ISO27001 + BIO Government
Certification from DigiTrust proves that personal data is safe with you.
More than 500 organisations have already gone before you.
![img_4939](https://www.digitrust.nl/wp-content/uploads/2022/07/IMG_4939-2048x1536.jpg)
Baseline Information Security Government (BIO) and ISO 27001
Since 2020, a single uniform framework of standards for information security, the Baseline Information Security Government (BIO), applies to the entire Dutch government.
Some CISOs are still unsure whether the BIO is mandatory.
The BIO was published in the Government Gazette in May 2019 and, after agreement from all layers of government, ratified intergovernmentally in the Government-wide Consultation on Digital Government (OBDO). Municipalities are represented in this consultation by the VNG.
The BIO applies to all Dutch government and government-affiliated organisations.
BIO or ISO 27001?
The BIO primarily describes additional requirements on top of the control measures in ISO 27001.
For the requirement that an organisation must operate an information security management system (ISMS), however, the BIO refers to ISO 27001. An organisation therefore cannot be certified against the BIO alone.
DigiTrust has a solution: ISO 27001 + BIO
If your organisation meets the requirements of ISO 27001, we can certify you against it. If you make the additional control measures from the BIO part of your ISMS and reflect them in your Statement of Applicability (VVT), the DigiTrust auditor will include these BIO control measures in the audit.
The final certificate then states that your organisation is certified in accordance with ISO 27001 and that the BIO control measures are included in the scope.
Please contact us for more information or call one of our specialists.
ISO 27001 and BIO
Baseline measurement (zero measurement)
We often see provinces, municipalities and other government-related organisations keen to have a baseline measurement carried out. By performing a baseline measurement, it becomes clear where the possible gaps compared to the standard lie. The DigiTrust auditor will deliver a detailed report following this audit. This provides guidance in preparation for the official audit.
Contact one of our specialists to discuss the possibilities.
ISO 27001 and BIO auditor
The DigiTrust auditor assesses the information security management system and the control measures taken in accordance with ISO 27002 and BIO during the certification audit.
DigiTrust auditors have experience in governments and understand the layers of governance. It is important to understand the organisation well so that the audit is conducted in the right context. What threats and threat actors are there and how are they dealt with?
The result should be a coherent set of policies, procedures and measures drawn from ISO 27001 and the BIO. It is important to realise that the BIO measures have to be implemented to a level consistent with the organisation's own risk analysis and its accepted risk or chosen improvement level. This work is never finished, but in most cases a baseline is already in place; the question is whether it is good enough or whether more needs to be done.
DigiTrust audits and certifies the mechanism (that the management system works as required) and never gives an opinion on the level of implementation. That level is determined by the organisation itself. This distinction is often unclear to CISOs.
DigiTrust's specialists can tell you more about this.
During the Pre-audit, we check whether you are ready for certification. What is the status of the management system? Are there any issues that may not be in order? Together with you, DigiTrust can determine which topics should be covered during this pre-audit. We also determine the duration together. Usually this is between 2 and 4 days for a good picture of the management system and all control measures. After each pre-audit, DigiTrust provides you with a clear audit report, detailing where you may not yet be working in accordance with the requirements.
Tip: this is a frequently chosen option. It gets you started in the process and immediately gives you a good idea of where you stand as an organisation.
Initial certification
DigiTrust assesses whether the system works and functions according to the requirements. This assessment includes reviewing all operations at your office as well as at the implementation site. The initial certification consists of two parts: the phase 1 audit and the phase 2 audit.
Phase 1
During the phase 1 audit, we take an outline look at your management system (ISMS) and check whether you are really ready for the phase 2 audit. Together we also draw up the audit plan for phase 2: who is needed, and when.
Phase 2
During the phase 2 audit, we test the ISMS and all control measures.
Issuing the certificate
In case of a positive assessment, the auditor will nominate the organisation for certification. The certification manager does a quality check on the file. If everything is in order, you will receive the certification.
Surveillance audit
During the term of the certificate, which is usually three years, DigiTrust will conduct an annual surveillance audit. During a surveillance audit, we take a sample on the various standard elements. In case of a positive assessment, the current certificate will be continued.
Reassessment
DigiTrust will visit about three months before the certificate expires for the reassessment. This assessment has the same scope as the initial certification (step 2) and, if the result is positive, the certificate is renewed for another three years.
Questions about an ISO 27001 audit or curious about certification options?
Our specialists will be happy to tell you more about it. Call us on 088-224 56 00, e-mail us at sales@digitrust.nl or use our online contact form. We will be happy to visit you for a no-obligation introduction.
More than 300 organisations have already gone before you.
The difference between the BIO and ISO 27001
A key difference between the BIO and ISO 27001 is that the BIO deals only with the control measures listed in Annex A of ISO 27001 and elaborated in ISO 27002. The BIO imposes additional requirements on various control measures, but it says nothing about an information security management system, whereas ISO 27001 does.
An organisation therefore cannot have its management system certified on BIO measures alone. Nevertheless, it is important to be able to demonstrate, with an independent opinion, that the organisation complies with the requirements of the BIO. This becomes crucial the moment there is an information security incident or even a data breach. In accordance with the requirements of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), an organisation must have taken technical and organisational measures to protect data.
It will certainly make a difference to the AP's judgement if an organisation can show, through an audit against the BIO or even DigiTrust certification against ISO 27001 that includes the BIO, that the BIO requirements have been met. In addition, ISO 27001 certification that includes the BIO gives demonstrable confidence to citizens and other stakeholders.
ISO 27001 and BIO checklist
Do you want to prepare the organisation for an ISO 27001 and BIO audit? Then use the checklist prepared by DigiTrust.
The checklist is easy to use and provides an initial picture of readiness for certification on key components.
Questions about an ISO 27001 audit or curious about certification options?
Our specialists will be happy to tell you more about it. Call us on 088-224 56 00, e-mail us at info@digitrust.nl or use our online contact form. We will be happy to visit you for a no-obligation introduction.