Compliance
Baseline Informatiebeveiliging Rijksdienst standard (BIR 2012)
Organizations operating in the Netherlands government sector must demonstrate compliance with the Baseline Informatiebeveiliging Rijksdienst standard (BIR 2012). The BIR 2012 provides a standard framework based on ISO 27001 and ISO 27002.
The Baseline Informatiebeveiliging Rijksdienst (BIR 2012) is a cybersecurity standard specific to the Dutch government, often referred to in English as the Baseline Information Security Government Services. Established in 2012, BIR was designed to provide a unified security framework for all government bodies within the Netherlands. Its goal is to ensure that all parts of the Dutch central government handle information securely and in a standardized manner, to protect against loss of confidentiality, integrity, and availability of data.
The BIR is based on the international ISO/IEC 27001 standard for information security management systems (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization. The BIR sets out a risk management process, prescribing a set of controls that includes policies, processes, procedures, organizational structures, and software and hardware functions. These controls are tailored to the specific needs of Dutch governmental organizations, taking into account the particular threats and vulnerabilities they face and the impact that a security breach could have on public administration and society.
Government agencies are required to adopt the BIR to ensure a baseline level of security that aligns with national interests. Compliance with BIR is important not just for the protection of sensitive government data, but also for maintaining citizens’ trust in the digital aspects of government services. Since its implementation, BIR has also served as a foundation for sector-specific standards within the Netherlands, which address the unique needs and contexts of different areas of the public sector. The BIR is periodically reviewed and updated to respond to the evolving landscape of information security threats and to remain aligned with international standards and best practices.
There are additional BIR controls that are not covered by ISO 27001; for these, references are made to other independent attestations, audit documentation, or contractual statements.