The government must handle personal and other data with care. Citizens, business owners and visitors expect municipalities, provinces and water authorities to do this. For government organisations, the Government Information Security Baseline (Baseline Informatiebeveiliging Overheid, “BIO”), derived from ISO 27001, is the prevailing standard for information security. ENSIA was created as a means of rendering account for information security.

What is ENSIA?

ENSIA, the Single Information Audit Unified Norm (Eenduidige Normatiek Single Information Audit), is an accountability methodology for government agencies to demonstrate that they are taking appropriate measures to ensure data security and quality. ENSIA has two modes of accountability: horizontal accountability (to the municipal council) and vertical accountability (to the regulatory authorities), which means that it is binding.

In terms of horizontal accountability, the organisation renders account on the extent to which the BIO measures have been implemented. This can be recorded in ENSIA by means of a self-assessment. This ultimately translates into reports that end up with the municipal council and the Municipal Executive. The organisation must also include a section on information security in its annual report. The self-assessment results can be used as input for that section.

In terms of vertical accountability, the organisation renders account on various elements (to the extent that they apply):

  • the measures taken on information security within the Personal Records Database (BRP), Travel Documents database, Suwinet and DigiD connections;
  • for the purposes of the Key Register of Addresses and Buildings (BAG), the Key Register for Large-Scale Topography (BGT) and the Key Register of the Subsurface (BRO), account is rendered on the manner in which data quality and data integrity are ensured;
  • for the purposes of the Valuation of Immovable Property Act (WOZ), account is rendered on information security, system management and architecture.

For specific components, a Registered EDP Auditor (RE) should assess whether the control measures that have been put in place are effective. This applies to the components that have DigiD connections as well as to the use of Suwinet.

How can Cuccibu help my organisation with ENSIA accountability?

Cuccibu can support your organisation in several ways when it comes to ENSIA accountability. If an organisation is required to render account, it appoints an ENSIA coordinator to manage this process. Cuccibu has experienced consultants who can take on this role. What is more, accountability for information security is not a one-off or annual activity, but an ongoing process. We support organisations as they set up that process so that no surprises arise during the ENSIA accountability.
Cuccibu also carries out audits on ENSIA (municipal executive’s opinion (collegeverklaring)), the DigiD Assessment and Suwinet. Our consultants are certified to carry out these audits.

We are Cuccibu

Interested or have any questions?

Please feel free to contact us via sales@cuccibu.nl. We would be happy to help you find the solution that best suits your company’s needs.

“We believe that you create added value through secure and responsible digitisation. This leads to opportunities for individuals, companies and society as a whole.”