Information security by the governance

5 tips for a secure implementation of the BIO 2020

More information Request a demo

BIO 2020: The new standard

From January 1, 2020, all government services, municipalities, provinces and regional water authorities will be affected by the BIO 2020, including the organizations that supply these bodies. These new rules for information security are in addition to the already long list of quality requirements. How do you ensure that you stay ‘in control’? We give you five tips!

According to the requirements of the BIO 2020, every government organization must:

  • Have an ISMS (Information Security Management System) that demonstrates the entire Plan-Do-Check-Act cycle in a structured manner.
  • Performing risk analyzes.
  • Implement policies and security measures (design, existence and operations) to control the risks.
  • Inventory the company assets.
  • Assign an owner to all company assets.
  • Create, store and regularly assess information security event log files.
  • Assess vulnerabilities including current state (real-time) reporting.
  • Planning and conducting audits; report all incidents monthly.


Until now, all levels of government had their own ‘’baseline’’ for information security. The BIR for the government, the BIG for the municipalities, the IBI for the provinces and the BIWA for the regional water authorities. The BIO 2020 replaces all these standards with a universal way of working.

The switch to the BIO can have a significant impact, but with these tips it will become a lot easier!

Tip 1: Use GRC tooling

Many organizations use separate spreadsheets for all their individual reports. This means that you have to do a lot of work twice and you quickly lose the overview. Moreover, spreadsheets have no check mechanisms such as reminder and deadlines, so you must monitor every action yourself. By using the GRC tooling you integrate all the information security process in one overview, allowing you to control all requirements from one central location. This will save you al lot of time and money and are you demonstrably in control.

Request for a demo

Tip 2: Use the ENSIA questionnaire

Use the ENSIA BIO 2020 questionnaire. This allows the accountability process for information security to be further professionalized by bundling supervision and establishing a link with the Planning & Control cycle. This provides more insights into the state of affairs, which makes it easier to manage.

Tip 3: Monitor risks using the three BBNs.

In the BIO 2020, the emphasis is more on risk management than in its predecessors. The basic security levels (BBNs) can help to keep the risk management manageable and efficient. Based on the reliability requirements (availability, integrity and confidentiality) for the information to be protected and the threats that exist, it is determined which set of measures is relevant for the adequate security of that information.

Tip 4: Guarantee broad support in the organization

The role of the director and the line manager has become a lot more explicit with regard to risk management than in de predecessors of the BIO 2020. In order to give substance to this, a guide ‘’10 administrative principles for information security’’ is being issued at the same time as the BIO. Use this manual to fulfill the various responsibilities. Make sure that these responsibilities are known and clear to everyone and explain why they are so important, this will increase the chance of success.

Tip 5: Provide Real Time dashboarding

In addition to the GDPR, the BIO 2020 also obligates you to provide you with continuous data, updates and logging at all times. Spreadsheets cannot do this. This requirement calls for Real Time dashboarding. Make sure you know where your organization is at all times witch regard to compliance with applicable standards, laws and regulations. You also need to know what risks your organization is currently and in the future.

Request for a demo

Get in control with GRCcontrol from CompLions!

GRCcontrol is the most simple software for meeting the BIO 2020 because GRCcontrol has a best-practice measure set that helps you with the transition to the BIO 2020 and its implementation by controlling it centrally. You can also easily fill in the latest ENSIA BIO 2020 questionnaire because direct measures are proposed to you to implement through the Plan-Do-Check-Act cycle that is integrated into our software solution.

GRCcontrol also helps you to keep risk management manageable and efficient, with which you demonstrably guarantee your risk management as a process to your organization and your stakeholders. In addition, with GRCcontrol you can see at any desired moment where your organization is now and in the future through the compliance and risk dashboard.

Plus: GDPR integration

The BIO 2020 contains many connections and overlapping requirements with the GDPR. What could be easier than integrating your BIO 2020 and GDPR processes into one system? You can with GRCcontrol! GRCcontrol also has an additional GDPR module, with which you can work on your GDPR compliance in addition to the BIO 2020. And with the unique ‘Map once, comply to many’ functionalities, all overlapping requirements are deduplicated in advance, saving you up to 70% on your compliance processes!

Request a demo