Differences
‘Changes have been made to both the content and the structure. The most important differences can be simply divided into the following three topics: structure, measures and attributes. For the government, municipalities, provinces and water boards, the Baseline Information Security Government (BIO) is the minimum basis to comply with in the field of information security. Despite the fact that the BIO standards framework has not yet been fully implemented within some organisations, they can already start preparing for BIO 2.0.’
What was it again about the BIO and ISO27002?
The BIO is a standard for the government with specific measures with regard to reducing the impact and/or chance of risks. This specifically concerns risks in the field of information security. Securing information is now a top priority for almost every organisation, partly due to the digitalisation in recent decades and the increasing threats from various angles. The current version of the BIO is in line with the structure of ISO27002. Below I list some important points that are important:
- The International Organization for Standardization (ISO) establishes various standards, including information security standards (ISO27002);
- The Baseline Information Security Government (BIO) is structured according to ISO27002;
- ISO27002 is a best practice of controls and a subsequent elaboration of ISO27001;
- ISO27002 provides organizations with a basis for setting up the Information Security Management System (ISMS);
- In order to keep up with all developments regarding information security, ISO27002 is revised over time;
- There appears to be sufficient support within the government to revise the BIO as a result of the new ISO27002;
- This means that the structure of the BIO remains the same as ISO27002.
What will change?
Structure
Firstly, the structure of the new BIO 2.0 will change. In concrete terms, this means that a number of chapters will be merged. From no less than 14 chapters, we will go down to just four chapters. People, Physical Objects, Technology and Organisation.
Measures
Secondly, there is a change in the number of measures. From 110, we will go back to a total of 96. Unfortunately, that is no reason to celebrate! Some of these have been merged, so the work to meet the basic requirements will not immediately decrease. In addition, 13 new measures will be introduced.
Attributes
Thirdly and finally, the new BIO contains additional information (attributes) about the measures. Specific characteristics have been described for all measures. This concerns, for example, control types, with options such as “preventive”, “defective” and “corrective”.
Are there any advantages?
The question betrays a somewhat cynical view of the new BIO. This is mainly due to the fact that many organizations struggle with capacity and budget. Of course, this goes hand in hand. In addition, no one is cheering when the newly established BIO standards framework is completely overhauled. However, this new BIO 2.0 also has clear advantages.
Managing current risks
First of all, it is of course good to have new and more stringent measures. Due to the increasing risks, dusting off and tightening up the measures is certainly appropriate. Which will enable organizations to effectively mitigate these risks to a level acceptable to the organization.
Better insights
Secondly, the new attributes are expected to provide new opportunities to gain more targeted insight from the results. By linking different variables, the dashboards and reports will enable users to secure the PDCA (plan-do-check-act) cycle more efficiently and effectively and thus continuously improve their information security. This way, more information can be obtained from the results of the measures from the business.
Clear structure
Thirdly, it is of course a nice tidy up! Four chapters with clear themes will make a positive contribution to realizing support in the organization. Which is (still) an important challenge for many organizations. Finally, the BIO2.0 keeps the structure the same as the latest version of ISO27002. This ensures that it remains easy to benchmark between government and commercial parties such as suppliers (who often use ISO and not BIO) and to specify agreements regarding the security of information within the collaboration (contract management).
Impact
The new BIO will have a small or large impact on your ISMS. If you use a flexible software solution for your ISMS, such as the ISMS of the Key Control Dashboard, there are various efficient options to implement the BIO 2.0 without problems and to minimize its negative impact. As described, there are various advantages that you can benefit from.
Are you already a customer of ours? Then we will contact you at some point to discuss the implementation options. Not yet a customer? Then quickly schedule a demo to hear and see how our ISMS can help organizations to get a better grip on information security and the implementation of the BIO2.0.