ENSIA audit

ENSIA stands for Eenduidige Normatiek Single Information Audit. The main objective of ENSIA is to ease the audit burden of municipalities to enable municipalities to hold themselves accountable for information security.

With the 2013 resolution "Information security, prerequisite for the professional municipality," the municipalities agreed to implement the Baseline Information Security Municipalities (BIG). The municipality must justify itself to the municipal council on the subject of information security through a self-assessment, an IT audit, a college statement and a passage on information security in the annual report. This is called horizontal accountability.

In addition, municipalities must provide vertical accountability (to another body) for a number of issues: the Basic Registration of Persons (BRP), DigiD, Suwinet, the Netherlands Passport Implementation Regulations (PUN), the Basic Registration of Addresses and Buildings (BAG) and the Basic Registration of Large Scale Topography (BGT). The basis of this vertical accountability is the horizontal accountability supplemented by specific requirements for each subject.

Our ENSIA audit support

Our organization consists of an team of registered IT auditors (REs). A RE auditor of 2-Control checks, together with you, whether you meet the set standards for all active DigiD connections and for all Suwinet components you use. For this, the self-assessment is the main input.

Our auditors have very extensive experience in conducting security assessments and annually perform the ENSIA audit for many different municipalities.

ENSIA approach 2-Control

1. Support with self-assessment (pre-audit)
   By first assessing the extent to which your systems comply, you gain insight into the measures you must take in any case. We can perform this pre-audit for you. Ideally, before the municipality uploads the self-assessments in the ENSIA tool, we assess the results of the self-assessment with a focus on demonstrability. This prevents as many surprises as possible afterwards. The outcome of the pre-audit gives you a clear picture of whether or not you meet the criteria of the self-assessment and what measures you need to take to meet the criteria and security guidelines.
   
   
2. Take action
   Following the pre-audit, implement the necessary measures yourself to better protect your systems from outside hacking.
   
   
3. Perform Penetration Test (Pentest)
   If you perform in-house hosting or software development, you must have a penetration test (ethical hacking test) performed on your web environment for your DigiD connection as part of the requirements. This will check your information systems for their vulnerability and you will receive a report with findings. We recommend using Dong-IT for this purpose. View the different offers for penetration testing here.
   
   Take measures yourself to follow up and resolve the findings from the pen test. If the pen test shows that high risks are present in your environment then these should be resolved prior to the audit.
   
   
4. Audit on Suwinet and DigiD and review college statement
   Once the previous phases have been completed then the final ENSIA audit is performed. The object of examination is the college declaration on ENSIA with the corresponding annexes for DigiD and Suwinet. The audit is performed by one of our RE auditors.
   
   
5. Report
   The opinion on the college declaration is processed in a standardized (form-fixed) report. This format has been created in consultation with VNG and the professional group of auditors (NOREA). The report must be signed by one of our RE auditors.

Our experience has shown that having an ENSIA audit carried out is often more complicated than previously thought. We therefore advise you to schedule a pre-audit in time to avoid any problems.

Do you have questions about the Baseline Information Security Government (BIO)?

{{Click here}}