Baseline Informatiebeveiliging Overheid 2 (Dutch Government Information Security Baseline) — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each BIO2 requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution
Full (85-100%): 50
Substantial (65-84%): 38
Partial (40-64%): 4
Weak (1-39%): 1

Clause-by-Clause Analysis

5.1 Policies for information security (BIO2)

Rationale

SP 800-53 has comprehensive policy controls (the -01 control in every family). PL-01 is the overarching planning policy. PM-01 establishes the program plan. PT-01 and SR-01 add privacy and supply chain policy requirements, giving broad coverage of ISO 27002's requirement for a coherent policy framework with topic-specific policies. BIO2 government measures additionally require explicit alignment with the Cyberbeveiligingswet and the ENSIA audit framework, mandating that security policies reference Dutch legislative obligations and are subject to ENSIA accountability reporting, which is not addressed by SP 800-53.

Gaps

SP 800-53 policy requirements are more granular (per-family) while ISO 27002 expects a coherent hierarchical policy set with explicit review triggers and communication channels. BIO2 mandates that information security policy explicitly references the Cyberbeveiligingswet implementation roadmap and ENSIA compliance obligations, which have no SP 800-53 equivalent.

5.2 Information security roles and responsibilities (BIO2)

Rationale

PM-02 assigns CISO/senior security role. PS-01/PS-02 cover position risk designation and personnel categorization. PS-09 (Position Descriptions) explicitly requires incorporating security and privacy roles and responsibilities into organizational position descriptions, directly addressing ISO 27002's requirement that all information security responsibilities are defined and allocated. BIO2 government measures additionally require the formal appointment of a CISO at board level and mandate reporting lines to the executive board, which SP 800-53 does not prescribe at this level of organizational specificity.

Gaps

ISO 27002 provides specific implementation guidance on asset owner responsibilities. SP 800-53 addresses this through the system owner concept in PL-02, but the 'asset owner' role is less defined. BIO2 mandates CISO appointment with specific governance reporting lines and accountability to ENSIA supervisory bodies, which are Netherlands-specific organisational requirements.

5.3 Segregation of duties (BIO2)

Rationale

AC-05 directly addresses separation of duties, including identifying conflicting duties and implementing compensating controls, and aligns comprehensively with ISO 27002's requirement. BIO2 government measures additionally require segregation of duties to be formally documented as ENSIA audit evidence, an accountability requirement that SP 800-53 supports implicitly through documentation but does not mandate for external audit purposes.

Gaps

ISO 27002 provides detailed guidance on identifying conflicting duties across business processes. AC-05 is focused on system-level duty separation. BIO2 requires ENSIA audit compliance for accountability to supervisory bodies, adding documentation obligations beyond SP 800-53 requirements.

5.4 Management responsibilities (BIO2)

Rationale

PM-02 and PM-13 address management security roles and workforce management. PS-07 covers third-party personnel management. AT-01 establishes training policy. PM-29 (Risk Management Program Leadership) adds explicit senior leadership accountability for risk management, supporting ISO 27002's requirement that management requires personnel to apply security per policies. BIO2 government measures additionally require management accountability through ENSIA self-assessment and external audit, with explicit board-level sign-off on security posture reported to supervisory bodies, which is not addressed by SP 800-53.

Gaps

ISO 27002 emphasizes management actively requiring all employees and contractors to apply security per policies, leading by example, and providing resources. SP 800-53 is less explicit on management behavioral expectations and enforcement responsibility. BIO2 mandates ENSIA audit compliance for accountability to supervisory bodies and requires board-level sign-off on information security status.

5.5 Contact with authorities (BIO2)

Rationale

IR-06 covers incident reporting to authorities. PM-15 covers establishing and maintaining contacts with security groups and associations. Together they address ISO 27002's requirement for maintaining relationships with relevant authorities. BIO2 government measures additionally require proactive engagement with NCSC-NL and coordination with Dutch sector-specific CERTs, as well as alignment with Rijksoverheid security coordination structures, which SP 800-53 does not address.

Gaps

ISO 27002 includes proactive relationship maintenance with authorities for prevention and intelligence, not just reactive incident reporting. Anticipatory contact with regulatory bodies is not explicitly required. BIO2 mandates proactive engagement with NCSC-NL and sector-specific CERTs under the Cyberbeveiligingswet framework.

5.6 Contact with special interest groups (BIO2)

Rationale

PM-15 directly covers contacts with security groups and associations. PM-16 covers threat awareness program including sharing with security communities. Good alignment with ISO 27002's requirement. BIO2 government measures additionally require participation in Dutch government information-sharing communities such as NCSC-NL partnerships and sector-specific ISACs, which SP 800-53 supports in general terms but does not prescribe for specific national communities.

Gaps

ISO 27002 details benefits including improved knowledge, early warnings, and advisory access from professional forums. SP 800-53 is less specific about the breadth of groups to engage. BIO2 requires participation in Dutch government security communities and NCSC-NL threat intelligence sharing.

5.7 Threat intelligence (BIO2)

Rationale

PM-16 addresses threat awareness program. SI-05 covers security alerts and advisories. RA-03/RA-05 include threat identification and vulnerability assessment. RA-10 (Threat Hunting) adds proactive cyber threat hunting capability. RA-07 (Risk Response) ensures threat intelligence findings are acted upon systematically. BIO2 government measures additionally require consumption of NCSC-NL threat advisories and integration with Dutch government threat intelligence feeds, which SP 800-53 supports through general mechanisms but does not prescribe for specific national sources.

Gaps

Minimal gap for core threat intelligence. BIO2 requires integration with NCSC-NL threat advisories and Dutch government-specific threat intelligence feeds.

5.8 Information security in project management (BIO2)

Rationale

SA-03 covers security in SDLC integration. SA-04 addresses acquisition security requirements. SA-08 covers security engineering principles applied to projects. PM-07 addresses enterprise architecture integration. BIO2 government measures additionally require that all government IT projects undergo a BIO2 baseline assessment as part of project initiation, which is a mandatory gate not prescribed by SP 800-53.

Gaps

ISO 27002 specifies security integration into all project types regardless of nature (IT and non-IT). SP 800-53 SA controls focus specifically on IT system development and acquisition projects. BIO2 mandates a BIO2 baseline assessment as a formal project gate for government IT projects.

5.9 Inventory of information and other associated assets (BIO2)

Rationale

CM-08 directly covers system component inventory. PM-05 covers system inventory. CM-12 (Information Location) identifies and documents the location of information types and the specific system components on which information is processed and stored. CM-13 (Data Action Mapping) maps data actions to system components and individuals, strengthening asset-to-data relationship tracking. BIO2 government measures additionally require asset inventories to be aligned with Rijksoverheid asset classification standards, which SP 800-53 supports through general inventory controls.

Gaps

ISO 27002 includes 'associated assets' beyond information and system components (e.g., people, premises, cloud services as assets). CM-12 and CM-13 significantly strengthen the information asset inventory mapping. BIO2 requires alignment with Dutch government asset classification standards.

5.10 Acceptable use of information and other associated assets (BIO2)

Rationale

PL-04 directly covers rules of behavior and acceptable use policies. AC-20 covers use of external systems. MP-07 covers media use restrictions. BIO2 government measures additionally require acceptable use policies to reference Dutch government classification (Departementaal Vertrouwelijk, Staatsgeheim) and handling procedures, which SP 800-53 addresses through its own classification framework but not Dutch-specific markings.

Gaps

ISO 27002 specifies 'return of assets' as part of the acceptable use lifecycle and covers acceptable use of cloud services. SP 800-53 separates asset return into PS-04. BIO2 requires acceptable use policies to reference Dutch government security classification levels.

5.11 Return of assets (BIO2)

Rationale

PS-04 covers personnel termination including return of organizational assets and information. PS-05 covers personnel transfer with similar asset handling requirements. BIO2 government measures additionally require that classified government assets are returned through verified chain-of-custody procedures aligned with Rijksoverheid protocols, which SP 800-53 supports through general termination procedures.

Gaps

Minimal gap. ISO 27002 includes return of both physical and electronic assets, which PS-04/PS-05 address. BIO2 adds chain-of-custody requirements for classified government assets aligned with Dutch government handling standards.

5.12 Classification of information (BIO2)

Rationale

RA-02 covers security categorization of information and systems using FIPS 199 methodology. AC-16 supports association of security and privacy attributes with information for classification purposes. BIO2 government measures additionally require alignment with the Dutch government classification scheme (Departementaal Vertrouwelijk, Staatsgeheim-Confidentieel/Geheim/Zeer Geheim) and the Besluit Voorschrift Informatiebeveiliging Rijksdienst (VIR), which SP 800-53 does not address.

Gaps

ISO 27002 uses multi-tier classification schemes; SP 800-53 uses FIPS 199 categorization (C/I/A impact levels). Conceptually similar but terminology and methodology differ. BIO2 mandates the Dutch government classification scheme (Departementaal Vertrouwelijk, Staatsgeheim levels) per VIR, which has no SP 800-53 equivalent.

5.13 Labelling of information (BIO2)

Rationale

MP-03 covers media marking and labeling. AC-16 supports association of security attributes with information for digital labeling. RA-02 provides the categorization basis for labels. BIO2 government measures additionally require Dutch government classification markings (Departementaal Vertrouwelijk, Staatsgeheim) to be applied consistently across all information formats per VIR procedures, which SP 800-53 does not prescribe.

Gaps

ISO 27002 requires labeling procedures for all information formats including physical, electronic, and verbal. SP 800-53 focuses primarily on media marking; comprehensive cross-format labeling is less prescribed. BIO2 mandates Dutch government-specific classification markings per the VIR framework.

5.14 Information transfer (BIO2)

Rationale

SC-07 boundary protection; SC-08 transmission confidentiality/integrity; AC-04 information flow enforcement; AC-17 remote access; MP-05 media transport. SC-46 (Cross Domain Policy Enforcement) adds policy enforcement for information transfer between security domains. BIO2 government measures additionally require that information transfers between government organisations use approved secure channels (e.g., Diginetwerk, Rijksportaal) and comply with Dutch government data exchange standards, which SP 800-53 does not prescribe.

Gaps

ISO 27002 includes transfer agreements and procedures for all forms (electronic, physical, verbal). SP 800-53 focuses on electronic and physical transfer; verbal transfer procedures are a gap. BIO2 mandates use of approved Dutch government secure transfer channels such as Diginetwerk for inter-governmental data exchange.

5.15 Access control (BIO2)

Rationale

The AC family is exceptionally comprehensive for access control: AC-01 policy; AC-02 account management; AC-03 access enforcement; AC-06 least privilege; AC-07 unsuccessful login attempts; AC-17 remote access; AC-24 access control decisions. The SP 800-53 AC family exceeds ISO 27002's access control requirements. BIO2 government measures additionally require that access control policies reference Dutch government identity frameworks and eIDAS trust levels where applicable, which SP 800-53 supports in general terms.

Gaps

Minimal gap for core access control. BIO2 requires access control policies to align with Dutch government identity and trust level frameworks, including eIDAS integration for cross-border government services.

5.16 Identity management (BIO2)

Rationale

The IA family comprehensively covers identity management: IA-02 identification and authentication; IA-04 identifier management; IA-05 authenticator management; IA-08 non-organizational users; IA-12 identity proofing, which covers identity verification before credential issuance. BIO2 government measures additionally require eIDAS-compliant identity proofing and may mandate integration with DigiD for citizen-facing government services, which SP 800-53 does not prescribe.

Gaps

Minimal gap for core identity management. BIO2 requires eIDAS-compliant identity proofing for government services and may mandate DigiD integration for citizen-facing applications. DigiD authentication requirements for citizen-facing services are Netherlands-specific.

5.17 Authentication information (BIO2)

Rationale

IA-05 directly covers authenticator management (passwords, tokens, certificates). IA-06 covers authenticator feedback. IA-07 covers cryptographic module authentication. IA-11 covers re-authentication requirements. BIO2 government measures additionally require that authentication mechanisms meet eIDAS assurance levels (low/substantial/high) appropriate to the service risk level, and may mandate PKIoverheid certificates for government services, which SP 800-53 does not prescribe.

Gaps

Minimal gap for core authentication. BIO2 requires eIDAS assurance level alignment and may mandate PKIoverheid certificates for government-to-government authentication, which are Netherlands-specific requirements.

5.18 Access rights (BIO2)

Rationale

AC-02 covers account management including provisioning, periodic review, and revocation. AC-06 covers least privilege. AC-25 covers reference monitor concept for access mediation. BIO2 government measures additionally require periodic access right reviews with documentation for ENSIA audit trail, which SP 800-53 supports through AC-02 review provisions.

Gaps

Minimal gap. Access right lifecycle (request, approve, review, revoke) is well covered. BIO2 requires access right reviews to be documented for ENSIA audit compliance.

5.19 Information security in supplier relationships (BIO2)

Rationale

SA-04 acquisition security requirements; SA-09 external system services; SR family covers supply chain risk management. SR-01 establishes supply chain risk management policy; SR-02/SR-03 cover supply chain controls. BIO2 government measures additionally mandate compliance with the DigiInkoop procurement framework for government ICT acquisitions, requiring specific security clauses in procurement contracts, which SP 800-53 does not prescribe.

Gaps

ISO 27002 emphasizes ongoing supplier relationship management with periodic review and risk reassessment. SP 800-53 focuses more on acquisition-time requirements. BIO2 mandates DigiInkoop procurement framework compliance for government ICT acquisitions, which has no SP 800-53 equivalent.

5.20 Addressing information security within supplier agreements (BIO2)

Rationale

SA-04 directly requires security requirements in acquisitions. SA-09 covers external service agreements. SR-03 covers supply chain controls and processes specified in agreements. BIO2 government measures additionally require supplier agreements to include DigiInkoop security annexes and Dutch government-specific data processing requirements under the Uitvoeringswet AVG, which SP 800-53 does not prescribe.

Gaps

ISO 27002 requires specific agreement terms for information access, processing, handling, and return. SA-04 is comprehensive but agreement format requirements differ. BIO2 mandates DigiInkoop security annexes in supplier agreements and Dutch GDPR (Uitvoeringswet AVG) data processing clauses.

5.21 Managing information security in the ICT supply chain (BIO2)

Rationale

The SR family comprehensively addresses ICT supply chain risk management: SR-05 covers acquisition strategies; SR-06 supplier assessments; SR-09 tamper resistance; SR-10 inspection of systems; SR-11 component authenticity verification. BIO2 government measures additionally require DigiInkoop procurement compliance and alignment with Dutch government supply chain security guidelines issued by NCSC-NL, which SP 800-53 does not prescribe.

Gaps

Minimal gap for core supply chain management. BIO2 mandates DigiInkoop compliance and NCSC-NL supply chain security guidelines for government ICT procurement.

5.22 Monitoring, review and change management of supplier services (BIO2)

Rationale

SA-09 includes external service monitoring requirements. SR-06 covers supplier assessments and reviews. CA-07 continuous monitoring can extend to supplier service monitoring. BIO2 government measures additionally require supplier service reviews to be aligned with DigiInkoop evaluation criteria and reported through ENSIA accountability mechanisms, which SP 800-53 does not prescribe.

Gaps

ISO 27002 requires regular monitoring and review of supplier service delivery, performance measurement, and change management of supplier services. SP 800-53 is less prescriptive about ongoing supplier service monitoring cadence and performance tracking. BIO2 mandates DigiInkoop evaluation criteria and ENSIA reporting for supplier service monitoring.

5.23 Information security for use of cloud services (BIO2)

Rationale

SA-09 covers external information system services (includes cloud). AC-20 addresses use of external systems. SC-07 boundary protection. SA-04 acquisition requirements. BIO2 government measures additionally require government cloud services to be assessed per the Rijkscloud policy and NCSC-NL cloud security guidelines, and may require data sovereignty assessment to ensure government data remains within EU/EEA jurisdictions, which SP 800-53 does not address.

Gaps

ISO 27002:2022 added cloud-specific controls covering shared responsibility models, cloud exit strategy, multi-tenancy isolation, and cloud-specific risk assessment. SP 800-53 addresses cloud through general external service controls but lacks cloud-specific implementation requirements. BIO2 requires government cloud assessment per Rijkscloud policy and NCSC-NL cloud guidelines, including data sovereignty and EU/EEA data residency requirements.

5.24 Information security incident management planning and preparation (BIO2)

Rationale

IR-01 covers incident response policy and procedures. IR-02 incident response training. IR-03 incident response testing. IR-04 incident handling. IR-07 incident response assistance. IR-08 incident response plan. Comprehensive coverage of planning and preparation. BIO2 government measures additionally require incident management plans to include NCSC-NL notification procedures and coordination with sector-specific CERTs per the Cyberbeveiligingswet, which SP 800-53 does not prescribe.

Gaps

Minimal gap for core incident planning. BIO2 mandates NCSC-NL notification procedures and sector-specific CERT coordination in incident management plans per the Cyberbeveiligingswet.

5.25 Assessment and decision on information security events (BIO2)

Rationale

IR-04 incident handling includes event assessment and triage. IR-05 incident monitoring. IR-06 incident reporting. SI-04 system monitoring supports event identification and initial assessment. BIO2 government measures additionally require event classification to align with Dutch government incident severity levels and NCSC-NL reporting thresholds, which SP 800-53 does not prescribe.

Gaps

Minor: Event classification and decision-making processes are well addressed. BIO2 requires event classification aligned with Dutch government incident severity levels and NCSC-NL reporting thresholds per the Cyberbeveiligingswet.

5.26 Response to information security incidents (BIO2)

Rationale

IR-04 comprehensively covers incident response including containment, eradication, and recovery. IR-06 reporting; IR-07 assistance. IR-09 (Information Spillage Response) adds specific response procedures for information spillage incidents. BIO2 government measures additionally require notification to NCSC-NL and sector-specific CERTs within specific timeframes defined by the Cyberbeveiligingswet, which SP 800-53 does not prescribe.

Gaps

Minimal gap for core incident response. BIO2 government measures mandate NCSC-NL incident notification within specific timeframes per the Cyberbeveiligingswet, which has no SP 800-53 equivalent.

5.27 Learning from information security incidents (BIO2)

Rationale

IR-03 includes lessons learned as part of incident response testing and exercises. IR-04 includes incident analysis and post-incident activities. Together they support ISO 27002's requirement for using incident knowledge to improve security. BIO2 government measures additionally require that lessons learned are shared with NCSC-NL and relevant sector CERTs where appropriate, and documented for ENSIA audit trail, which SP 800-53 does not prescribe.

Gaps

ISO 27002 emphasizes structured knowledge management from incidents to reduce future likelihood and impact. SP 800-53 supports this through post-incident review but formal knowledge base management is less prescribed. BIO2 requires lessons learned to be shared with NCSC-NL and documented for ENSIA audit compliance.

5.28 Collection of evidence (BIO2)

Rationale

IR-04 incident handling includes evidence collection. AU-03 content of audit records for evidential value. AU-06 audit review and analysis. AU-09 protection of audit information against tampering. AU-11 audit record retention for evidence preservation. BIO2 government measures additionally require evidence handling to comply with Dutch Wetboek van Strafvordering (Code of Criminal Procedure) for potential law enforcement referrals, which SP 800-53 does not address.

Gaps

ISO 27002 provides specific evidence handling guidance including chain of custody, forensic admissibility, and evidence management procedures. SP 800-53 is less explicit on forensic evidence management procedures for legal proceedings. BIO2 requires evidence handling compliance with Dutch legal procedures for potential law enforcement referrals.

5.29 Information security during disruption (BIO2)

Rationale

The CP family comprehensively covers continuity planning, testing, and recovery: CP-11 alternate communications protocols; CP-12 safe mode; CP-13 alternative security mechanisms. This gives strong alignment with maintaining security during disruption. BIO2 government measures additionally require continuity plans to ensure essential government services remain available during disruptions, aligned with the essential services requirements of the Wet beveiliging netwerk- en informatiesystemen (Wbni), which SP 800-53 does not prescribe.

Gaps

Minimal gap for core continuity controls. BIO2 requires continuity plans to address essential government service availability per the Wbni (Dutch NIS implementation) and Cyberbeveiligingswet.

5.30 ICT readiness for business continuity (BIO2)

Rationale

CP-02 contingency plan covers ICT readiness. CP-04 testing. CP-07 alternate processing site. CP-08 telecommunications services. CP-09 backup. CP-10 recovery and reconstitution. BIO2 government measures additionally require ICT readiness assessments to be aligned with Dutch government essential services continuity requirements under the Cyberbeveiligingswet, which SP 800-53 supports through general contingency planning but does not prescribe for specific national essential services.

Gaps

ISO 27002 specifically addresses Business Impact Analysis for ICT services and ICT readiness as a distinct concept. SP 800-53 CP-02 requires BIA but ICT readiness analysis is implicit rather than a standalone requirement. BIO2 requires ICT readiness aligned with Dutch essential services continuity requirements.

5.31 Legal, statutory, regulatory and contractual requirements (BIO2)

Rationale

PL-04 rules of behavior include legal compliance obligations. PM-01 program plan addresses regulatory compliance. SA-04 covers contractual requirements. PM-08 critical infrastructure plan. BIO2 government measures additionally require explicit identification of and compliance with Dutch legislation including the Cyberbeveiligingswet, Uitvoeringswet AVG (Dutch GDPR implementation), Wet open overheid (Woo), and sector-specific regulations, which SP 800-53 does not address.

Gaps

ISO 27002 requires explicit identification, documentation, and maintenance of all applicable legal, regulatory, and contractual requirements. SP 800-53 lacks a dedicated legal compliance identification control; FISMA context assumes federal requirements rather than requiring systematic identification. BIO2 requires alignment with the Cyberbeveiligingswet implementation roadmap and explicit compliance tracking for Dutch legislation (Uitvoeringswet AVG, Woo, sector regulations).

5.32 Intellectual property rights (BIO2)
Coverage: 13%

Rationale

No direct SP 800-53 control addresses intellectual property management, software licensing compliance, or copyright protection. BIO2 government measures additionally require compliance with Dutch government software licensing standards and open-source policy (Comply or Explain for open standards), which SP 800-53 does not address.

Gaps

Significant gap. SP 800-53 does not address software licensing compliance, copyright management, proprietary data protection, or IP rights enforcement. Requires supplementary organizational controls outside SP 800-53. BIO2 adds Dutch government open-source and open standards compliance requirements.

5.33 Protection of records (BIO2)

Rationale

AU-11 covers audit record retention. SI-12 covers information management and retention. AU-09 covers protection of audit information against unauthorized modification or deletion. BIO2 government measures additionally require records management to comply with the Archiefwet (Dutch Archives Act) and Selectielijsten (retention schedules) for government records, which SP 800-53 does not address.

Gaps

ISO 27002 requires protection of all records from loss, destruction, falsification, unauthorized access, and unauthorized release per legal, regulatory, and business requirements. SP 800-53 covers audit records well but broader records management is less explicit. BIO2 requires compliance with the Archiefwet and Dutch government retention schedules for government records.

5.34 Privacy and protection of PII (BIO2)

Rationale

The PT family provides comprehensive PII protection: PM-25 minimisation; PM-26 complaint management; PM-27 privacy reporting; PM-28 risk framing. SI-18 (PII Quality Operations) adds controls for maintaining the quality of PII throughout the data lifecycle. RA-08 (Privacy Impact Assessments) ensures privacy impacts are assessed before processing PII. BIO2 government measures additionally require compliance with the Uitvoeringswet AVG (Dutch GDPR implementation), a mandatory DPIA for high-risk processing, and appointment of a Functionaris Gegevensbescherming (FG/DPO), which SP 800-53 partially addresses but not in the Dutch legal context.

Gaps

ISO 27002 defers to ISO 27701 for full privacy management system. SP 800-53 privacy controls are comprehensive but focused on US federal regulatory context. BIO2 requires compliance with the Uitvoeringswet AVG with specific Dutch DPO (FG) requirements and DPIA obligations that reflect EU/Dutch privacy law, not US federal privacy frameworks.

5.35 Independent review of information security (BIO2)

Rationale

CA-02 covers security assessments which serve as independent reviews. CA-07 continuous monitoring. PM-06 performance measurement to evaluate effectiveness. BIO2 government measures additionally require ENSIA self-assessment and external audit as the mandated independent review mechanism for Dutch government organisations, which SP 800-53 does not prescribe.

Gaps

ISO 27002 requires independent review of the organisation's approach to managing information security, not just technical control assessment. Management system review independence is less explicitly addressed in SP 800-53. BIO2 mandates ENSIA audit compliance for accountability to supervisory bodies, which has no SP 800-53 equivalent.

5.36 Compliance with policies, rules and standards (BIO2)

Rationale

CA-02 assesses compliance with security requirements. AU-06 reviews audit records for compliance violations. PM-06 measures security performance. CA-07 continuous monitoring detects deviations. BIO2 government measures additionally require compliance verification through the ENSIA framework with annual self-assessments and periodic external audits reported to supervisory bodies, which SP 800-53 does not prescribe.

Gaps

ISO 27002 requires regular review that information processing and procedures comply with security policies and standards. SP 800-53 assessment approach differs from ISO's compliance checking methodology. BIO2 mandates ENSIA compliance verification with annual self-assessments reported to supervisory bodies.

5.37 Documented operating procedures (BIO2)

Rationale

PL-02 covers system security plans documenting procedures. SA-05 system documentation. CM family covers operational procedures for configuration management activities. BIO2 government measures additionally require operating procedures to be documented, reviewed, and maintained per ENSIA accountability requirements, and to be aligned with Rijksoverheid operational standards, which SP 800-53 does not prescribe.

Gaps

ISO 27002 requires documented operating procedures for information processing facilities made available to all personnel who need them. SP 800-53 distributes procedures across families rather than requiring unified operating procedures documentation. BIO2 requires operating procedures to be aligned with Rijksoverheid standards and documented for ENSIA audit compliance.

6.1 Screening (BIO2)

Rationale

PS-03 directly covers personnel screening, including background verification checks before access is granted, and covers both initial and ongoing screening requirements. BIO2 government measures additionally require screening to comply with Dutch government personnel vetting standards, including Verklaring Omtrent het Gedrag (VOG) certificates for all government employees and contractors; SP 800-53 supports this in principle through PS-03 but does not prescribe Dutch-specific vetting.

Gaps

ISO 27002 provides guidance on screening depth varying by role sensitivity, which aligns with PS-03's risk-based approach. BIO2 requires VOG certificates (certificates of conduct) as a mandatory screening requirement for Dutch government personnel.

6.2 Terms and conditions of employment (BIO2)

Rationale

PS-06 covers access agreements including confidentiality requirements. PL-04 covers rules of behavior. PS-07 covers third-party personnel. PS-09 (Position Descriptions) requires security and privacy responsibilities in position descriptions. BIO2 government measures additionally require employment terms to reference Dutch government security obligations including the Ambtenarenwet and applicable CAO regulations, which SP 800-53 does not address.

Gaps

ISO 27002 includes security responsibilities in employment contracts. SP 800-53 focuses on access agreements and position descriptions rather than employment contract terms specifically. BIO2 requires employment terms to reference Dutch Ambtenarenwet and applicable CAO security obligations.

6.3 Information security awareness, education and training (BIO2)

Rationale

AT-02 awareness training; AT-03 role-based security training; AT-04 training records. PM-13 workforce program; PM-14 testing and exercises. AT-06 (Training Feedback) provides feedback on training results. BIO2 government measures additionally require awareness training to cover Dutch-specific topics including the Cyberbeveiligingswet, government classification handling, and NCSC-NL advisories, which SP 800-53 supports through general training mechanisms.

Gaps

Minimal gap for core training. BIO2 requires awareness training to include Dutch government-specific topics including Cyberbeveiligingswet obligations and government classification handling procedures.

6.4 Disciplinary process (BIO2)

Rationale

PS-08 covers personnel sanctions for security violations including formal and informal sanctions. BIO2 government measures additionally require disciplinary processes to comply with Dutch employment law (Ambtenarenwet) and applicable CAO procedures, including specific protections for government employees, which SP 800-53 does not address.

Gaps

ISO 27002 requires a formal, communicated disciplinary process with graduated responses. PS-08 addresses sanctions but is less prescriptive about process stages, communication to personnel, and consideration of mitigating circumstances. BIO2 requires disciplinary processes to comply with Dutch Ambtenarenwet employee protections.

6.5 Responsibilities after termination or change of employment (BIO2)

Rationale

PS-04 covers personnel termination including access revocation and ongoing obligations. PS-05 covers personnel transfer. PS-06 covers access agreements that persist post-employment. BIO2 government measures additionally require post-employment confidentiality obligations to extend to classified government information under Dutch law, which SP 800-53 supports through access agreements but does not prescribe for specific national classification schemes.

Gaps

Minimal gap for core termination controls. BIO2 requires post-employment confidentiality obligations for classified government information under Dutch legal frameworks.

6.6 Confidentiality or non-disclosure agreements (BIO2)

Rationale

PS-06 covers access agreements which include confidentiality requirements for personnel. SA-09 covers external service agreements including confidentiality terms with third parties. BIO2 government measures additionally require NDAs to reference Dutch government classification levels and comply with Dutch contract law, which SP 800-53 does not prescribe.

Gaps

ISO 27002 specifically requires NDAs reflecting organisational needs with regular review and updates. PS-06 is broader (access agreements) and NDA-specific requirements (jurisdiction, post-contract duration) are less detailed. BIO2 requires NDAs to reference Dutch government classification levels and comply with Dutch contract law.

6.7 Remote working (BIO2)

Rationale

AC-17 directly covers remote access controls and monitoring. PE-17 covers alternate work site security. SC-28 covers protection of information at rest on remote devices. BIO2 government measures additionally require remote working to comply with Rijksoverheid remote working policy and NCSC-NL secure remote working guidelines, including approved device management, which SP 800-53 supports through general remote access controls.

Gaps

ISO 27002 includes physical security at remote locations, clean desk for remote workers, and remote working-specific risk considerations beyond technical access controls. BIO2 requires compliance with Rijksoverheid remote working policy and NCSC-NL guidelines for secure remote working.

6.8 Information security event reporting (BIO2)

Rationale

IR-06 directly covers incident reporting requirements. IR-07 covers incident response assistance and guidance for reporters. IR-01 establishes the policy framework for event reporting. BIO2 government measures additionally require security event reporting to include NCSC-NL notification within prescribed timeframes per the Cyberbeveiligingswet, and employees must be trained on Dutch government-specific reporting channels, which SP 800-53 does not prescribe.

Gaps

ISO 27002 emphasizes the employee obligation to report events; SP 800-53 addresses this through policy and reporting procedures. BIO2 government measures mandate NCSC-NL incident notification within prescribed timeframes per the Cyberbeveiligingswet, which has no SP 800-53 equivalent.

7.1 Physical security perimeters (BIO2)

Rationale

PE-03 covers physical access control including perimeter barriers, entry points, and access mechanisms. PE-04 covers access control for transmission medium including physical protection of cabling routes that form perimeters. BIO2 government measures additionally reference Rijksoverheid physical security standards for government buildings, which SP 800-53 supports through general physical access controls.

Gaps

ISO 27002 includes guidance on perimeter strength proportional to assets; PE-03 addresses this through risk-based physical access controls. BIO2 references Rijksoverheid physical security standards for government facilities.

7.2 Physical entry (BIO2)

Rationale

PE-02 physical access authorizations; PE-03 physical access control mechanisms; PE-06 monitoring physical access; PE-07 visitor control; PE-08 visitor access records. Comprehensive physical entry controls. BIO2 government measures additionally reference Rijksoverheid visitor management procedures for government buildings, which SP 800-53 supports through general visitor controls.

Gaps

Minimal gap for core physical entry. BIO2 references Rijksoverheid visitor management procedures for government buildings.

7.3 Securing offices, rooms and facilities (BIO2)

Rationale

PE-03 physical access control for offices and rooms. PE-05 access control for output devices. PE-18 location of information system components within facilities. BIO2 government measures additionally reference Rijksoverheid physical security standards for securing government offices and classified processing areas, which SP 800-53 supports through general physical access controls.

Gaps

ISO 27002 addresses office-specific risks including sound insulation, door locks, window protection, and facility design. SP 800-53 is less specific about office-level security design. BIO2 references Rijksoverheid standards for securing classified processing areas in government facilities.

7.4 Physical security monitoring (BIO2)

Rationale

PE-06 directly covers monitoring physical access including CCTV, intrusion alarms, and guard patrols. PE-08 covers access logs for monitoring and review. BIO2 government measures additionally reference Rijksoverheid surveillance and monitoring requirements for government facilities, which SP 800-53 supports through general monitoring provisions.

Gaps

Minimal gap for core monitoring. BIO2 references Rijksoverheid surveillance requirements for government facilities.

7.5 Protecting against physical and environmental threats (BIO2)

Rationale

PE family comprehensively covers environmental protections: power equipment (PE-09), emergency shutoff (PE-10), emergency power (PE-11), emergency lighting (PE-12), fire protection (PE-13), temperature/humidity (PE-14), water damage (PE-15). PE-21 (Electromagnetic Pulse Protection) adds protection against EMP threats. PE-23 (Facility Location) adds facility location planning. BIO2 government measures additionally reference Rijksoverheid environmental protection standards, which SP 800-53 comprehensively addresses.

Gaps

Minimal gap. PE-21 and PE-23 strengthen coverage. BIO2 references Rijksoverheid environmental protection standards for government facilities.

7.6 Working in secure areas (BIO2)

Rationale

PE-02/PE-03 control access to secure areas. PE-07 addresses visitor control and escort requirements in secure areas. BIO2 government measures additionally reference Rijksoverheid secure area working procedures for classified processing environments, including photography restrictions and device controls, which SP 800-53 is less specific about.

Gaps

ISO 27002 includes specific rules for working in secure areas such as photography restrictions, supervised access, empty area verification, and prohibition of recording equipment. SP 800-53 is less specific about behavioural controls within secure areas. BIO2 references Rijksoverheid secure area working procedures for classified environments.

7.7 Clear desk and clear screen (BIO2)

Rationale

AC-11 covers session lock (clear screen). MP-04 covers media storage requirements. PE-05 covers access control for output devices to prevent unauthorized viewing. BIO2 government measures additionally require clear desk policies to address handling of classified government documents per VIR, which SP 800-53 supports through general media protection.

Gaps

ISO 27002 explicitly addresses clear desk policy as a formal requirement. AC-11 covers screen lock; desk policy is implied through MP controls but not explicitly stated. BIO2 requires clear desk policies to address Dutch government classified document handling per VIR.

7.8 Equipment siting and protection (BIO2)

Rationale

PE-14 environmental controls for equipment. PE-18 location of information system components. PE-01 physical and environmental protection policy. PE-23 (Facility Location) addresses planning facility and equipment location. BIO2 government measures additionally reference Rijksoverheid equipment siting guidelines for government data centres and processing facilities, which SP 800-53 supports through general environmental controls.

Gaps

ISO 27002 includes equipment placement to minimize unauthorized access, environmental hazards, and electromagnetic interference. SP 800-53 is less specific about equipment siting methodology. BIO2 references Rijksoverheid equipment siting guidelines for government data centres.

7.9 Security of assets off-premises (BIO2)

Rationale

AC-17 remote access; MP-05 media transport protection; SC-28 protection of information at rest; AC-19 access control for mobile devices. BIO2 government measures additionally require that classified government assets taken off-premises comply with VIR handling standards and NCSC-NL mobile device security guidelines, which SP 800-53 supports through general mobile and media controls.

Gaps

ISO 27002 covers all off-premises assets including laptops, paper documents, and portable equipment. SP 800-53 covers media and remote access well but holistic physical asset protection off-site is less comprehensive. BIO2 requires classified government assets off-premises to comply with VIR handling standards.

7.10 Storage media (BIO2)

Rationale

MP family comprehensively covers media protection lifecycle: policy (MP-01), access (MP-02), marking (MP-03), storage (MP-04), transport (MP-05), sanitization (MP-06), use restrictions (MP-07). MP-08 (Media Downgrading) adds media downgrading procedures. BIO2 government measures additionally require media handling to comply with VIR classification-specific procedures, which SP 800-53 comprehensively addresses through the MP family.

Gaps

Minimal gap. MP-08 strengthens coverage for media reclassification and reuse scenarios. BIO2 requires media handling aligned with VIR classification procedures for government media.

7.11 Supporting utilities (BIO2)

Rationale

PE-09 power equipment and cabling protection. PE-10 emergency shutoff capabilities. PE-11 emergency power supply. PE-12 emergency lighting. Comprehensive supporting utility protection. BIO2 government measures additionally reference Rijksoverheid utility resilience standards for government facilities, which SP 800-53 addresses through general utility protection controls.

Gaps

ISO 27002 includes water supply and sewage considerations which are partially addressed through general facility controls. BIO2 references Rijksoverheid utility resilience standards for government facilities.

7.12 Cabling security (BIO2)

Rationale

PE-04 covers access control for transmission medium including cable routing protection. PE-09 covers power equipment and cabling protection. BIO2 government measures additionally reference Rijksoverheid cabling standards for government facilities, particularly for classified processing areas requiring TEMPEST-grade protection, which SP 800-53 supports through PE-04 but is less specific about.

Gaps

ISO 27002 provides specific cabling security measures including protected routing, electromagnetic shielding, fibre optic preference for sensitive links, and separation of power/telecommunications. SP 800-53 PE-04 is more general. BIO2 references Rijksoverheid cabling standards including TEMPEST requirements for classified environments.

7.13 Equipment maintenance (BIO2)

Rationale

MA family comprehensively covers maintenance: policy (MA-01), controlled maintenance (MA-02), maintenance tools (MA-03), nonlocal maintenance (MA-04), maintenance personnel (MA-05), timely maintenance (MA-06). MA-07 (Field Maintenance) adds controls for field maintenance on critical components. BIO2 government measures additionally require maintenance personnel to hold appropriate security clearances per Dutch government vetting standards, which SP 800-53 supports through MA-05.

Gaps

Minimal gap. MA-07 strengthens coverage for maintenance of critical equipment. BIO2 requires maintenance personnel to hold Dutch government security clearances where applicable.

7.14 Secure disposal or re-use of equipment (BIO2)

Rationale

MP-06 covers media sanitization with methods appropriate to classification (clear, purge, destroy). MP-08 (Media Downgrading) adds media downgrading procedures for reclassification before reuse. BIO2 government measures additionally require disposal of classified government equipment to follow VIR destruction procedures and NCSC-NL sanitization guidelines, which SP 800-53 supports through MP-06.

Gaps

ISO 27002 covers disposal of all equipment, not just media; equipment-level sanitization is less explicitly addressed in SP 800-53. BIO2 requires disposal of classified equipment to follow VIR destruction procedures and NCSC-NL sanitization guidelines.

8.1 User endpoint devices (BIO2)

Rationale

AC-19 mobile device management; CM-07 least functionality for endpoint hardening; SC-28 encryption at rest; CM-08 inventory of endpoints. SC-41 (Port and I/O Device Access Restriction) adds controls for restricting physical port and I/O device access on endpoints. BIO2 government measures additionally require endpoints to comply with NCSC-NL endpoint security guidelines and Rijksoverheid-approved device configurations, which SP 800-53 supports through general endpoint controls.

Gaps

ISO 27002 provides holistic endpoint management guidance including BYOD policies, MDM, containerisation, and endpoint-specific risk assessment. SP 800-53 distributes endpoint controls across multiple families. BIO2 requires endpoints to comply with NCSC-NL endpoint security guidelines and Rijksoverheid-approved configurations.

8.2 Privileged access rights (BIO2)

Rationale

AC-06 least privilege with specific privileged access restrictions, authorization, and review. AC-02 account management including privileged account lifecycle. AC-05 separation of duties for privileged functions. BIO2 government measures additionally require privileged access to be logged and reviewed for ENSIA audit compliance, which SP 800-53 supports through AC-02 and AU controls.

Gaps

Minimal gap. SP 800-53 privileged access controls are comprehensive. BIO2 requires privileged access review logs for ENSIA audit compliance.

8.3 Information access restriction (BIO2)

Rationale

AC-03 access enforcement; AC-04 information flow enforcement; AC-06 least privilege; AC-24 access control decisions based on security attributes. Comprehensive access restriction implementation. BIO2 government measures additionally require access restrictions to align with Dutch government classification handling rules per VIR, which SP 800-53 addresses through its own classification framework.

Gaps

Minimal gap. SP 800-53 access restriction controls exceed ISO 27002 requirements. BIO2 requires access restrictions aligned with VIR classification handling rules for classified government information.

8.4 Access to source code (BIO2)

Rationale

CM-05 covers access restrictions for change including source code. AC-03 access enforcement. SA-10 developer configuration management covers source code repository controls. BIO2 government measures additionally require source code access controls to align with Dutch government open-source policy and code publication guidelines where applicable, which SP 800-53 does not address.

Gaps

ISO 27002 specifically addresses source code repositories, read/write access separation, and source code library management. SP 800-53 addresses these through general access and configuration management controls. BIO2 adds Dutch government open-source code publication requirements.

8.5 Secure authentication (BIO2)

Rationale

IA-02 identification and authentication with MFA capabilities. IA-05 authenticator management. IA-08 identification of non-organisational users. IA-11 re-authentication requirements. BIO2 government measures additionally require authentication to meet eIDAS assurance levels and may mandate DigiD for citizen-facing services and PKIoverheid certificates for government authentication, which SP 800-53 does not prescribe.

Gaps

Minimal gap for core authentication. BIO2 requires eIDAS assurance level compliance and may mandate DigiD for citizen-facing services, a Netherlands-specific authentication requirement.

8.6 Capacity management (BIO2)

Rationale

AU-04 covers audit log storage capacity. SC-05 denial of service protection addresses capacity exhaustion attacks. CP-02 contingency planning considers capacity requirements. SA-04 addresses capacity in acquisition requirements. BIO2 government measures additionally require capacity management for essential government services to ensure availability per the Cyberbeveiligingswet, which SP 800-53 addresses through general capacity provisions.

Gaps

ISO 27002 requires proactive capacity management for all IT resources with monitoring, forecasting, and right-sizing. SP 800-53 covers capacity in specific contexts but lacks a general IT capacity planning and management control. BIO2 requires capacity management for essential government services per the Cyberbeveiligingswet.

8.7 Protection against malware (BIO2)

Rationale

SI-03 directly covers malicious code protection with detection, eradication, and prevention. SI-08 covers spam protection. SC-44 (Detonation Chambers) adds malware detonation/sandboxing capabilities. BIO2 government measures additionally require malware protection aligned with NCSC-NL advisories and hardening guidelines, which SP 800-53 comprehensively addresses through general malware controls.

Gaps

Minimal gap. SC-44 adds advanced malware analysis capability. BIO2 requires malware protection aligned with NCSC-NL advisories and hardening guidelines.

8.8 Management of technical vulnerabilities (BIO2)

Rationale

RA-05 vulnerability monitoring and scanning. SI-02 flaw remediation with patching. SI-05 security alerts, advisories, and directives for vulnerability notifications. BIO2 government measures additionally require vulnerability management to incorporate NCSC-NL vulnerability advisories and patching timelines, which SP 800-53 supports through general vulnerability management controls.

Gaps

Minimal gap. SP 800-53 vulnerability management controls are comprehensive. BIO2 requires incorporation of NCSC-NL vulnerability advisories and patching timelines.

8.9 Configuration management (BIO2)

Rationale

CM family comprehensively covers configuration management: baselines (CM-02), change control (CM-03), impact analysis (CM-04), access restrictions (CM-05), settings (CM-06), least functionality (CM-07), inventory (CM-08), restrictions (CM-09). CM-14 (Signed Components) adds digital signature verification. BIO2 government measures additionally require configuration baselines to align with NCSC-NL hardening guidelines, which SP 800-53 supports through general configuration controls.

Gaps

Minimal gap. CM-14 strengthens configuration integrity verification. BIO2 requires configuration baselines aligned with NCSC-NL hardening guidelines.

8.10 Information deletion (BIO2)

Rationale

MP-06 media sanitization covers secure deletion methods. SI-12 information management and retention covers information lifecycle including deletion. BIO2 government measures additionally require information deletion to comply with the Archiefwet (Dutch Archives Act) retention and destruction schedules, and the Uitvoeringswet AVG right-to-erasure provisions, which SP 800-53 does not address.

Gaps

ISO 27002 specifically addresses deletion when information is no longer required, based on retention policies and legal requirements. SP 800-53 covers sanitization methods but proactive information deletion based on business need is less explicitly addressed. BIO2 requires information deletion compliance with the Archiefwet and Uitvoeringswet AVG right-to-erasure provisions.

8.11 Data masking (BIO2)

Rationale

SI-19 covers de-identification techniques. PT-06/PT-07 cover privacy data processing minimisation. SC-28 protection of information at rest. SI-20 (Tainting) applies tainting to data to detect unauthorised data flows. BIO2 government measures additionally require data masking to comply with the Uitvoeringswet AVG pseudonymisation and anonymisation requirements, which SP 800-53 supports through general de-identification controls.

Gaps

ISO 27002 provides specific data masking technique guidance including pseudonymisation, anonymisation, and dynamic masking rules. SP 800-53 addresses de-identification and privacy but masking as a comprehensive technique set is less prescriptively covered. BIO2 requires data masking compliance with Uitvoeringswet AVG pseudonymisation requirements.

8.12 Data leakage prevention (BIO2)

Rationale

AC-04 information flow enforcement directly supports DLP. PE-19 information leakage addresses physical emanations. SC-07 boundary protection controls data egress. SI-04 system monitoring detects unauthorized data transfer. SC-31 (Covert Channel Analysis) adds analysis of covert exfiltration channels. BIO2 government measures additionally require DLP to address Dutch government classification markings and prevent leakage of classified government information, which SP 800-53 supports through general DLP controls.

Gaps

ISO 27002 specifically addresses DLP tool implementation. SP 800-53 distributes DLP concepts across multiple controls. BIO2 requires DLP to address Dutch government classification markings and prevent leakage of classified information.

8.13 Information backup (BIO2)

Rationale

CP-09 directly covers information system backup including backup frequency, testing, and integrity verification. CP-06 alternate storage site for off-site backup. BIO2 government measures additionally require backup storage to comply with Dutch data sovereignty requirements, ensuring government data backups remain within EU/EEA jurisdictions, which SP 800-53 supports through general backup controls.

Gaps

Minimal gap. SP 800-53 backup controls are comprehensive. BIO2 requires backup storage to comply with Dutch data sovereignty and EU/EEA data residency requirements.

8.14 Redundancy of information processing facilities (BIO2)

Rationale

CP-06 alternate storage site; CP-07 alternate processing site; CP-08 telecommunications services. SC-36 distributed processing and storage provides additional redundancy. BIO2 government measures additionally require redundant processing facilities for essential government services to comply with the Cyberbeveiligingswet availability requirements, which SP 800-53 supports through general contingency controls.

Gaps

ISO 27002 focuses on redundancy for availability requirements, whereas CP controls focus on contingency, which includes redundancy. BIO2 requires redundant processing for essential government services per the Cyberbeveiligingswet availability requirements.

8.15 Logging (BIO2)

Rationale

AU family comprehensively covers logging: auditable events (AU-02), content (AU-03), storage capacity (AU-04), response to failures (AU-05), review and analysis (AU-06), reduction/reporting (AU-07), timestamps (AU-08), protection (AU-09), retention (AU-11), generation (AU-12). BIO2 government measures additionally require logging to support ENSIA audit trail requirements and NCSC-NL forensic readiness guidelines, which SP 800-53 comprehensively addresses through the AU family.

Gaps

Minimal gap. SP 800-53 AU family is comprehensive for logging requirements. BIO2 requires logging to support ENSIA audit trail and NCSC-NL forensic readiness guidelines.

8.16 Monitoring activities (BIO2)

Rationale

SI-04 directly covers system monitoring including real-time analysis, anomaly detection, and alerting. AU-06 audit review and analysis. CA-07 continuous monitoring strategy. IR-04 incident handling integrates monitoring outputs. BIO2 government measures additionally require monitoring to be aligned with NCSC-NL monitoring guidelines and to feed into Dutch government threat intelligence sharing, which SP 800-53 comprehensively addresses through general monitoring controls.

Gaps

Minimal gap. SP 800-53 monitoring controls are comprehensive. BIO2 requires monitoring aligned with NCSC-NL guidelines and Dutch government threat intelligence sharing.

8.17 Clock synchronization (BIO2)

Rationale

AU-08 directly covers time stamps and clock synchronisation for audit records. SC-45 (System Time Synchronization) adds authoritative time source synchronisation requirements. BIO2 government measures additionally require clock synchronisation to use approved time sources for government systems, which SP 800-53 addresses through SC-45.

Gaps

Minimal gap. SC-45 strengthens coverage with authoritative time source requirements. BIO2 requires use of approved time sources for government systems.

8.18 Use of privileged utility programs (BIO2)

Rationale

CM-07 least functionality restricts available utilities. CM-11 controls user-installed software including utilities. AC-06 least privilege restricts access to privileged utilities. BIO2 government measures additionally require privileged utility program usage to be logged and reviewed per NCSC-NL hardening guidelines, which SP 800-53 supports through general least functionality and privilege controls.

Gaps

ISO 27002 specifically addresses privileged utility programs that can override system and application controls. SP 800-53 addresses through general least functionality and privilege controls rather than utility-specific controls. BIO2 requires privileged utility usage logging aligned with NCSC-NL hardening guidelines.

8.19 Installation of software on operational systems (BIO2)

Rationale

CM-05 access restrictions for change govern who can install software. CM-07 least functionality limits what can be installed. CM-11 controls user-installed software. SA-22 addresses unsupported components. CM-14 (Signed Components) prevents installation of unsigned software/firmware. BIO2 government measures additionally require software installation to comply with NCSC-NL approved software lists and hardening guidelines, which SP 800-53 supports through general software installation controls.

Gaps

Minimal gap. CM-14 adds digital signature verification for software installation. BIO2 requires software installation compliance with NCSC-NL approved software lists.

8.20 Networks security (BIO2)

Rationale

SC-07 boundary protection; SC-08 transmission confidentiality and integrity; AC-04 information flow enforcement. CA-09 (Internal System Connections) addresses authorisation and review of internal system connections. BIO2 government measures additionally require network security to comply with NCSC-NL network security guidelines and may require connection to Diginetwerk for inter-governmental communication, which SP 800-53 supports through general network controls.

Gaps

Minimal gap. CA-09 adds internal connection authorisation. BIO2 requires network security aligned with NCSC-NL guidelines and may require Diginetwerk connectivity for inter-governmental networks.

8.21 Security of network services (BIO2)

Rationale

SC-07/SC-08 cover network security mechanisms. SA-09 covers external system services including network services with security requirements and monitoring. BIO2 government measures additionally require network services to comply with NCSC-NL service security guidelines and Dutch government network standards, which SP 800-53 supports through general network service controls.

Gaps

ISO 27002 requires security features, service levels, and management requirements for network services, including SLAs; network service-level agreements are less detailed in SP 800-53. BIO2 requires network services aligned with NCSC-NL and Dutch government network standards.

8.22 Segregation of networks (BIO2)

Rationale

SC-07 boundary protection includes network segmentation capabilities. SC-32 system partitioning provides logical and physical separation. Together they comprehensively address network segregation. BIO2 government measures additionally require network segregation to align with Dutch government network zone standards, particularly for classified processing environments, which SP 800-53 comprehensively addresses through SC-07 and SC-32.

Gaps

Minimal gap. SP 800-53 network segmentation controls are comprehensive. BIO2 requires network segregation aligned with Dutch government zone standards for classified environments.

8.23 Web filtering (BIO2)

Rationale

SC-07 boundary protection includes content filtering. SI-03 malware protection catches web-borne threats. AC-04 information flow enforcement. BIO2 government measures additionally require web filtering to align with NCSC-NL web security guidelines and may require DNS filtering through government-approved services, which SP 800-53 does not specifically address.

Gaps

ISO 27002 specifically addresses URL filtering, web content filtering, and restricting access to unsafe websites. No dedicated SP 800-53 web filtering control exists. BIO2 requires web filtering aligned with NCSC-NL guidelines and may require government-approved DNS filtering services.

Mapped Controls

8.24 Use of cryptography (BIO2)

Rationale

SC-12 cryptographic key establishment and management. SC-13 cryptographic protection with algorithm requirements. SC-28 protection of information at rest using encryption. BIO2 government measures additionally require cryptographic implementations to comply with NCSC-NL cryptographic guidelines and may require PKIoverheid certificates for government services, which SP 800-53 supports through general cryptographic controls but does not prescribe Dutch-specific certificate authorities.

Gaps

Minimal gap for core cryptography. BIO2 requires cryptographic implementations to comply with NCSC-NL cryptographic guidelines and may mandate PKIoverheid certificates for government services.

Mapped Controls

8.25 Secure development life cycle (BIO2)

Rationale

SA-03 system development life cycle with security integration. SA-08 security and privacy engineering principles. SA-10 developer configuration management. SA-11 developer testing and evaluation. SA-15 development process, standards, and tools. SA-17 developer security and privacy architecture and design. BIO2 government measures additionally require secure development to align with NCSC-NL secure development guidelines and Dutch government open-source policy; the SP 800-53 SA family covers the underlying SDLC practices comprehensively but does not reference these Dutch guidelines or the open-source policy.

Gaps

Minimal gap. SP 800-53 SA family is comprehensive for secure development lifecycle. BIO2 requires alignment with NCSC-NL secure development guidelines.

8.26 Application security requirements (BIO2)

Rationale

SA-04 acquisition process includes security functional requirements. SA-08 security engineering principles applied to application design. SA-11 developer testing validates security requirements are met. BIO2 government measures additionally require application security requirements to address DigiD integration, accessibility (WCAG), and Dutch government application standards where applicable, which SP 800-53 supports through general application security controls.

Gaps

Minimal gap for core application security. BIO2 requires application security to address DigiD integration, accessibility, and Dutch government application standards where applicable.

Mapped Controls

8.27 Secure system architecture and engineering principles (BIO2)

Rationale

SA-08 security and privacy engineering principles. SA-17 developer security architecture and design. SC-07/SC-32 provide architecture-level security controls. PL-08 security and privacy architectures. BIO2 government measures additionally require system architecture to comply with the Nederlandse Overheid Referentie Architectuur (NORA) and NCSC-NL architecture guidelines, which SP 800-53 supports through general architecture controls.

Gaps

Minimal gap for core architecture. BIO2 requires system architecture alignment with NORA (Nederlandse Overheid Referentie Architectuur) and NCSC-NL architecture guidelines.

8.28 Secure coding (BIO2)

Rationale

SA-11 developer security testing validates code security. SA-15 development process standards and tools includes coding standards. SA-16 developer-provided training includes secure coding practices. BIO2 government measures additionally require secure coding to align with NCSC-NL secure coding guidelines and Dutch government open-source code publication standards, which SP 800-53 supports through general development controls.

Gaps

ISO 27002 provides specific secure coding practice guidance including input validation, error handling, and code review. SP 800-53 addresses through development process and testing controls rather than explicit coding standard requirements. BIO2 requires secure coding aligned with NCSC-NL guidelines.

Mapped Controls

8.29 Security testing in development and acceptance (BIO2)

Rationale

SA-11 directly covers developer security testing and evaluation. CA-02 security assessments for acceptance testing. SA-04 includes testing requirements in acquisition. BIO2 government measures additionally require security testing to include BIO2 baseline compliance verification as part of acceptance criteria, which SP 800-53 supports through general testing and assessment controls.

Gaps

Minimal gap for core security testing. BIO2 requires BIO2 baseline compliance verification as part of acceptance testing criteria.

Mapped Controls

8.30 Outsourced development (BIO2)

Rationale

SA-04 acquisition requirements for outsourced development. SA-09 external system services. SA-10/SA-11 developer requirements apply to outsourced developers. SA-21 (Developer Screening) adds screening requirements for developers of critical system components. BIO2 government measures additionally require outsourced development to comply with DigiInkoop procurement requirements and Dutch government supplier security standards, which SP 800-53 supports through general acquisition and developer controls.

Gaps

ISO 27002 details outsourced development supervision, intellectual property rights, and acceptance testing. SP 800-53 covers through general acquisition and developer controls. BIO2 requires outsourced development compliance with DigiInkoop procurement requirements.

8.31 Separation of development, test and production environments (BIO2)

Rationale

CM-04 impact analysis, through its CM-04(1) enhancement (Separate Test Environments), requires that changes be analysed and tested in a separate test environment before deployment. SA-11 developer testing implies testing environments. SC-32 system partitioning supports environment separation. CM-02 baseline configuration can be maintained per environment. BIO2 government measures additionally require environment separation to comply with NCSC-NL guidelines, particularly ensuring production data is not used in test environments without anonymisation per the Uitvoeringswet AVG, which SP 800-53 implies but does not mandate.

Gaps

ISO 27002 explicitly requires separation of development, testing and production environments. SP 800-53 requires a separate test environment only through the CM-04(1) enhancement and does not mandate the explicit three-way development/test/production separation. BIO2 requires environment separation aligned with NCSC-NL guidelines and Uitvoeringswet AVG data protection for test environments.

8.32 Change management (BIO2)

Rationale

CM-03 configuration change control with documented approval processes. CM-04 impact analysis before changes. CM-05 access restrictions for change. SA-10 developer configuration management for development changes. BIO2 government measures additionally require change management to be documented for ENSIA audit trail, which SP 800-53 supports through CM-03 documentation requirements.

Gaps

Minimal gap. SP 800-53 change management controls are comprehensive. BIO2 requires change management documentation for ENSIA audit compliance.

8.33 Test information (BIO2)

Rationale

SA-11 covers testing requirements. SA-15 development process standards include test data handling, and its SA-15(9) enhancement (Use of Live Data) requires the use of live data in development and test environments to be approved, documented and controlled; SA-03(2) (Use of Live or Operational Data) imposes the same requirement on preproduction environments. BIO2 government measures additionally require test data to comply with the Uitvoeringswet AVG, ensuring production PII is not used in test environments without proper anonymisation or pseudonymisation, which SP 800-53 does not explicitly require.

Gaps

ISO 27002 specifically addresses protection of test data, including anonymisation, controlled use of production data for testing, and proper disposal of test data. SP 800-53 controls the use of live data in development and test only through the SA-03(2) and SA-15(9) enhancements and has no base control covering anonymisation, pseudonymisation or disposal of test data. BIO2 requires test data compliance with Uitvoeringswet AVG anonymisation requirements.
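The pseudonymisation requirement raised under 8.31 and 8.33 is usually met by transforming direct identifiers before a production export is loaded into a test environment. The following is an added example, not part of the BIO2 text, SP 800-53 or any Dutch government tooling: it pseudonymises identifier columns with a keyed HMAC so that the same production value always maps to the same token within one refresh (foreign-key relationships survive), the token cannot be reversed without the key, and a rotated key yields an unlinkable data set. The column names, the sample export and the truncation to 64 bits are assumptions made for the example.

```python
"""Pseudonymise production PII before it is copied into a test environment.

Added example for the 8.31 / 8.33 discussion; not code from the BIO2, NCSC-NL
or SP 800-53 documents. Uses HMAC-SHA256 under a secret key: deterministic for
one key (referential integrity across rows and tables is preserved), not
reversible without the key, and different for every key rotation.
"""
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional, Tuple

# Columns treated as direct identifiers. Constructed for this example, not
# taken from any real schema; every other column is passed through unchanged.
PII_FIELDS = {"bsn", "email", "name"}


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Return a 16-hex-character (64-bit) token for one identifier value.

    The field name is mixed into the MAC input (domain separation) so that an
    email and a name with the same text do not produce the same token, which
    would otherwise create a cross-column linkage the original data never had.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(key: bytes, record: Dict[str, Any]) -> Dict[str, Any]:
    """Replace identifier columns in one row; NULLs and non-PII stay as-is."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in PII_FIELDS and value is not None:
            out[field] = pseudonymise_value(key, field, str(value))
        else:
            out[field] = value
    return out


def pseudonymise_dataset(key: bytes, rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [pseudonymise_record(key, r) for r in rows]


def contains_plaintext_pii(original: List[Dict[str, Any]],
                           candidate: List[Dict[str, Any]]) -> bool:
    """Acceptance gate for the test environment: no original identifier value
    may appear in any identifier column of the data set being loaded."""
    originals = {str(r[f]) for r in original for f in PII_FIELDS if r.get(f) is not None}
    return any(r.get(f) in originals for r in candidate for f in PII_FIELDS)


# Constructed sample export with fictitious values (not real persons or BSNs).
PRODUCTION_EXPORT: List[Dict[str, Any]] = [
    {"id": 1, "bsn": "000000011", "email": "a.jansen@example.nl", "name": "A. Jansen", "balance": 120.50},
    {"id": 2, "bsn": "000000022", "email": "b.devries@example.nl", "name": "B. de Vries", "balance": 0.0},
    {"id": 3, "bsn": "000000011", "email": "a.jansen@example.nl", "name": "A. Jansen", "balance": 15.00},
    {"id": 4, "bsn": None, "email": None, "name": "C. Bakker", "balance": 7.25},
]


def build_test_dataset(key: Optional[bytes] = None) -> Tuple[bytes, List[Dict[str, Any]]]:
    """Produce the data set a test environment may receive.

    The key is generated per refresh unless supplied, must be kept outside the
    test environment, and is discarded once the load is complete so the
    pseudonyms cannot be re-linked from inside that environment.
    """
    key = key or secrets.token_bytes(32)
    pseudo = pseudonymise_dataset(key, PRODUCTION_EXPORT)
    if contains_plaintext_pii(PRODUCTION_EXPORT, pseudo):
        raise RuntimeError("plaintext PII would reach the test environment")
    return key, pseudo


if __name__ == "__main__":
    _, rows = build_test_dataset()
    for row in rows:
        print(row)
```

Rows 1 and 3 of the sample share a customer, and after pseudonymisation they still share the same `bsn`, `email` and `name` tokens, so joins and uniqueness constraints in the test database keep working. Anything that must remain usable as a real value (an address for a postcode lookup, a date of birth for an age calculation) needs a different technique such as generalisation or synthetic replacement, which a bare HMAC does not provide; the gate in `contains_plaintext_pii` only checks that no original identifier survives.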

Mapped Controls

8.34 Protection of information systems during audit testing (BIO2)

Rationale

CA-02 covers security assessments including assessment planning and coordination. AU-06 covers audit record review, analysis and reporting, which concerns log review rather than the protection of systems under audit and is only tangentially relevant here. CA-08 penetration testing addresses planned security testing, including rules of engagement that protect systems during testing activities. BIO2 government measures additionally require audit testing to be coordinated with ENSIA audit schedules and conducted by approved auditors, which SP 800-53 does not prescribe.

Gaps

ISO 27002 requires that audit testing be planned and agreed to minimize business disruption, that access to tools is controlled, and that requirements are agreed with management. SP 800-53 assessment controls do not explicitly address protection of systems during audit activities. BIO2 requires audit testing coordination with ENSIA schedules and use of approved auditors.

Mapped Controls

Methodology and Disclaimer

This coverage analysis maps from BIO2 clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.