Baseline Information Security Government
Since 2013, municipalities have been using the Baseline Information Security Municipalities (BIG) as a standards framework. The national government, provinces and water boards use their own norms, the BIR, BIWA and IBI. All separate government norms come together in the Baseline Information Security Government (BIO). This baseline is now the new framework of norms for all government agencies.
BIG and BIO
All previously mentioned baselines within the government are still based on the NEN/ISO 27001 from 2005 and are lagging behind the NEN/ISO 27001 from 2013. The 2013 ISO has a different structure than the 2005 version, which makes comparison difficult, especially in collaboration between organizations that use different versions. The change in the ISO is the reason for the new baseline. With the BIO as a joint baseline, the separate levels of government no longer each have to draw up a new baseline for themselves. The BIO is managed jointly, under the direction of the Ministry of the Interior and Kingdom Relations. A change process will be established through which all levels of government can propose changes.
Eventually, BIO will make it easier, but before we get there, we face some major challenges. The biggest change is that ENSIA will also have to be redesigned and there is a lot of work to do there.
More risk management and more explicit
The BIO puts more emphasis on risk management than the BIG, which is more about specific measures. The role of the director and line manager is more explicit with respect to risk management than the BIG indicated. In order to substantiate this, a manual '10 administrative principles for information security' comes into force at the same time as the BIO. These principles support managers in fulfilling their responsibilities.
The BIO differs from the BIG in a number of important ways:
- fewer measures (almost 60% fewer);
- measures are always mandatory;
- more risk management (it starts with a QuickScan, the QIS);
- 3 basic security levels (BBN);
- selection of missing measures in advance;
- allocation of measures by final responsibility;
- a baseline test, now called QIS, that takes those 3 levels into account.
Getting started with BIO
The Baseline Information Security Government (BIO) is now the information security standard for the entire government. The BIO, based on the ISO 27001 from 2013, is the successor of all information security standards used within the government, including the BIWA, BIG and BIR. More emphasis on risk management is central to this new standard. Ultimately, the BIO will make things easier. However, as a municipality you first face a number of major challenges: you now actually have to work according to the BIO and be accountable for it.
Who do you involve and how?
The BIO does not only concern Citizen Affairs. It involves a combination of various specialists such as procurement, application managers, facility managers, ICT specialists and HRM staff. That is why the BIO needs to be implemented across the whole municipality. Make sure you keep it manageable for yourself and your colleagues. With realistic timelines, you can achieve the goals together and keep the energy up. A practical approach is the oil slick method: by starting with a small group, you can use that success to involve other employees and perhaps to enthuse them. This requires personal attention and a switch from doing it yourself to coaching.
Where do you start?
Implementing BIO takes a lot of time. Moreover, where do you start? With the tools from Inergy you can get started immediately with the implementation of BIO. The functionality and content of the tools save you a lot of time in implementation. Fortunately, you are not starting from scratch. You have already implemented measures from the BIG that partly come back in the BIO.
How do Inergy's tools help with implementing BIO?
Before we move on to the support that the tools offer per step in the IBD's implementation roadmap, we will first outline how each tool works and how it connects to the BIO. There are two cycles for becoming fully in control in the areas of information security and privacy.
At the strategic level
The first cycle is at the strategic and tactical level. At this level, policy is made. The policy states the ambition level of the organization and how it will ensure that this ambition level is achieved. At this level, it is important for the CISO to have insight into the extent to which the requirements are being met. The tooling that provides this insight is also known as GRC tooling. It supports the continuous maintenance of a gap analysis and helps to identify and deal with threats.
Risk management is central to the BIO. With the gap analysis in LIAS ISMS, you can immediately determine where the gap is in your organization. The risk analysis in LIAS ISMS makes your risks transparent in an accessible way by identifying and analyzing them. This gives you insight into the assurance of controls and makes the risks transparent to your colleagues, management and board. You will also find a description of the business processes. Measures from the ISO 27002 are already linked to the standards for you.
At the operational level
The second cycle is at the operational level. At this level it is important that the policy is translated into concrete guidelines and procedures. The translation of the BIO measures can be found in LIAS ISMS. LIAS ISMS includes an Information Security Policy focused on the BIO and a translation of the BIO standards framework into procedures and other tools, so you can get started right away. The biggest challenge is to check compliance with the guidelines and procedures and to keep the procedures up to date. The tool enables process owners and subject specialists to keep the guidelines and procedures current.