Baseline Information Security for Government (BIO)
What is the Baseline Information Security for Government (BIO)?
The Baseline Information Security for Government (BIO) is the unified framework of standards for information security within the Dutch government. It applies to all tiers of public administration, from central ministries through to municipalities and water authorities. While the BIO contains many guidelines comparable to general security standards such as ISO 27001, it is fully focused on the specific requirements, compliance needs, and circumstances of public sector bodies.
What are the benefits of the government BIO?
Security standards enable organisations to organise their information security more efficiently. Rather than "reinventing the wheel," the BIO provides a structured overview of every risk your organisation must consider.
The primary benefits include:
Standardisation across Government: Until 2020, there were different security standards for specific layers of administration (BIG for municipalities, BIR for central government, BIWA for water, and IBI for provinces). These were structured differently despite covering comparable risks. The BIO replaces these earlier standards, ensuring that every public sector organisation addresses security risks in the same uniform way.
Sector-Specific Focus: While ISO 27001 is a general global standard, some sectors require more specific guidelines (e.g., NEN 7510 for healthcare). For the government, the BIO provides a recognisable set of guidelines that public sector managers can apply immediately without needing to interpret generic rules.
Ease of Collaboration: Because the BIO is derived from ISO 27001 and ISO 27002, it uses a language familiar to external experts and partners. This makes it easier to explain your security setup to suppliers and facilitates smoother collaboration between different government bodies.
Baseline Information Security for Government (BIO) in brief
As indicated, ISO 27001 and ISO 27002 form the foundation of the BIO. Within government, these standards fall under the strict ‘comply or explain’ principle:
ISO 27001 provides the governance framework for establishing an Information Security Management System (ISMS).
ISO 27002 provides the concrete guidance and controls to support implementation.
The Risk-Driven Approach
An important aspect of the BIO is that it is risk-driven. You should not simply implement the complete list of controls blindly. Instead, your organisation must first map security risks per process. This analysis determines which controls have real priority. Furthermore, you must repeat this risk analysis regularly to adjust or add controls as the threat landscape changes.
The core of the standard is the ‘BIO Framework’, which includes 14 categories ranging from segregation of duties to physical security, each with a specific list of controls.
Difference between BIO and ISO 27002
Where does the difference lie between the general ISO standards and the government-specific BIO? The two critical differences are the approach to risk management and the level of detail.
1. Simplified Risk Management (BBN Levels)
The BIO simplifies risk management by organising information security into three Basic Security Levels (Basisbeveiligingsniveaus or BBN):
BBN 1: Concerns protecting the basic integrity and availability of information (e.g., public data).
BBN 2: Relates to confidential data where the impact of security incidents is considerably higher (standard internal operations).
BBN 3: Applied in scenarios where consequences are very serious, such as when processing classified information or state secrets.
For every business process, a mandatory BBN assessment determines the classification level. This structure makes risk assessment much more uniform in the BIO than within the general ISO standard.
2. Concrete, Mandatory Controls
While ISO 27002 is often interpretive, the BIO makes controls concrete. Where necessary, the BIO supplements standard ISO controls with detailed government-specific requirements.
Example: Password Security
ISO 27002 (Control 9.3.1): States generally that "Users should be required to follow the organisation’s practices when using secret authentication information."
BIO (Control 9.3.1.1): Adds a specific, mandatory requirement for BBN 2 or higher: "Employees are supported in managing their passwords by making a password vault available."
With the BIO, there is less room for interpretation; if a process is BBN 2, the control is required.
HelloID simplifies BIO compliance
Once you have determined your BBN levels, you must implement the required controls. For many of these, Identity and Access Management (IAM) is the technical key to compliance.
To meet BIO standards, organisations must ensure that:
Access rights are determined automatically based on the civil servant's role (preventing unauthorised access).
Individual access requests are streamlined and logged.
Multi-Factor Authentication (MFA) is enforced depending on the user context.
All administrative actions and login attempts are logged automatically for audit trails.
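As an added illustration (not code from this page, from the BIO, or from HelloID), the following Python sketch shows how the four requirements above combine in a single access-decision path: rights derived from the user's roles, a context-dependent MFA rule keyed to the BBN level of the application, and an audit record written for every request, whether allowed or denied. The role names, application names, BBN assignments and the MFA policy itself are constructed assumptions for the example.

```python
# Added example (not from the page, the BIO, or HelloID): a minimal
# access-decision engine reflecting role-based rights, context-dependent MFA
# and an audit trail. Role names, application names and BBN assignments are
# constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role model: rights follow from the civil servant's role, never
# from ad hoc grants to individuals.
ROLE_ENTITLEMENTS = {
    "case_worker": {"case-system:read", "case-system:write"},
    "finance": {"ledger:read", "ledger:post"},
    "iam_admin": {"iam:manage-roles"},
}

# Constructed BBN classification per application (BBN 1..3).
APP_BBN = {"intranet": 1, "case-system": 2, "ledger": 2, "iam": 3}


@dataclass(frozen=True)
class Context:
    """Who is asking, and under what circumstances."""
    user: str
    roles: frozenset
    on_trusted_network: bool
    mfa_completed: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessEngine:
    def __init__(self):
        # In-memory audit trail; a real deployment forwards this to a SIEM.
        self.audit_log = []

    @staticmethod
    def entitlements_for(roles):
        """Union of the rights granted by every role the user holds."""
        return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

    @staticmethod
    def mfa_required(app, action, ctx):
        """Constructed MFA policy: BBN 3 and all administrative actions always
        need MFA; BBN 2 needs it off the trusted network; BBN 1 does not."""
        bbn = APP_BBN.get(app, 3)  # unknown application: treat as BBN 3
        if bbn >= 3 or action.startswith("manage-"):
            return True
        return bbn == 2 and not ctx.on_trusted_network

    def decide(self, ctx, app, action):
        """Evaluate one access request and append it to the audit trail."""
        permission = f"{app}:{action}"
        if permission not in self.entitlements_for(ctx.roles):
            decision = Decision(False, "not entitled by role")
        elif self.mfa_required(app, action, ctx) and not ctx.mfa_completed:
            decision = Decision(False, "mfa required in this context")
        else:
            decision = Decision(True, "allowed")
        # Every request is logged, denied ones included, so auditors can
        # reconstruct who asked for what and why the engine answered as it did.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": ctx.user,
            "roles": sorted(ctx.roles),
            "request": permission,
            "bbn": APP_BBN.get(app, 3),
            "trusted_network": ctx.on_trusted_network,
            "mfa": ctx.mfa_completed,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision


def demo():
    """Run a few constructed requests; returns (decisions, audit_log)."""
    engine = AccessEngine()
    alice_office = Context("alice", frozenset({"case_worker"}), True, False)
    alice_home = Context("alice", frozenset({"case_worker"}), False, False)
    bob_admin = Context("bob", frozenset({"iam_admin"}), True, False)
    bob_admin_mfa = Context("bob", frozenset({"iam_admin"}), True, True)
    decisions = [
        engine.decide(alice_office, "case-system", "read"),   # allowed
        engine.decide(alice_home, "case-system", "read"),     # denied: MFA
        engine.decide(alice_office, "ledger", "post"),        # denied: role
        engine.decide(bob_admin, "iam", "manage-roles"),      # denied: MFA
        engine.decide(bob_admin_mfa, "iam", "manage-roles"),  # allowed
    ]
    return decisions, engine.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The point of the sketch is the ordering and the logging: entitlement is checked before the MFA rule, the MFA rule depends on both the BBN level and the request context rather than on a global switch, and the audit entry captures the inputs to the decision, not just the outcome, which is what an auditor checking a BBN 2 control will ask for.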
Many security professionals are now assessing whether their current legacy tools can support these strict BIO controls. To support this, Tools4ever has created the whitepaper ‘BIO and the role of Identity Management’. It provides a comprehensive introduction to the baseline and examines the role of IAM in public sector security.