Security standards: CSIR, ISO 27001, IEC 62443 and the BIO

These four standards and frameworks each play a key role in information security and cybersecurity, with their own focus and area of application.

🛡️ 1. CSIR – Cyber Security Implementation Guideline for Objects

The CSIR (Cyber Security Implementation Guideline for Objects) is a Dutch guideline issued by Rijkswaterstaat and Het Waterschapshuis. The CSIR contains practical security measures for industrial automation (such as SCADA, PLCs and OT systems) and aligns closely with international standards such as IEC 62443.

Characteristics:

  • Focused on the security of industrial environments (OT)
  • Practical, actionable measures and recommendations
  • Aligns with the zones and conduits model
  • Not an official standard, but a government guideline

📋 2. ISO 27001 – Information Security Management System (ISMS)

ISO/IEC 27001 is an international standard for establishing, implementing, managing and improving an Information Security Management System (ISMS).

Characteristics:

  • Focused on IT systems and information security
  • Applicable to any organisation, sector-independent
  • Addresses confidentiality, integrity and availability (CIA)
  • A certifiable standard

Examples of measures:

  • Performing risk analyses
  • Access management and authorisation
  • Backup and recovery processes
  • Incident management

🔧 3. IEC 62443 – Security of industrial automation (OT)

IEC 62443 is an international standard specifically focused on cybersecurity within industrial automation and control systems (ICS/OT). It is modular and aimed at vendors, integrators and end users.

Characteristics:

  • Focused on OT environments (PLC, DCS, SCADA, sensors, actuators)
  • Supports the zones and conduits model
  • Distributes responsibilities between manufacturer, system integrator and asset owner
  • Not generally certifiable for organisations as a whole (component certification is available)

🏛️ 4. BIO – Baseline Information Security for Government

The BIO (Baseline Informatiebeveiliging Overheid) is a Dutch standard that applies to all government bodies (central government, provinces, municipalities, water boards). The BIO is based on ISO 27001 and 27002, but adds additional requirements and measures specific to government.

Characteristics:

  • Mandatory for all Dutch government organisations
  • Provides a uniform approach to information security
  • Based on risk management and measures per security level (BBN)
  • Replaces earlier standards such as BIG, BIR and BIWA