BIO audits and 'in-control' statements

Do you want to demonstrate BIO compliance or do you need an 'in-control' statement? Demonstrable compliance with BIO is an important requirement for suppliers, but also for the government itself. Contact us to discuss the possibilities. DigiTrust has experience in various sectors.

More than 500 organisations have already gone before you.


The standards explained

Demonstrate compliance with BIO?

All governments and organisations linked to the government have to comply with BIO requirements since 2020. The Baseline Information Security Government (BIO) is the basic standards framework for information security within all layers of government (national, municipal, provincial and water boards). Previously, each layer of government had its own baseline, now there is one BIO for the entire government.

The BIO sets additional requirements on top of the ISO 27001 Annex A measures. It is often explained that the BIO is additional to ISO 27002, but this is not quite correct: ISO 27002 provides implementation guidance on the control measures listed in Annex A.

In fact, the BIO provides additional requirements to the Annex A control measures from ISO27001.

The organisation must, by law, comply with BIO. In case of non-compliance, there is actually a breach of the law. It is therefore important that the organisation can demonstrate to relevant stakeholders that the additional BIO requirements are actually met. Within the BIO, there are 3 Basic Security Levels (BBN).

BIO In-Control statement

DigiTrust can assess your suppliers and issue an 'in-control' statement (if they meet the BIO controls). In line with BIO requirements, this declaration is valid for 1 year. Contact us for the various possibilities. DigiTrust also uses the CIP - BIO self-assessment.

BBN 1

BBN1 is about what can be expected as a minimum from the government for the protection of information. This level deals with a low level of reliability, and complex requirements are therefore omitted. It is purely about a minimum basic requirement on the management measures.

BBN 2

Most information within government will be classified at this level. This is good housekeeping for information. BBN2 is the minimum level at which personal data is handled. In terms of severity, BBN2 is at the same level as the old baselines. In BBN2, for state actors and similar threats, the emphasis is on 'detection'.

BBN 3

BBN3 involves information where resistance to state or criminal actors (or similar threats) is required. Confidentiality is rated higher here; the other requirements may still sit at the middle level. Within the BIO, no requirements have yet been set at BBN3 level for specific management measures.

The steps explained

Determine the right BBN level

To choose the right level, a baseline key is available. Based on a number of questions, it clarifies which BBN level applies. Based on the outcome, the process owner determines which BBN should be followed.

BIO compliance statement or combine it with an ISO27001 certification?

At DigiTrust, we now have extensive experience with BIO audits and how to combine this with ISO27001 certification. We have now successfully applied this at several government agencies.

During the Pre-audit, we check whether you are ready for certification. What is the status of the management system? Are there any issues that may not be in order? Together with you, DigiTrust can determine which topics should be covered during this pre-audit. We also determine the duration together. Usually this is between 2 and 4 days for a good picture of the management system and all control measures. After each pre-audit, DigiTrust provides you with a clear audit report, detailing where you may not yet be working in accordance with the requirements.

Tip: this is a frequently chosen option. It really gets you started in the process and immediately gives you a good idea of where you stand as an organisation.

Initial certification

DigiTrust tests whether the system works and functions according to the requirements of ISO 27001. This assessment also includes the review of all operations at your office as well as at the implementation site. The initial certification consists of two parts: the phase 1 audit and the phase 2 audit.

Phase 1

During the phase 1 audit, we take an outline look at your management system (ISMS) and whether you are really ready for the phase 2 audit. We will also create the audit plan for phase 2 together: who do we need, and when?

Phase 2

During the phase 2 audit, we test the ISMS and all management measures.

Issue certificate

In case of a positive assessment, the auditor will nominate the organisation for certification. The certification manager will do a quality check on the file. If everything is in order, you will receive the ISO 27001 certification.

Control 1

During the term of the certificate, which is usually three years, DigiTrust will conduct an annual surveillance audit. During a surveillance audit, we take a sample on the various standard elements. In case of a positive assessment, the current certificate will be continued.

Control 2

DigiTrust will visit about three months before the certificate expires for the reassessment. This assessment has the same scope as the one at step 2 and, if the result is positive, ensures that the certificate is renewed for another three years.

BIO audits and the investment

In practice, BIO audits are often combined with an ISO 27001 certification. The additional BIO measures are then included during the certification audit. To arrive at an offer for certification, we need to have a good picture of your organisation. We will send you a simple intake form. In this form, you can enter your details and the context of your organisation: what exactly do you do, which processes do you have, and how many FTEs work in your organisation?

This is the start of the formal DigiTrust process; we want to know very well who you are and what you do. After all, your organisation is leading, not the standard.

With the information received, we will make a calculation. The beginning of the calculation always starts with the number of FTEs; this is determined by the standard we have to comply with. With all the information received, DigiTrust will issue a quotation.

Tip: always take a sharp look at the number of FTEs and list the job groups and functions. This can save a lot of time and certification costs.

The certification audit will consist of phase 1 and phase 2. During phase 1, we look closely at your documentation and want to form a picture of whether the management system is actually in place. Does it work, and are you therefore ready for phase 2? During phase 2, we look closely at the implementation of all your procedures and their demonstrability.

After each phase, you will receive an audit report immediately after the audit. Upon positive completion of phase 2, you will receive the official certificate.

Questions about BIO audits or curious about the possibilities?

Our specialists will be happy to tell you more about it. Call us on 088-224 56 00, email us at sales@digitrust.nl or use our online contact form. We will be happy to visit you for a no-obligation introduction.

More than 300 organisations have already gone before you.
