Information Security

What is the BIO?

What is the BIO?
The Baseline Information Security Overheid (BIO) is a standard that has been in effect for government agencies in the Netherlands since Jan. 1, 2020. This blog explains what the BIO is, why this standard is important and how it differs from ISO 27001.
This article was last updated on
16/4/2025

What is the BIO?

De BIO, ook wel Baseline Informatiebeveiliging Overheid genoemd, is de specifieke norm die de informatiebeveiliging voor overheidsinstanties definieert. Het is een samenhangend raamwerk dat voortbouwt op eerdere baselines zoals BIG, BIR, IBI en BIWA, en is gestructureerd volgens de ISO 27001- en 27002-normen.

Why comply with BIO?

The BIO is aimed at improving information security at all levels of government. This is very important because communication between entrepreneurs, citizens and governments is increasingly taking place digitally, including sensitive and confidential information. The BIO not only applies to government agencies themselves, but government suppliers are increasingly being required to comply with the BIO.

BIO has the following advantages:

  • One clear line thanks to a standardized standards framework
  • Competitive bid advantage for organizations working with governments
  • Facilitates interagency cooperation
  • Promotes risk awareness and knowledge sharing

Protection levels BIO

The BIO has three levels of protection, called Baseline Protection Levels (BBN). The severity of the technical and organizational measures to be taken must match the risk level of a process or system.  

When a process is established at BBN level 2, both the measures of BBN1 and BBN2 must be implemented. In addition, from the highest basic security level (BBN3), relevant requirements of, among others, the NATO Convention for the Security of Information and the National Office Special Information Regulations Decree (VIR-BI) must also be met. Which BBN level is needed or desired is determined by a BBN test.

BIO in relation to ISO 27001

The structure of the BIO is similar to the ISO 27001 Addendum, with the requirements from the ISO 27001 Addendum further strengthened with BIO-specific requirements. The requirements become more stringent as the aforementioned BIO risk level increases. Basic chapters 4 through 10 of the ISO 27001 standard, which set requirements for an organization's Plan-Do-Check-Act process, are not part of the BIO.

Wil je ervoor zorgen dat jouw organisatie voldoet aan de Baseline Informatiebeveiliging Overheid (BIO)? Ons team van experts staat klaar om je te begeleiden of ontzorgen bij de implementatie van de BIO-norm.

Find out what our implementation process looks like

In our white paper, we take you step by step through our implementation process.

Download Now
Kilian Houthuijzen
Commercial Manager & Partner
085 773 60 05
To news overview

Related articles

Customer case
Klantcase: Heras behaalt ISO 27001-certificering binnen één jaar met ontzorgende implementatie
read more
News
Why an AVG scan is important for your organization
read more
KAM Certifications is now Fendix

We are a partner of

SGS
BSI
TUV
DEKRA
KIWA
Brand Compliance
LRQA
DNV
Digitrust