Case Municipality of Waterland

Structure and control in meeting the BIO standard in 2024

The Municipality of Waterland had a clear goal: to control the implementation of ISO measures to comply with the Baseline Information Security Government (BIO) in 2024. This is the basic standards framework for information security within governments and is derived from the general ISO 27001 standard.

With ISOPlanner and Instant 27001, the municipality has a system that provides a structure for the implementation of ISO measures and helps keep control of implementation.

Divergent IT applications complicating information security

The Municipality of Waterland is a rural municipality in Noord Holland, located a short distance from Amsterdam, Purmerend, Hoorn, and Zaandam. It has 17,500 residents in the city of Monnickendam and the villages of Broek in Waterland, Marken, Zuiderwoude, and Ilpendam, among others.

Like other municipalities, the Waterland municipality provides a variety of services for its residents: from housing and spatial facilities to services for local businesses. It also offers services within the social domain.

The result is a scattered IT landscape, with information security challenges caused by the large number of applications in use, while the IT department is much smaller than that of a large municipality such as Amsterdam.

To meet the BIO standard, the municipality needed an Information Security Management System (ISMS) that would also provide an overview of all the measures still to be carried out.

Jimmy Voskuil, CISO at Waterland says: “Implementation of measures regarding our ISO and BIO certification often happened very ad hoc. What we particularly missed was an implementation overview of a single application. There were no automatic reminders or notifications on measures or controls to be implemented. We missed a structured Plan-Do-Check-Act cycle.”

Urgency: NIS2 mandates ISMS for municipalities starting in 2024

With the deadline of the new NIS2 legislation in mind (EU member states must transpose it into national law by October 2024), the municipality needed an accessible, lightweight ISMS. Once the new law takes effect, an ISMS will be mandatory for municipalities, as will, for example, two-factor authentication.

Fast implementation ISMS through included templates

The Municipality of Waterland ultimately chose a combination of ISOPlanner and Instant 27001, which together offer an ISMS that already includes templates and examples. This increased the speed of implementation.

Jimmy Voskuil continues: “In August 2022 we started the project, and the ISMS has been in use since December 2022. Overall, we were able to implement the ISMS within five months, which normally takes organizations a year to complete. The templates made it easier to decide how we wanted to implement certain standards. It is always easier to consider an outcome based on examples, rather than having to come up with everything yourself. For example, the template for the mandatory stakeholder analysis was very helpful. We have now completed the process in the first department. In the coming months, we will take the other departments through the process.”

Microsoft integration secures the implementation of measures

Jimmy Voskuil continues, “With a small municipality like Waterland, information security is just as important as with large municipalities. But a large-scale and expensive ISMS is not an option. In our search for a supplier, we adhered to the tender procedure. We ended up talking to four parties about implementing an ISMS.

We opted for a quick implementation where a lot of preliminary work had already been done. It also had to match our security requirements, such as single sign-on. Microsoft integration was also a requirement because it facilitates the Plan-Do-Check-Act cycle. With the other three parties, there was no Microsoft integration and documents remained in a vendor environment. But with ISOPlanner and Instant 27001, we were able to set up tasks and triggers that automatically ended up in Outlook because of the Microsoft integration. This helps us secure the final implementation of measures.”

The pricing model facilitates incremental implementation

The pricing model was also an important aspect of choosing the ISOPlanner and Instant 27001 combination. Jimmy Voskuil explains: “As a relatively smaller municipality, the pricing model based on the number of users appealed to us. This allowed us to easily scale up new employees without the intervention of the provider. Since we did not yet have an ISMS, the first phase focused on setting that up. Only more recently were we ready to add other users and departments.

This pricing model allows us to calmly prepare for further implementation step by step, because a fully completed ISMS in advance helps tremendously with the acceptance of such a new system. In addition, this approach allows us to resolve any problems before we hook up the next department.”

‘Standard risks’ facilitate an internal discussion

A real bonus to choosing ISOPlanner and Instant 27001 was the presence of 40 standard risks. Jimmy Voskuil continues: “After all, ISO certification is about reducing certain risks. You have a measure and establish its effect, you then implement it correctly and check whether the original risk is now acceptable.

With Instant 27001 and ISOPlanner, some 40 risks were already available by default. We took these examples as a starting point and used them to create our own risk analysis. Even though they were different kinds of risks, it was easier to make decisions based on something that was already there, rather than plotting the whole thing ourselves. This was especially valuable in internal discussions; it helped with the acceptance of the measures.”

After the implementation of the ISMS, I no longer worried. It works, it’s accessible, it’s stable and if I ask a question, I get an answer. It’s a program that’s ultimately not a core business. But in the background, it’s constantly running. And that relieves me tremendously: you want it to work the way it’s supposed to and not be bothered by it.

Jimmy Voskuil

CISO, Waterland Municipality

The benefits of ISOPlanner and Instant 27001 according to the Municipality of Waterland

Ease of use

Because a lot of preliminary work has already been done, the ease of use is high. In the application, the steps are also logically structured. The standard reporting options are very convenient for a smaller municipality. Before the invoice was paid, the app was already ready. And the foundation for certification was already there.

Service

Contacting the provider goes very smoothly and updates are shared regularly. Questions from users are quickly answered and implemented so the next user does not have to deal with them.

Costs

The cost structure is a plus. The municipality also adhered to the tender procedure, although the price for the solution was ultimately below the €12,500 limit.

About the Municipality of Waterland

The Municipality of Waterland is a rural municipality with 17,500 inhabitants, located a short distance from Amsterdam, Purmerend, Hoorn, and Zaandam. A unique stock of monuments is combined with the typical open and valuable meadow landscape.

The municipality is unique in its kind due to the protected townscape of Monnickendam and the protected village scapes of Broek in Waterland, Marken, and Zuiderwoude. Each village has its own specific character and culture. The open waters of the Gouwzee and the Markermeer complete the atmospheric picture.
