterschapshuis en partners in de watersector om informatie en expertise uit te wisselen en de algehele cyberweerbaarheid van Waterschap Drents en Overijsselse Deltta te versterken.
Van actieplan naar een beheerst proces
/in Blog, Information Security, Government/by Ronald van der MeulenVroeg of laat krijgt iedere organisatie te maken met een cyber event van de buitencategorie. Voor Senzer was dat moment 9 maart 2021. Een ransomware aanval legde de organisatie lam. Gelukkig was een backup voorhanden en door adequaat handelen en ondersteuning van Northwave bleef de schade beperkt. Een omvangrijk actieplan is in de steigers gezet en tot uitvoering gebracht.
De vraag aan Takeshape: “Help ons het actieplan af te ronden en leidt de transitie naar een beheerst proces”.
Het actieplan hangt op de samenwerking met Northwave. Northwave verzorgt de Managed Detection en Response diensten voor Senzer. Het actieplan is medio 2023 afgerond en omgezet in een geplande beheerste meerjarige aanpak.
Focus – “Er is meer dan compliance”
Overheidsorganisaties zoals Senzer zijn onderhavig aan een streng compliance regime. De BIO, die wordt aangepast aan NIS2, zal meer verplichtend worden. Jaarlijkse externe audits zoals op het gebruik van de DigiD aansluiting en inzage in Suwinet zullen blijven doorgaan. Maar dit moet niet leiden tot het idee dat als de vinkjes zijn gehaald de organisatie ook daadwerkelijk veilig is.
De focus ligt daarom om het realistisch en continu in beeld hebben van de mate van informatieveiligheid en de risico’s (de security posture). Vervolgens die maatregelen nemen die de hoogste bijdrage leveren. De invoering van een ISMS moet bijdragen aan het overzicht en de werklast van het rapporteren sterk verminderen. In plaats van alles inzetten op het voorkomen van risico’s zal vooral aandacht worden besteed aan weerbaarheid en veerkracht van de organisatie.
Senzer – Gemeenschappelijke Regeling in Helmond en omgeving
Senzer voert de Participatiewet uit in opdracht van 7 gemeentes: Helmond, Laarbeek, Gemert-Bakel, Geldrop-Mierlo, Someren, Asten, Deurne met in totaal 250.000 inwoners. Er werken ruim 2000 mensen en Senzer is verantwoordelijk voor de maatschappelijke participatie voor honderden mensen en inkomensondersteuning voor 4800 bijstandscliënten.
Advising Start Up - Lifelong Learning Portfolio
/in Blog, Higher Education, Information Security/by Ronald van der MeulenA veterinarian is a veterinarian? Not quite. Besides the fact that there are various specialisations in education, there are numerous follow-up courses that ensure further specialisation. However, everything that takes place after graduation is not centrally registered anywhere. Nor does an examination mark provide any insight into how skilled a professional is in an procedure. What if every graduated veterinarian could carry an online portfolio to have all this information together?
Contribution Takeshape: From POC to Platform
A first version of this online portfolio platform has been published and is slowly but surely being expanded. I was able to help the founders make a plan to scale from proof of concept to a fully-fledged IT platform. This sometimes involves technology, but often not. Small matters, such as the use of freeware, which is permitted in a personal sense but not in a commercial sense, is such an example.
Advising Start Up - Zero Emission Last Mile Delivery
/in Higher Education/by Ronald van der MeulenThe Last Mile... In logistical terms, this refers to the transport of products to their final destination, usually from a distribution centre in a city. This logistic chain is still hopelessly inefficient. For example, on the Dutch motorway 25% of the trucks are empty. The average load factor is 45%. So we mainly transport air. What if these large and mostly empty trucks unload their cargo at the edge of a city and small emission-free vehicles deliver these goods in the city? That would save a lot of transport movements of empty and polluting trucks into the city. Cleaner and safer. Such a 'hub' is planned around Utrecht, in Bilthoven.
One would think this is all about physical goods, delivery vans and parcels. However, the beating heart is an IT system that controls this complex chain. Complex because there are 6,000 transporters in the Netherlands and many parties use their own Wharehouse Management and Transport Management System.
The software that the Utrecht Hub will be working with is a fairly new development that can be layered on top of all Warehouse Management and Transport Management systems in order to maintain a total overview.
The question to Takeshape: "Is this software a solid basis for further growth?".
The following aspects were evaluated:
Based on this analysis, the hub's management team was able to make a well-founded decision.
IT Due Diligence - know what to look for in 2022
/in Blog, M&A/by Ronald van der MeulenIT services are rapidly moving to the cloud. Assets on the balance sheet are turning into subscriptions. Ransomware has executive-level attention. Data breaches cost companies millions in fines, customer retention and hidden costs.
Unless the acquisition concerns a technology company, IT Due Diligence usually does not play a major role. IT is complex and the integration can be dealt with after the deal. But because the future of non-tech companies also relies on digitisation, and because information security and privacy can no longer be ignored, they must be included in the Due Diligence process. IT Due Diligence should focus on assessing the technology backlog in the deal, and the risks that lie beneath the surface. Technological backlog slows down the realisation of a digitisation strategy. Risks can be quantified. This provides information that you want to include in valuing the deal.
IT Due Diligence requires a different approach
IT is not a regulated industry. There is no set way of organising or a reporting regime that must be met. There are best practices and ISO standards, but they leave a lot of room for interpretation. And with trends like virtualisation and cloud contracts, what is an 'asset' anyway? IT Due Diligence is no longer an exercise where a junior in the team simply processes a meaningless checklist. The result being a list of acronyms and network diagrams that suggest detail and expertise, but lacking interpretation.
IT gaat niet langer over technologie, maar veel meer over data en beveiliging. Het is zo abstract geworden dat het vaardigheid en vakkennis vergt om te weten waarnaar je moet zoeken.
Real risks and technology gaps can be exposed by looking at:
What should IT Due Diligence look for in 2022?
Risk-based, tailored to the transaction, this should include at least:
Software
With off-the-shelf software, the emphasis is on software compliance; is all software licensed? Custom software may require a Quick Scan of the code or a thorough code review. Is the software built to last, or a bunch of spaghetti that is only understood by the local hero who built it? The one who will retire in a year. Also determine the ownership of the intellectual property. Who actually owns the code? With SaaS software, it is all about the contract terms.
Contracts and licences
Start with an overview of all current contracts (...), determine the renewal dates of contracts, and check the General Terms and Conditions for selected contracts for clauses referring to transfer of ownership. This is not self-evident. Also, most software products and cloud services are dependent on underlying Big Tech services. This results in sometimes undetected back-to-back contracts. Are these aligned?
Information Security
Estimate the risk profile of the organisation by applying one of the many available frameworks, such as the NIST Cyber Security Framework, the SANS Top 20 Critical Controls or ISO27002. This is still a desk research approach. If critical, a RED team or ethical hackers could test the practical strength of the security controls.
Privacy and GDPR
This is one of the most misunderstood and misinterpreted topics around information systems. Many have an opinion about the GDPR, few have taken the time to read the EU and local legislation. But it is not that complicated. The GDPR prescribes a series of measures and controls that must be implemented to secure personal data. These can be checked in a structured way. No wizardry required.
Planned IT investments
Assess the current IT architecture and project portfolio. Are the planned investments delivering value, or is it "keeping the lights on"? How big is the gap between the As-Is and To-Be IT landscape. Be wary of ERP implementations and Integration Layer projects. These are notorious for creating too little value.
Human Capital
Assess the professionalism of the IT department. IT is only as good as the people who organise it. A quick look is enough as a starting point; identified positions and average seniority, internal training materials and procedures, certificates and formal training courses. Who are the key people and are they on the payroll or freelance?
Hardware and network design
A list of all assets should be easily retrievable from the inventory system or the CMDB. A simple analysis will quickly give an impression of their completeness and accuracy. Remember that if you don't have all the assets in view, you can't know whether they are adequately protected. The IT department, by the way, should frown when asked about hardware. Most IT hardware will have been virtualised (and then run on other, more powerful computers).
How the network is designed says a lot about the maturity level of the IT organisation. Modern networks are, like the hardware, also virtual, the so-called 'software defined network'. An assessment of this topic gives a clear indication of any technological debt.
I have managed IT departments and IT programmes in various sectors for many years. I am a certified Information Architect and a Certified Information Systems Security Professional (CISSP). With an extensive network of specialised professionals and companies to call on, I keep the team small and dedicated. A small organisation without overhead to ensure short turnaround times.
If you want to assess the risk and technology debt in your next M&A deal and need it done quickly, I can help.
More efficient project collaboration with TenneT
/in Blog, Energy/by Ronald van der MeulenTenneT manages the Dutch high-voltage grid and in Germany, TenneT is the largest electricity transmission system operator (TSO) and manages a route from the North Sea to the Alps. TenneT serves around 40 million households. The energy transition calls for an accelerated strengthening and expansion of the current infrastructure. TenneT's investment programme will amount to tens of billions of euros in the coming decades. Executing these programmes requires enormous coordination between TenneT and its contractors.
The challenge
Through a European tender, the contract was awarded in May 2021 to an Indian party to provide software and support for project collaboration. The SaaS software is now considered a crucial part of the application landscape. Both the project organisation and the application landscape are developing rapidly. The project collaboration system must fit in seamlessly and connect to the developing data standards. Meanwhile, the evolution from document-driven to data-driven working is progressing much faster than anticipated. The system must be able to handle both worlds.
Takeshape contribution - Seamless transition from tendering to contract and realisation
A European tender is a project in itself. It is not unusual for the project team to fall apart after the winner has been contracted and for an entirely new team to be set up for the implementation. By supervising both the tendering process and the implementation, there has been no light between the intention of the tender and the execution of the contract. In this respect TenneT retained maximum control.
The SaaS software is an off-the-shelf package. This is not where the challenge lies. Some of the characteristics of this assignment: