
Like any municipality, Waterland runs a wide range of services for residents, from housing and planning to local business and the social domain. Each leans on its own software, and the result was a sprawling IT landscape, a lot of applications to secure, and an IT team far smaller than a city like Amsterdam could field. To meet the BIO standard, the municipality needed an ISMS that could finally pull every required measure into one overview.
Jimmy Voskuil, CISO at Waterland, recalls the starting point: "Implementing the measures for our ISO and BIO certification was very ad hoc. What we missed most was a single application that showed the whole picture. There were no automatic reminders, no notifications on the controls we still had to put in place, and no real Plan-Do-Check-Act rhythm."


NIS2 turned a good intention into a deadline. The legislation took effect in March 2024 and carried enforcement from October 2024, and once it lands an ISMS becomes mandatory for municipalities, along with measures like two-factor authentication. Waterland needed a pragmatic ISMS, and it needed one in time.
Waterland chose the combination of ISOPlanner™ and Instant 27001, an ISMS that ships with templates and examples already built in, which is what made the pace possible.
Voskuil picks it up: "We started in August 2022 and the ISMS was live by December, up and running in five months, where it usually takes organisations a year. The templates made it far easier to decide how to implement each standard; it is always simpler to react to a worked example than to invent everything from scratch. The template for the mandatory stakeholder analysis, for one, was a real help. We have finished the process in the first department, and over the coming months we will take the others through it too."


Voskuil goes on: "For a small municipality like ours, information security matters just as much as it does for a big one, but a large, expensive ISMS was never an option. We followed the tender procedure and spoke with four parties about implementing an ISMS."
He continues: "We wanted a fast implementation with much of the groundwork already done, and it had to meet our security requirements, single sign-on among them. Microsoft integration was non-negotiable, because it drives the Plan-Do-Check-Act cycle. The other three had no Microsoft integration, so documents stayed trapped in a vendor environment. With ISOPlanner™ and Instant 27001, tasks and triggers land straight in Outlook through that integration, and that is what secures the final implementation of our measures."
Pricing weighed heavily in the choice of ISOPlanner™ and Instant 27001 too. Voskuil explains: "As a smaller municipality, a model based on the number of users suited us perfectly. We could add new people ourselves, without going back to the provider each time. We had no ISMS yet, so the first phase was simply about building one; only later were we ready to bring in more users and departments.
"That model lets us prepare for each step calmly, one at a time. A fully finished ISMS up front does wonders for how readily people accept a new system, and it means we can iron out any issues before we connect the next department."


Another real bonus was the 40 standard risks that came built in. Voskuil: "Certification ultimately comes down to reducing risk: you take a measure, establish its effect, implement it properly, then check whether the original risk has become acceptable.
"Instant 27001 and ISOPlanner™ gave us around 40 risks by default. We used them as a starting point and shaped our own risk analysis from there. Even where our risks were different, it was far easier to decide against something that already existed than to map the whole thing from a blank page. That proved especially valuable in internal discussions, and it helped people accept the measures."
Because so much of the groundwork is already done, the platform is easy to live with. The steps follow a logical order, and the standard reports are exactly what a smaller municipality needs, nothing more to build. The telling detail: the app was ready to use before the invoice was even paid, and the foundation for certification was already in place.


Reaching the ISOPlanner™ team is easy, and updates arrive on a steady rhythm. When a user raises a question it is not just answered, it gets built in, so the next person never runs into the same thing.
The cost structure was a plus in its own right. Waterland still followed the full tender procedure, but the price came in comfortably below the €12,500 limit.
