The BIO2.0 is Coming: What Will Change?
Author: Abe Winters, Security Analyst
Attention security officers at government agencies: The BIO2.0 is on its way. What additional measures does your organization need to take to comply with it? We outline the differences with BIO1.04 so you can prepare for this transition.
What is the BIO?
The Baseline Information Security Government (BIO) aims to bring all Dutch government agencies to a common level of information security. The current version, BIO1.04, is based on the NEN-ISO/IEC 27001 and 27002 from 2017. In 2022, a new version of ISO 27001 and 27002 was published. This is one of the reasons for developing BIO2.0.
Based on an evaluation of BIO1.04 and workshops with government agencies, a draft has been published. In this article, we compare the current BIO1.04 with the draft of BIO2.0 and outline the key differences. It should be noted that the BIO2.0 texts are still in draft phase and may change.
High-Level Differences
Legal Embedding via NIS2 Implementation
Organizations subject to the NIS2 directive, including governments, will face a duty of care. To implement NIS2 at the government level, it was decided in 2023 to link the delivery of BIO2.0 to the national legislation that will come into effect based on NIS2. Therefore, BIO2.0 will be legally embedded via the NIS2 implementation in the Cybersecurity Act and will soon become mandatory (beginning of 2025). See our practical NIS2 guide for more information on NIS2.
Abandoning Basic Security Levels
The basic security levels (BBNs) are abandoned in BIO2.0. The evaluation of BIO1.04 showed that too much focus was placed on classifying individual systems at BBN, and less on general risk management. To bring the focus back to risk management, the BBNs are being abandoned.
ISO 27002 from 2017 to 2022
The BIO follows the structure of ISO 27002. This standard received an update at the end of 2022, namely ISO 27002:2022. This new version brings several changes in both content and structure. Where controls were previously organized into fourteen chapters, they are now reduced to the following four chapters:
- A5: Organizational
- A6: People
- A7: Physical
- A8: Technological
These chapters contain a consolidation of existing controls, plus new controls addressing new technologies and current threats. For example, Chapter 5 includes a new control on information security for the use of cloud services (5.23) and a control on collecting and analysing information about threats (5.7), known as Threat Intelligence.
It is expected that BIO2.0 will follow this new structure. In anticipation of BIO2.0, the government has already published the BIO2.0 Guide in 2023. This guide aligns the BIO with the context and structure of ISO 27002:2022, linking government measures to the chapters and controls from ISO 27002:2022.
Examples of Changes
01. A functioning ISMS
The BIO2.0 draft references the ISO27k series multiple times. For example, measure 5.35.1 has been changed as follows:
- BIO1.04: There is an information security management system (ISMS) that demonstrably covers the entire Plan-Do-Check-Act cycle in a structured manner.
- BIO2.0 draft: There is a functioning ISMS in accordance with ISO 27001.
Therefore, the measure becomes more specific and explicitly requires an ISMS in accordance with ISO 27001.
02. New and changed government measures
In addition to high-level changes, mandatory government measures have also been altered. Chapter five (Organizational) contains the most changed government measures.
Some measures are sharper and/or more specific. For example, where government measure 5.01.02 from BIO1.04 mentions periodically updating the information security policy, BIO2.0 specifies this as annually. A similar change is included in government measure 8.08.04. While BIO1.04 states that information systems should preferably be checked annually for "technical compliance with security standards and risks regarding actual security," BIO2.0 states "at least annually."
03. Attention to responsibilities and roles
There is also more attention to responsibilities and roles within information security, particularly in the area of incident handling. Government measure 5.01.01 now states that the following components must be described and established:
- Responsibilities related to information security,
- The security of operational technology,
- Responsibilities related to Business Continuity Management.
04. Asset management and supply chain management
In several new government measures in BIO2.0, the importance of asset management is highlighted. This includes understanding one's own information processing systems, as well as visibility into suppliers and contracts. This is reflected in the following new government measures:
- 5.09.01: Establishing and maintaining an accurate, detailed, and up-to-date inventory of all assets used for information processing.
- 5.14.04: Keeping a current registry of all internet-facing systems, web applications, IP addresses, and APIs.
- 5.14.05: Publicly accessible websites are reported via the Government Internet Domain Register.
- 5.22.02: Maintaining a current registry of suppliers and concluded contracts.
05. Annually testing employees on click behavior
The draft texts of BIO2.0 contain several new government measures regarding awareness of cybersecurity risks. This covers both the knowledge of executives and that of employees, as is evident in the following new government measures:
- 5.10.1: Executives must be able to demonstrate that they have completed training courses that have provided them with sufficient knowledge and skills to recognize cybersecurity risks and assess their impact on the services and/or products the organization delivers.
- 5.10.4: Employees must regularly, like executives in 5.10.1, undergo training and education to recognize risks and respond appropriately.
- 8.07.5: At least annually, users are tested on their click behavior.
How Can You Prepare?
Study the ISO/IEC 27001:2022 and ISO/IEC 27002:2022. Also, review the BIO2.0 Guide. This guide allows government measures from BIO1.04 to be used according to the structure of NEN-EN-ISO/IEC 27002:2022.
If you already have an ISMS in accordance with ISO 27001:2022, the transition will not be too significant. It is mainly important to pay close attention to the new government measures.
Do you not have a control framework in place yet? Then BIO2.0 combined with the upcoming NIS2 is a great opportunity to start one. Security consultants from Secura can help and support you in this process.
Additionally, start by setting up and maintaining an inventory of:
- Assets used for information security
- All internet-facing systems, web applications, IP addresses, and APIs.
About the Author
Abe Winters, Security Analyst
Abe Winters is a Security Analyst at Secura and works in the 'Public' market group. He is passionate about cybersecurity and combines a technical background with knowledge of the process side. He currently mainly performs penetration tests for clients in the public sector, but also has knowledge of security management with standards such as ISO 27001.
Abe holds an MSc in Cyber Security from the Universiteit Twente; in his thesis he researched the prioritization of security controls based on the active threat landscape per sector.
How Secura supports you
As an independent cybersecurity expert, Secura can assist you with all aspects of NIS2, ISO/IEC 27k, and the additional BIO measures. We can help you with overall BIO Compliance, as well as with specific issues that are addressed in the (updated) government measures. This includes training your executives and employees to recognize and respond to cybersecurity risks, conducting penetration tests, or setting up a control framework and implementing an ISMS in accordance with ISO 27001.