Baseline Informatiebeveiliging Overheid 2 (Dutch Government Information Security Baseline)

Mandatory information security baseline for all Dutch government organisations at all levels: central government, provinces, municipalities, and water authorities. Aligned with ISO/IEC 27002:2022 with 93 controls plus government-specific measures (overheidsmaatregelen). Integrates NIS2 Article 21 requirements and supports ENSIA audit compliance. Replaces BIO 1.04 with a risk-based approach.

Controls: 208
Total Mappings: 412
Publisher: Dutch Ministry of the Interior and Kingdom Relations (BZK)
Version: 1.2 (2025)

Control families and control counts: AC (19), AT (5), AU (11), CA (5), CM (14), CP (13), IA (9), IR (9), MA (7), MP (8), PE (20), PL (4), PM (15), PS (9), PT (8), RA (7), SA (13), SC (14), SI (10), SR (8)
AC Access Control

| Control | Name | BIO2 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 5.1, 5.15 |
| AC-02 | Account Management | 5.15, 5.18, 8.2 |
| AC-03 | Access Enforcement | 5.15, 8.3, 8.4 |
| AC-04 | Information Flow Enforcement | 5.14, 8.12, 8.20, 8.23, 8.3 |
| AC-05 | Separation Of Duties | 5.3, 8.2 |
| AC-06 | Least Privilege | 5.15, 5.18, 8.18, 8.2, 8.3 |
| AC-07 | Unsuccessful Login Attempts | 5.15 |
| AC-08 | System Use Notification | 5.15 |
| AC-10 | Concurrent Session Control | 5.15 |
| AC-11 | Session Lock | 5.15, 7.7 |
| AC-12 | Session Termination | 5.15 |
| AC-14 | Permitted Actions Without Identification Or Authentication | 5.15 |
| AC-16 | Automated Labeling | 5.12, 5.13 |
| AC-17 | Remote Access | 5.14, 5.15, 6.7, 7.9 |
| AC-19 | Access Control For Portable And Mobile Devices | 7.9, 8.1 |
| AC-20 | Use Of External Information Systems | 5.10, 5.14, 5.23 |
| AC-21 | Information Sharing | 5.15 |
| AC-24 | Access Control Decisions | 5.15, 8.3 |
| AC-25 | Reference Monitor | 5.18 |

AT Awareness and Training

AU Audit and Accountability

| Control | Name | BIO2 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 5.1 |
| AU-02 | Auditable Events | 8.15 |
| AU-03 | Content Of Audit Records | 5.28, 8.15 |
| AU-04 | Audit Storage Capacity | 8.15, 8.6 |
| AU-05 | Response To Audit Processing Failures | 8.15 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 5.28, 5.36, 8.15, 8.16, 8.34 |
| AU-07 | Audit Reduction And Report Generation | 8.15 |
| AU-08 | Time Stamps | 8.15, 8.17 |
| AU-09 | Protection Of Audit Information | 5.28, 5.33, 8.15 |
| AU-11 | Audit Record Retention | 5.28, 5.33, 8.15 |
| AU-12 | Audit Record Generation | 8.15 |

CA Security Assessment and Authorization

CM Configuration Management

| Control | Name | BIO2 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 5.1, 5.37 |
| CM-02 | Baseline Configuration | 5.37, 8.31, 8.9 |
| CM-03 | Configuration Change Control | 5.37, 8.32, 8.9 |
| CM-04 | Monitoring Configuration Changes | 5.37, 8.31, 8.32, 8.9 |
| CM-05 | Access Restrictions For Change | 5.37, 8.19, 8.32, 8.4, 8.9 |
| CM-06 | Configuration Settings | 5.37, 8.9 |
| CM-07 | Least Functionality | 5.37, 8.1, 8.18, 8.19, 8.9 |
| CM-08 | Information System Component Inventory | 5.37, 5.9, 8.1, 8.9 |
| CM-09 | Configuration Management Plan | 5.37, 8.9 |
| CM-10 | Software Usage Restrictions | 5.37 |
| CM-11 | User-Installed Software | 5.37, 8.18, 8.19 |
| CM-12 | Information Location | 5.9 |
| CM-13 | Data Action Mapping | 5.9 |
| CM-14 | Signed Components | 8.19, 8.9 |

CP Contingency Planning

| Control | Name | BIO2 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 5.1, 5.29 |
| CP-02 | Contingency Plan | 5.29, 5.30, 8.6 |
| CP-03 | Contingency Training | 5.29 |
| CP-04 | Contingency Plan Testing And Exercises | 5.29, 5.30 |
| CP-05 | Contingency Plan Update | 5.29 |
| CP-06 | Alternate Storage Site | 5.29, 8.13, 8.14 |
| CP-07 | Alternate Processing Site | 5.29, 5.30, 8.14 |
| CP-08 | Telecommunications Services | 5.29, 5.30, 8.14 |
| CP-09 | Information System Backup | 5.29, 5.30, 8.13 |
| CP-10 | Information System Recovery And Reconstitution | 5.29, 5.30 |
| CP-11 | Alternate Communications Protocols | 5.29 |
| CP-12 | Safe Mode | 5.29 |
| CP-13 | Alternative Security Mechanisms | 5.29 |

IA Identification and Authentication

| Control | Name | BIO2 References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | 5.1 |
| IA-02 | User Identification And Authentication | 5.16, 8.5 |
| IA-04 | Identifier Management | 5.16 |
| IA-05 | Authenticator Management | 5.16, 5.17, 8.5 |
| IA-06 | Authenticator Feedback | 5.17 |
| IA-07 | Cryptographic Module Authentication | 5.17 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | 5.16, 8.5 |
| IA-11 | Re-authentication | 5.17, 8.5 |
| IA-12 | Identity Proofing | 5.16 |

IR Incident Response

| Control | Name | BIO2 References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | 5.1, 5.24, 6.8 |
| IR-02 | Incident Response Training | 5.24 |
| IR-03 | Incident Response Testing And Exercises | 5.24, 5.27 |
| IR-04 | Incident Handling | 5.24, 5.25, 5.26, 5.27, 5.28, 8.16 |
| IR-05 | Incident Monitoring | 5.25, 5.26 |
| IR-06 | Incident Reporting | 5.25, 5.26, 5.5, 6.8 |
| IR-07 | Incident Response Assistance | 5.24, 5.26, 6.8 |
| IR-08 | Incident Response Plan | 5.24 |
| IR-09 | Information Spillage Response | 5.26 |

MA Maintenance

MP Media Protection

| Control | Name | BIO2 References |
|---|---|---|
| MP-01 | Media Protection Policy And Procedures | 5.1, 7.10 |
| MP-02 | Media Access | 7.10 |
| MP-03 | Media Labeling | 5.13, 7.10 |
| MP-04 | Media Storage | 7.10, 7.7 |
| MP-05 | Media Transport | 5.14, 7.10, 7.9 |
| MP-06 | Media Sanitization And Disposal | 7.10, 7.14, 8.10 |
| MP-07 | Media Use | 5.10, 7.10 |
| MP-08 | Media Downgrading | 7.10, 7.14 |

PE Physical and Environmental Protection

| Control | Name | BIO2 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 5.1, 7.8 |
| PE-02 | Physical Access Authorizations | 7.2, 7.6 |
| PE-03 | Physical Access Control | 7.1, 7.2, 7.3, 7.6 |
| PE-04 | Access Control For Transmission Medium | 7.1, 7.12 |
| PE-05 | Access Control For Display Medium | 7.3, 7.7 |
| PE-06 | Monitoring Physical Access | 7.2, 7.4 |
| PE-07 | Visitor Control | 7.2, 7.6 |
| PE-08 | Access Records | 7.2, 7.4 |
| PE-09 | Power Equipment And Power Cabling | 7.11, 7.12, 7.5 |
| PE-10 | Emergency Shutoff | 7.11, 7.5 |
| PE-11 | Emergency Power | 7.11, 7.5 |
| PE-12 | Emergency Lighting | 7.11, 7.5 |
| PE-13 | Fire Protection | 7.5 |
| PE-14 | Temperature And Humidity Controls | 7.5, 7.8 |
| PE-15 | Water Damage Protection | 7.5 |
| PE-17 | Alternate Work Site | 6.7 |
| PE-18 | Location Of Information System Components | 7.3, 7.8 |
| PE-19 | Information Leakage | 8.12 |
| PE-21 | Electromagnetic Pulse Protection | 7.5 |
| PE-23 | Facility Location | 7.5, 7.8 |

PL Planning

PM Program Management

| Control | Name | BIO2 References |
|---|---|---|
| PM-01 | Information Security Program Plan | 5.1, 5.31 |
| PM-02 | Information Security Program Leadership Role | 5.2, 5.4 |
| PM-05 | System Inventory | 5.9 |
| PM-06 | Measures of Performance | 5.35, 5.36 |
| PM-07 | Enterprise Architecture | 5.8 |
| PM-08 | Critical Infrastructure Plan | 5.31 |
| PM-13 | Security and Privacy Workforce | 5.4, 6.3 |
| PM-14 | Testing, Training, and Monitoring | 6.3 |
| PM-15 | Security and Privacy Groups and Associations | 5.5, 5.6 |
| PM-16 | Threat Awareness Program | 5.6, 5.7 |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | 5.34 |
| PM-26 | Complaint Management | 5.34 |
| PM-27 | Privacy Reporting | 5.34 |
| PM-28 | Risk Framing | 5.34 |
| PM-29 | Risk Management Program Leadership Roles | 5.4 |

PS Personnel Security

| Control | Name | BIO2 References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | 5.1, 5.2 |
| PS-02 | Position Categorization | 5.2 |
| PS-03 | Personnel Screening | 6.1 |
| PS-04 | Personnel Termination | 5.11, 6.5 |
| PS-05 | Personnel Transfer | 5.11, 6.5 |
| PS-06 | Access Agreements | 6.2, 6.5, 6.6 |
| PS-07 | Third-Party Personnel Security | 5.4, 6.2 |
| PS-08 | Personnel Sanctions | 6.4 |
| PS-09 | Position Descriptions | 5.2, 6.2 |

PT Personally Identifiable Information Processing and Transparency

| Control | Name | BIO2 References |
|---|---|---|
| PT-01 | Policy and Procedures | 5.1, 5.34 |
| PT-02 | Authority to Process Personally Identifiable Information | 5.34 |
| PT-03 | Personally Identifiable Information Processing Purposes | 5.34 |
| PT-04 | Consent | 5.34 |
| PT-05 | Privacy Notice | 5.34 |
| PT-06 | System of Records Notice | 5.34, 8.11 |
| PT-07 | Specific Categories of Personally Identifiable Information | 5.34, 8.11 |
| PT-08 | Computer Matching Requirements | 5.34 |

RA Risk Assessment

SA System and Services Acquisition

| Control | Name | BIO2 References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | 5.1 |
| SA-03 | Life Cycle Support | 5.8, 8.25 |
| SA-04 | Acquisitions | 5.19, 5.20, 5.23, 5.31, 5.8, 8.26, 8.29, 8.30, 8.6 |
| SA-05 | Information System Documentation | 5.37 |
| SA-08 | Security Engineering Principles | 5.8, 8.25, 8.26, 8.27 |
| SA-09 | External Information System Services | 5.19, 5.20, 5.22, 5.23, 6.6, 8.21, 8.30 |
| SA-10 | Developer Configuration Management | 8.25, 8.30, 8.32, 8.4 |
| SA-11 | Developer Security Testing | 8.25, 8.26, 8.28, 8.29, 8.30, 8.31, 8.33 |
| SA-15 | Development Process, Standards, and Tools | 8.25, 8.28, 8.33 |
| SA-16 | Developer-Provided Training | 8.28 |
| SA-17 | Developer Security and Privacy Architecture and Design | 8.25, 8.27 |
| SA-21 | Developer Screening | 8.30 |
| SA-22 | Unsupported System Components | 8.19 |

SC System and Communications Protection

| Control | Name | BIO2 References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | 5.1 |
| SC-05 | Denial Of Service Protection | 8.6 |
| SC-07 | Boundary Protection | 5.14, 5.23, 8.12, 8.20, 8.21, 8.22, 8.23, 8.27 |
| SC-08 | Transmission Integrity | 5.14, 8.20, 8.21 |
| SC-12 | Cryptographic Key Establishment And Management | 5.14, 8.24 |
| SC-13 | Use Of Cryptography | 8.24 |
| SC-28 | Protection of Information at Rest | 6.7, 7.9, 8.1, 8.11, 8.24 |
| SC-31 | Covert Channel Analysis | 8.12 |
| SC-32 | System Partitioning | 8.22, 8.27, 8.31 |
| SC-36 | Distributed Processing and Storage | 8.14 |
| SC-41 | Port and I/O Device Access | 8.1 |
| SC-44 | Detonation Chambers | 8.7 |
| SC-45 | System Time Synchronization | 8.17 |
| SC-46 | Cross Domain Policy Enforcement | 5.14 |

SI System and Information Integrity

| Control | Name | BIO2 References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | 5.1 |
| SI-02 | Flaw Remediation | 8.8 |
| SI-03 | Malicious Code Protection | 8.23, 8.7 |
| SI-04 | Information System Monitoring Tools And Techniques | 5.25, 8.12, 8.16 |
| SI-05 | Security Alerts And Advisories | 5.7, 8.8 |
| SI-08 | Spam Protection | 8.7 |
| SI-12 | Information Output Handling And Retention | 5.33, 8.10 |
| SI-18 | Personally Identifiable Information Quality Operations | 5.34 |
| SI-19 | De-identification | 8.11 |
| SI-20 | Tainting | 8.11 |

SR Supply Chain Risk Management

| Control | Name | BIO2 References |
|---|---|---|
| SR-01 | Policy and Procedures | 5.1, 5.19, 5.21 |
| SR-02 | Supply Chain Risk Management Plan | 5.19, 5.21 |
| SR-03 | Supply Chain Controls and Processes | 5.19, 5.20, 5.21 |
| SR-05 | Acquisition Strategies, Tools, and Methods | 5.19, 5.21 |
| SR-06 | Supplier Assessments and Reviews | 5.21, 5.22 |
| SR-09 | Tamper Resistance and Detection | 5.21 |
| SR-10 | Inspection of Systems or Components | 5.21 |
| SR-11 | Component Authenticity | 5.21 |