How to transition from BIO 1.04 to BIO2-opmaat to BIO2
Introduction
The Baseline Informatiebeveiliging Overheid (BIO) has evolved from version 1.04 (2019) to the transitional opmaat version and now to the definitive BIO 2.0 (2024).
BIO 2.0 is aligned with ISO/IEC 27001:2022 and ISO/IEC 27002:2022, and introduces a stronger focus on risk-based management and the use of an Information Security Management System (ISMS).
In ISOPlanner, we support this migration path in two steps:
- Customers on BIO 1.04 first upgrade to BIO 2.0 opmaat, and then to BIO 2.0.
- Customers already using BIO 2.0 opmaat can upgrade directly to BIO 2.0.
Key changes and obligations in BIO 2.0
When upgrading, customers should be aware of the following high-level changes compared to BIO 1.04 and opmaat:
- Mandatory ISMS
  - Working with a management system for information security (ISO 27001:2022, chapters 4–10) is now explicitly required. Please note that you will need to activate ISO 27001:2022 to have the requirements for this management system available in ISOPlanner.
- Risk-based approach
  - Controls must be demonstrably linked to the organization’s risks and context, not just implemented as a checklist.
- New structure of measures
  - Controls have been restructured from 114 (ISO 27002:2017) to 93 (ISO 27002:2022), grouped under four domains:
    - Organizational
    - People
    - Physical
    - Technological
- Public-sector specific requirements
  - BIO-specific obligations remain, e.g. around logging, monitoring, and ENSIA reporting.
Upgrade path in ISOPlanner
- Step 1: Upgrade from BIO 1.04 → BIO 2.0 opmaat
  - Follow the instructions on Standard upgrade to a new version to start the upgrade.
  - Your existing measures are mapped to the transitional set.
- Step 2: Upgrade from BIO 2.0 opmaat → BIO 2.0 (definitive)
  - Follow the instructions on Standard upgrade to a new version to start the upgrade.
  - Measures are updated to the final structure and requirements.
- Direct upgrade: Customers already using BIO 2.0 opmaat can skip step 1 and upgrade directly to BIO 2.0.
Next steps
- Review your ISMS setup and make sure it aligns with ISO 27001:2022.
- Update your risk assessment and ensure that all measures are justified by identified risks.
- Prepare evidence for ENSIA and internal audits in line with the new structure.
ISOPlanner helps you manage this transition by providing the new measure sets and migration mapping between BIO versions.