
Baseline Information Security for Government (BIO)

What is Baseline Information Security for Government (BIO)?

The Baseline Information Security for Government (BIO) is a standards framework for information security within government, from ministries to municipalities and water authorities. The BIO includes many guidelines that align with widely used general security standards, such as ISO 27001. However, the BIO is tailored to the specific requirements and conditions of public-sector institutions.

What Are The Benefits of The Government BIO?

Security standards help organizations organize their information security more efficiently and effectively. There is no need to reinvent the wheel; such a standard provides a structured overview of everything your organization must consider. You can also more easily explain to partners, vendors, and customers how your information security is configured.

A general standard is ISO 27001, which is widely applied worldwide and for which many organizations obtain certification. Some sectors go a step further and have defined sector-specific guidelines. Healthcare uses the NEN 751x standard; there is now also a framework for education, and for government, the BIO was developed. If you are the manager or professional responsible for digital security at a public-sector organization, the BIO provides clear guidelines you can apply immediately.


An extra advantage is that the BIO is usable across all levels of government. Until 2020, there were different security standards for specific layers, such as municipalities and the central government. Those standards were configured slightly differently, even though many security risks and controls were comparable. The BIO now replaces earlier standards such as the BIG, BIWA, IBI, and BIR, ensuring that all public organizations address security risks consistently.

Although the BIO is intended specifically for government, it is derived from the ISO 27001 and 27002 standards. That not only makes the development and maintenance of the BIO relatively straightforward; many companies and experts are also already familiar with those ISO standards. This facilitates collaboration with other organizations and enables people to get started with the BIO relatively quickly.

Baseline Information Security for Government (BIO) At A Glance

As noted, ISO 27001 and 27002 form the basis for the BIO. Within government, these standards are also on the so-called 'apply or explain' list:

  • ISO 27001 provides guidelines for establishing an information security management system. In addition to the governance and process approach to your security, the standard includes an extensive annex with suitable management and security controls.

  • ISO 27002 is primarily informative and provides additional guidance on those controls to enable optimal implementation.

An important aspect of this standard, and therefore also for the BIO, is that it is risk-driven. You should not simply implement the entire list of controls. As an organization, you must first assess security risks for each process, because that determines which controls have priority. You must also conduct regular risk analyses to adjust or add controls as needed.

After the risk analysis, you then set up your information security. The described controls range from segregation of duties within organizations and the design of your password policy to your approach to data classification and the structure of your incident management.

The core of the BIO consists of the so-called 'BIO Framework' with 14 categories, each with a list of management and security controls.


Difference Between BIO and ISO 27002

Where do ISO 27001 and ISO 27002 differ from the BIO? Two important differences are risk management and the level of detail in the controls.

The BIO first simplifies risk management. Within government, information security is organized per process using three Basic Security Levels (BBN):

  • BBN 1 focuses on protecting the basic integrity and availability of information.

  • BBN 2 applies to more confidential data where the impact of security incidents is significantly higher.

  • BBN 3 is used in scenarios where the consequences of security incidents can be very severe, such as when processing classified state information.

The BIO includes several mandatory government controls and, in addition, requires a BBN assessment for each business process. That assessment yields a BBN level, which determines the additional security controls required. Risk identification and the determination of required controls are structured much more clearly in the BIO than in the general ISO standard.

The BIO is then further specified using ISO 27002 controls. The ISO 27002 standard consists of 114 controls, and the BIO follows the same structure. Where necessary, the BIO supplements these with detailed or additional government-specific requirements. An example of a control that is more specific in the BIO:

  • ISO 27002, in control 9.3.1 on secret authentication information, states: 'Users should be required to follow the organization's practices when using secret authentication information.' That control applies to all BBN levels.

  • The BIO adds control 9.3.1.1, which applies specifically where BBN 2 or higher applies: 'Employees are supported in managing their passwords by making a password vault available.'

In short, with ISO 27002, you may still need to interpret policies and make decisions accordingly. The BIO often makes the controls much more concrete, and with the BBN classification, it is immediately clear when a control is actually required. An update to the BIO, based on the latest ISO 27002 version, is planned for 2024.

HelloID Simplifies BIO Compliance

When setting up your BIO-based security plans, you therefore use the BIO assessment for each government process to determine which management and security controls are required. For many of those controls, Identity and Access Management (IAM) is now a critical component. You want to determine automatically, at the level of individual civil servants and their specific roles, which access rights they should receive. You also want to improve governance, streamline individual access requests for applications and data, and apply Multifactor Authentication as needed based on a person's profile and user context. Finally, you want all administrative actions and sign-in attempts to be logged automatically for audit trails.

That is why many government security professionals assess whether their current IAM solutions adequately support the BIO controls. To assist with this, Tools4ever has created the whitepaper 'BIO and the Role of Identity Management.' It provides an extensive introduction to the BIO baseline and explores the role of Identity Management in information security within public sector organizations. A useful tool is the checklist 'Contribution to ISO 27001 and BIO compliance.' It describes for each control whether IAM functionality is required and how a modern IAM solution can best support the security requirements. We describe this in the checklist using our own HelloID Identity-as-a-Service platform.


What does Baseline Information Security for Government (BIO) mean?

The Baseline Information Security for Government (BIO) provides guidelines for information security in public-sector institutions. The guideline is derived from ISO 27001 and 27002 and replaces earlier baselines that were developed for specific government layers, such as central government and municipalities. Thanks to the BIO, there is now a common set of security controls.

What is the most current BIO version?

To date, BIO version 1 (specifically, version 1.04zv of 17-06-2020) remains valid. It is related to ISO/IEC 27002:2017. A guidance document 'mapping BIO v1.0.4zv to ISO/IEC 27002:2022' is already available. In it, the BIO controls and government measures are renumbered to the most recent ISO/IEC 27002 version. A completely new BIO version 2.0 was planned for October 2024.

What is a BBN assessment?

BBN stands for Basic Security Level, a classification of security risks used by the government. The BIO includes a BBN assessment to determine the appropriate basic security level (BBN) for a government process. The BBN level (1, 2, or 3) then determines which controls must be implemented. BBN 2 is always the starting point. If that proves too heavy for a particular process, then BBN 1 suffices. If highly confidential data is processed or a system outage would cause major damage, then BBN 3 may apply.