What is the CSIR?

CSIR stands for Cybersecurity Implementation Guideline (Cybersecurity ImplementatieRichtlijn). It is a practical implementation guideline developed for Dutch government and utility organisations (such as water authorities and Rijkswaterstaat) to apply the BIO (Baseline Information Security for Government) and IEC 62443 standards effectively and on a risk-driven basis within OT environments — for installations such as pumping stations, locks, weirs and treatment plants.


🎯 Purpose and significance

  • Translating standards into practice: the CSIR helps apply BIO and IEC 62443 without overlap by linking clear measures to process objects and project phases.
  • Water sector focus: developed in cooperation with Rijkswaterstaat and the NCSC, aimed at water authorities and infrastructure assets, but also applicable to other critical OT systems.
  • Risk-driven approach: for each object (such as a pumping station or treatment plant), a resilience and risk level is determined; appropriate measures from BIO and IEC 62443 are then suggested automatically.

🔄 Relationship to other frameworks

  • BIO: provides the baseline security for IT and OT environments within government
  • IEC 62443: adds OT-specific, process-oriented measures
  • CSIR: combines the two into a single, coherent and practical security framework

🛠️ Measures and implementation

  • Measures are organised under labels such as VSP (processes), VSE (systems engineering) and conformance guidelines.
  • They are linked to ISO 27001 Annex A controls so that existing management processes can be reused.
  • CSIR version 3.0 has been optimised for broader application and is no longer focused specifically on Rijkswaterstaat projects.

✅ In summary

The CSIR is a practical guideline for OT security, translating the theoretical frameworks of BIO and IEC 62443 into concrete security requirements per object and risk level. It helps organisations secure systems in a focused, uniform and verifiable way according to current standards.