
What is the BIO?

The Baseline Information Security Overheid (BIO) is a standard that has been in effect for government agencies in the Netherlands since 1 January 2020. This blog explains what the BIO is, why this standard is important and how it differs from ISO 27001.
This article was last updated on 14/5/2024.

What is the BIO?

The BIO, also known as the Government Information Security Baseline, is the standard that defines information security for government agencies. It is a coherent framework that builds on earlier baselines such as BIG, BIR, IBI and BIWA, and is structured according to the ISO 27001 and ISO 27002 standards.

Why comply with BIO?

The BIO is aimed at improving information security at all levels of government. This matters because communication between businesses, citizens and governments increasingly takes place digitally, and increasingly involves sensitive and confidential information. The BIO applies not only to government agencies themselves: government suppliers are also increasingly required to comply with it.

BIO has the following advantages:

  • One clear line thanks to a uniform standards framework
  • A competitive advantage in tenders for organizations working with governments
  • Easier cooperation between government agencies
  • Greater risk awareness and knowledge sharing

Protection levels BIO

The BIO has three levels of protection, called Baseline Protection Levels (BBN). The stringency of the technical and organizational measures to be taken must match the risk level of a process or system.

When a process is classified at BBN level 2, the measures of both BBN1 and BBN2 must be implemented. At the highest baseline protection level (BBN3), relevant requirements of, among others, the NATO Convention for the Security of Information and the National Office Special Information Regulations Decree (VIR-BI) must also be met. Which BBN level is needed or desired is determined by a BBN test.

BIO in relation to ISO 27001

The structure of the BIO follows the annex of ISO 27001, with the requirements from that annex further strengthened by BIO-specific requirements. The requirements become more stringent as the BIO risk level described above increases. Chapters 4 through 10 of the ISO 27001 standard, which set requirements for an organization's Plan-Do-Check-Act process, are not part of the BIO.

Want to make sure your organization complies with the Baseline Information Security Government (BIO)? Our team of experts is ready to guide you through, or take over, the implementation of the BIO standard.

Find out what our implementation process looks like

In our white paper, we take you step by step through our implementation process.

Mathijs Oppelaar
Information Security Consultant