← Frameworks / Government Baseline

Baseline Informatiebeveiliging Overheid 2 (Dutch Government Information Security Baseline)

Mandatory information security baseline for all Dutch government organisations at all levels: central government, provinces, municipalities, and water authorities. Aligned with ISO/IEC 27002:2022 with 93 controls plus government-specific measures (overheidsmaatregelen). Integrates NIS2 Article 21 requirements and supports ENSIA audit compliance. Replaces BIO 1.04 with a risk-based approach.

Clauses: 93

Avg Coverage: 83.0%

Publisher: Dutch Ministry of the Interior and Kingdom Relations (BZK) Version: 1.2 (2025)

BIO2 → SP 800-53 SP 800-53 → BIO2 Coverage Analysis

Clause	Title	SP 800-53 Controls
5.1	Policies for information security (BIO2)	PL-01 PM-01 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 PT-01 SR-01
5.2	Information security roles and responsibilities (BIO2)	PM-02 PS-01 PS-02 PL-01 PS-09
5.3	Segregation of duties (BIO2)	AC-05
5.4	Management responsibilities (BIO2)	PM-02 PM-13 PS-07 AT-01 PM-29
5.5	Contact with authorities (BIO2)	IR-06 PM-15
5.6	Contact with special interest groups (BIO2)	PM-15 PM-16
5.7	Threat intelligence (BIO2)	PM-16 RA-03 RA-05 SI-05 RA-10 RA-07
5.8	Information security in project management (BIO2)	SA-03 SA-04 SA-08 PM-07
5.9	Inventory of information and other associated assets (BIO2)	CM-08 PM-05 CM-12 CM-13
5.10	Acceptable use of information and other associated assets (BIO2)	PL-04 AC-20 MP-07
5.11	Return of assets (BIO2)	PS-04 PS-05
5.12	Classification of information (BIO2)	RA-02 AC-16
5.13	Labelling of information (BIO2)	MP-03 AC-16 RA-02
5.14	Information transfer (BIO2)	SC-07 SC-08 SC-12 AC-04 AC-17 AC-20 MP-05 SC-46
5.15	Access control (BIO2)	AC-01 AC-02 AC-03 AC-06 AC-07 AC-08 AC-10 AC-11 AC-12 AC-14 AC-17 AC-21 AC-24
5.16	Identity management (BIO2)	IA-02 IA-04 IA-05 IA-08 IA-12
5.17	Authentication information (BIO2)	IA-05 IA-06 IA-07 IA-11
5.18	Access rights (BIO2)	AC-02 AC-06 AC-25
5.19	Information security in supplier relationships (BIO2)	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05
5.20	Addressing information security within supplier agreements (BIO2)	SA-04 SA-09 SR-03
5.21	Managing information security in the ICT supply chain (BIO2)	SR-01 SR-02 SR-03 SR-05 SR-06 SR-09 SR-10 SR-11
5.22	Monitoring, review and change management of supplier services (BIO2)	SA-09 SR-06 CA-07
5.23	Information security for use of cloud services (BIO2)	SA-09 AC-20 SC-07 SA-04
5.24	Information security incident management planning and preparation (BIO2)	IR-01 IR-02 IR-03 IR-04 IR-07 IR-08
5.25	Assessment and decision on information security events (BIO2)	IR-04 IR-05 IR-06 SI-04
5.26	Response to information security incidents (BIO2)	IR-04 IR-05 IR-06 IR-07 IR-09
5.27	Learning from information security incidents (BIO2)	IR-03 IR-04
5.28	Collection of evidence (BIO2)	IR-04 AU-03 AU-06 AU-09 AU-11
5.29	Information security during disruption (BIO2)	CP-01 CP-02 CP-03 CP-04 CP-05 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 CP-12 CP-13
5.30	ICT readiness for business continuity (BIO2)	CP-02 CP-04 CP-07 CP-08 CP-09 CP-10
5.31	Legal, statutory, regulatory and contractual requirements (BIO2)	PL-04 PM-01 SA-04 PM-08
5.32	Intellectual property rights (BIO2)
5.33	Protection of records (BIO2)	AU-11 SI-12 AU-09
5.34	Privacy and protection of PII (BIO2)	PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08 PM-25 PM-26 PM-27 PM-28 SI-18 RA-08
5.35	Independent review of information security (BIO2)	CA-02 CA-07 PM-06
5.36	Compliance with policies, rules and standards (BIO2)	CA-02 AU-06 PM-06 CA-07
5.37	Documented operating procedures (BIO2)	PL-02 SA-05 CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-08 CM-09 CM-10 CM-11
6.1	Screening (BIO2)	PS-03
6.2	Terms and conditions of employment (BIO2)	PS-06 PL-04 PS-07 PS-09
6.3	Information security awareness, education and training (BIO2)	AT-02 AT-03 AT-04 PM-13 PM-14 AT-06
6.4	Disciplinary process (BIO2)	PS-08
6.5	Responsibilities after termination or change of employment (BIO2)	PS-04 PS-05 PS-06
6.6	Confidentiality or non-disclosure agreements (BIO2)	PS-06 SA-09
6.7	Remote working (BIO2)	AC-17 PE-17 SC-28
6.8	Information security event reporting (BIO2)	IR-06 IR-07 IR-01
7.1	Physical security perimeters (BIO2)	PE-03 PE-04
7.2	Physical entry (BIO2)	PE-02 PE-03 PE-06 PE-08 PE-07
7.3	Securing offices, rooms and facilities (BIO2)	PE-03 PE-05 PE-18
7.4	Physical security monitoring (BIO2)	PE-06 PE-08
7.5	Protecting against physical and environmental threats (BIO2)	PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-21 PE-23
7.6	Working in secure areas (BIO2)	PE-02 PE-03 PE-07
7.7	Clear desk and clear screen (BIO2)	AC-11 MP-04 PE-05
7.8	Equipment siting and protection (BIO2)	PE-14 PE-18 PE-01 PE-23
7.9	Security of assets off-premises (BIO2)	AC-17 MP-05 SC-28 AC-19
7.10	Storage media (BIO2)	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 MP-08
7.11	Supporting utilities (BIO2)	PE-09 PE-10 PE-11 PE-12
7.12	Cabling security (BIO2)	PE-04 PE-09
7.13	Equipment maintenance (BIO2)	MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 MA-07
7.14	Secure disposal or re-use of equipment (BIO2)	MP-06 MP-08
8.1	User endpoint devices (BIO2)	AC-19 CM-07 SC-28 CM-08 SC-41
8.2	Privileged access rights (BIO2)	AC-06 AC-02 AC-05
8.3	Information access restriction (BIO2)	AC-03 AC-04 AC-06 AC-24
8.4	Access to source code (BIO2)	CM-05 AC-03 SA-10
8.5	Secure authentication (BIO2)	IA-02 IA-05 IA-08 IA-11
8.6	Capacity management (BIO2)	AU-04 CP-02 SC-05 SA-04
8.7	Protection against malware (BIO2)	SI-03 SI-08 SC-44
8.8	Management of technical vulnerabilities (BIO2)	RA-05 SI-02 SI-05
8.9	Configuration management (BIO2)	CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-08 CM-09 CM-14
8.10	Information deletion (BIO2)	MP-06 SI-12
8.11	Data masking (BIO2)	SI-19 PT-06 PT-07 SC-28 SI-20
8.12	Data leakage prevention (BIO2)	AC-04 PE-19 SC-07 SI-04 SC-31
8.13	Information backup (BIO2)	CP-09 CP-06
8.14	Redundancy of information processing facilities (BIO2)	CP-06 CP-07 CP-08 SC-36
8.15	Logging (BIO2)	AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12
8.16	Monitoring activities (BIO2)	SI-04 AU-06 CA-07 IR-04
8.17	Clock synchronization (BIO2)	AU-08 SC-45
8.18	Use of privileged utility programs (BIO2)	CM-07 CM-11 AC-06
8.19	Installation of software on operational systems (BIO2)	CM-05 CM-07 CM-11 SA-22 CM-14
8.20	Networks security (BIO2)	SC-07 SC-08 AC-04 CA-09
8.21	Security of network services (BIO2)	SC-07 SC-08 SA-09
8.22	Segregation of networks (BIO2)	SC-07 SC-32
8.23	Web filtering (BIO2)	SC-07 SI-03 AC-04
8.24	Use of cryptography (BIO2)	SC-12 SC-13 SC-28
8.25	Secure development life cycle (BIO2)	SA-03 SA-08 SA-10 SA-11 SA-15 SA-17
8.26	Application security requirements (BIO2)	SA-04 SA-08 SA-11
8.27	Secure system architecture and engineering principles (BIO2)	SA-08 SA-17 SC-07 SC-32 PL-08
8.28	Secure coding (BIO2)	SA-11 SA-15 SA-16
8.29	Security testing in development and acceptance (BIO2)	SA-11 CA-02 SA-04
8.30	Outsourced development (BIO2)	SA-04 SA-09 SA-10 SA-11 SA-21
8.31	Separation of development, test and production environments (BIO2)	CM-04 SA-11 SC-32 CM-02
8.32	Change management (BIO2)	CM-03 CM-04 CM-05 SA-10
8.33	Test information (BIO2)	SA-11 SA-15
8.34	Protection of information systems during audit testing (BIO2)	CA-02 AU-06 CA-08