Municipality of Waterland

Structure and Control meeting the BIO standard
Hosted in EU
Jimmy Voskuil • CISO
I stopped worrying, it just runs

Getting in Control of the BIO Standard

The Municipality of Waterland is a rural community of 17,500 residents just outside Amsterdam. Its goal for 2024 was clear: get the implementation of ISO measures under control to meet the BIO standard, the baseline information security for Dutch government, derived from ISO 27001. The hard part was getting there without a structure to lean on. Together, ISOPlanner™ and Instant 27001 gave the municipality exactly that, a system that brings structure to the rollout of ISO measures and keeps implementation on track.

Too Many Apps, No Overview

Like any municipality, Waterland runs a wide range of services for residents, from housing and planning to local business and the social domain. Each leans on its own software, and the result was a sprawling IT landscape, a lot of applications to secure, and an IT team far smaller than a city like Amsterdam could field. To meet the BIO standard, the municipality needed an ISMS that could finally pull every required measure into one overview.

Jimmy Voskuil, CISO at Waterland, recalls the starting point: "Implementing the measures for our ISO and BIO certification was very ad hoc. What we missed most was a single application that showed the whole picture. There were no automatic reminders, no notifications on the controls we still had to put in place, and no real Plan-Do-Check-Act rhythm."

NIS2 Set the Clock

NIS2 turned a good intention into a deadline. The legislation took effect in March 2024 and carried enforcement from October 2024, and once it applies an ISMS becomes mandatory for municipalities, along with measures like two-factor authentication. Waterland needed a pragmatic ISMS, and it needed one in time.

Live in Five Months

Waterland chose the combination of ISOPlanner™ and Instant 27001, an ISMS that ships with templates and examples already built in, which is what made the pace possible.

Voskuil picks it up: "We started in August 2022 and the ISMS was live by December, up and running in five months, where it usually takes organisations a year. The templates made it far easier to decide how to implement each standard; it is always simpler to react to a worked example than to invent everything from scratch. The template for the mandatory stakeholder analysis, for one, was a real help. We have finished the process in the first department, and over the coming months we will take the others through it too."

It Had to Live in Microsoft

Voskuil goes on: "For a small municipality like ours, information security matters just as much as it does for a big one, but a large, expensive ISMS was never an option. We followed the tender procedure and spoke with four parties about implementing an ISMS."

He continues: "We wanted a fast implementation with much of the groundwork already done, and it had to meet our security requirements, single sign-on among them. Microsoft integration was non-negotiable, because it drives the Plan-Do-Check-Act cycle. The other three had no Microsoft integration, so documents stayed trapped in a vendor environment. With ISOPlanner™ and Instant 27001, tasks and triggers land straight in Outlook through that integration, and that is what secures the final implementation of our measures."

Pricing That Scales With You

Pricing weighed heavily in the choice of ISOPlanner™ and Instant 27001 too. Voskuil explains: "As a smaller municipality, a model based on the number of users suited us perfectly. We could add new people ourselves, without going back to the provider each time. We had no ISMS yet, so the first phase was simply about building one; only later were we ready to bring in more users and departments.

That model lets us prepare for each step calmly, one at a time. A fully finished ISMS up front does wonders for how readily people accept a new system, and it means we can iron out any issues before we connect the next department."

A Head Start on Risk

Another real bonus was the 40 standard risks that came built in. Voskuil: "Certification ultimately comes down to reducing risk: you take a measure, establish its effect, implement it properly, then check whether the original risk has become acceptable.

Instant 27001 and ISOPlanner™ gave us around 40 risks by default. We used them as a starting point and shaped our own risk analysis from there. Even where our risks were different, it was far easier to decide against something that already existed than to map the whole thing from a blank page. That proved especially valuable in internal discussions, and it helped people accept the measures."

Ready Before the Invoice

Because so much of the groundwork is already done, the platform is easy to live with. The steps follow a logical order, and the standard reports are exactly what a smaller municipality needs, nothing more to build. The telling detail: the app was ready to use before the invoice was even paid, and the foundation for certification was already in place.

Ask Once, Fixed for Good

Reaching the ISOPlanner™ team is easy, and updates arrive on a steady rhythm. When a user raises a question it is not just answered, it gets built into the product, so the next person never runs into the same thing.

Under the Tender Limit

The cost structure was a plus in its own right. Waterland still followed the full tender procedure, but the price came in comfortably below the €12,500 limit.

A small IT team, a sprawling application landscape and a hard NIS2 deadline. Waterland needed structure fast, and got it: a working ISMS in five months, built into Microsoft, comfortably under the tender limit, and a CISO who finally stopped worrying about it.

See how ISOPlanner™ would fit your organisation.