The 3 "Ifs" and "Buts" About the BIO (Baseline Information Security for the Government)

By Steven Debets

2019 and 2020 are crucial years in the field of information security, especially for municipalities, government agencies, water boards, and provinces in the Netherlands. This is because the Baseline Information Security for the Government (BIO) is making its debut.

Baseline Informatiebeveiliging Overheid

Starting from January 1, 2020, the BIO will replace the existing security standards: Baseline Information Security for Municipalities, Baseline Information Security for the Central Government, Baseline Information Security for Water Boards, and Interprovincial Baseline Information Security. 2019 is a transitional year, allowing organizations to prepare for these new standards. In short, it's a busy year where organizations will be dealing with new standards that will impact their operations.

However, there are some common misconceptions that need to be addressed:

But 1: "I already comply with the current standards!"
Just because you're a municipality, government agency, or water board and have worked on information security doesn't mean you can afford to ignore the BIO. This is particularly important because there's a possibility that you currently don't fully meet the existing standards. If you haven't thoroughly analyzed the BIO and assessed its impact on your organization, you can't just assume that it won't affect you. "Measure to know" is crucial. So, there's every reason to take a closer look at the BIO.

But 2: "There are very few changes!"
Yes and no! Yes, because in practice the old standards and the BIO differ little in the controls they use. No, because the approach differs, as does the flexibility organizations have in selecting the measures that implement those controls. This is because the BIO is based on the most recent versions of NEN-ISO 27001 and 27002, and it gives organizations more room to choose appropriate measures through a risk-based approach. The main difference between the BIO and the current standards therefore lies in the number of measures. Furthermore, the BIO distinguishes three levels of security (Baseline Security Levels, or BSLs) based on the recognized importance of the assets to be protected. So there are fundamental changes indeed.

But 3: "I still have a few months left!"
Yes, but is that enough? The amount of work required to implement the BIO depends on the current maturity level of the organization. In general, not knowing the exact changes makes it difficult to estimate the time required. Therefore, you need to determine what needs to be done. How much time do you think you'll need for the following activities:

  • Conducting the BSL assessment
  • Aligning current risk analyses with the BIO
  • Assessing the current Baseline Security Levels (BSL) of your systems and processes
  • Defining measures to adequately protect the assets
  • Identifying the extent to which the organization has already implemented the controls and measures
  • Implementing the mandatory measures
  • Defining the roles, tasks, and responsibilities related to the implementation and management of the BIO
  • Reporting on the organization's security level

These are just a few activities that require time and resources to be executed properly. All of this has to be done by January 1, 2020, which means there are only a few months left.

There are more considerations to think about, but the best approach is to get started. Gain insight into the BIO and assess its impact on your organization. From there, you can address the BIO concretely and in a risk-based manner. That offers genuine peace of mind.

If you're interested in how we can help you with the BIO, please don't hesitate to contact us!
