Update on ITGC framework for practical IT governance insights
The Audit Service of the Kingdom (Auditdienst Rijk) has introduced an updated IT General Controls (ITGC) framework aligned with BIO2, centred on risk management.

The government has a responsibility to handle citizens’ data with care and to provide reliable public services that the people of the Netherlands can depend on. A key part of this is accountability and oversight of risk management within government organisations. This accountability is demonstrated both internally to management and supervisory bodies and externally to the public.
The Baseline Information Security for Government (BIO) is the core framework for information security across all levels of government. It also serves as the basis for accountability in information security. The BIO requires government organisations to provide accountability through the relevant reporting frameworks and to the relevant supervisory authorities.
The latest version of the BIO is available at bio-overheid.nl, in Dutch. An English-language version will follow soon.
Information security is a standard component of each organisation’s annual report. To ensure secure collaboration between government bodies, organisations provide each other with insight into the measures they have implemented, using a Statement of Applicability.
Municipalities efficiently fulfil their information security accountability requirements through ENSIA (Uniform Single Information Audit Standard). Various system owners are continuously developing ENSIA based on the BIO’s accountability framework. Looking ahead, the Ministry of the Interior and Kingdom Relations (BZK) is exploring whether other tiers of government can also use ENSIA, and whether additional systems can be integrated into the framework.
Government-wide agreements have been made to accelerate the adoption of internet security and information security standards, known as the Target Vision Agreements (Streefbeeldafspraken). As of 1 July 2023, a number of these standards have been strengthened into legal requirements by the Decree on Secure Connections with Government Websites and Web Applications.
The Standardisation Forum (Forum Standaardisatie) assesses the implementation of these information security standards across government organisations every 6 months.
The Internet Cleanup Foundation assesses internet security using open sources and public measurement tools. This foundation provides up-to-date information to citizens and entrepreneurs on whether key organisations have their digital baseline security in place. As part of the Dutch Cybersecurity Strategy Action Plan 2022-2028, the Ministry of BZK encourages government organisations to use the Internet Cleanup Foundation’s platform basisbeveiliging.nl.
The International Digital Reporting Standards (IDRS) enable organisations to prepare an annual report on IT governance. The aim is to provide stakeholders, executives, and regulators with transparency regarding an organisation’s digital resilience.
IDRS includes accountability for cybersecurity. At the request of the House of Representatives, the Ministries of BZK and Economic Affairs and Climate Policy (EZ) are exploring the potential introduction of an IT annual report based on IDRS for both government and business. These ministries are carrying out the assignment in collaboration with the ECP Platform for the Information Society.
News - 19 March 2026
The Audit Service of the Kingdom (Auditdienst Rijk) has introduced an updated IT General Controls (ITGC) framework aligned with BIO2, centred on risk management.
News - 5 March 2026
BIO2 version 1.3 replaces earlier editions and aligns more closely with the Cyberbeveiligingswet (Cbw), which implements the NIS2 Directive into Dutch law.