In 2023, SIVON tested fourteen school boards within primary and secondary education for information security through a "Deep Dive" assessment. The basis of this assessment was the Information Security and Privacy Framework of Standards for Foundation Education (IBP FO). Based on the 69 norms for information security from the standards framework, the extent to which the school boards comply with these norms was tested.
The average observed maturity level of the tested school boards is 1.9 on a scale of 5, while the desired level for information security implementation is 3. There are considerable differences, as maturity levels range from 1.5 to 2.7. The goal is for all school boards to achieve level 3 by 2027.
In the report Deep Dive by SIVON summarizes the results of the fourteen school boards and explains the recommendations. Also read the experience of Elementary School de Rank, which participated in the assessment.
The report provides several success factors for information security implementation, including:
Get commitment from the school board to take information security to the next level.
Make use of handouts/standards available to the sector (IBP Approach and through the IBP Network).
Discuss the IBP FO standards framework internally. It helps make information security negotiable among school boards and gain insight into the quality of information security.
Support services such as IT, Facilities, HR and Purchasing are organized above-school or IT is fully outsourced to an IT partner that is ISO27001 certified.
The Deep Dive assessments are part of the Digitally Safe Education program. With this program, the Ministry of OCW, Kennisnet, SIVON, the PO Council and VO Council join forces for an education sector in which every student can learn digitally safely and employees can work digitally safely. The Normative Framework for Information Security and Privacy for Foundation Education (IBP FO) describes the norms for a digitally safe school organization and offers concrete example measures.
Various support offerings are available from the Digitally Secure Education program to help schools become more digitally secure, including the Processor Agreement Service, the tests on processor agreements, Data Protection Impact Assessments (DPIAs) and the Information Security and Privacy (IBP) Network.
The PO-Raad and VO-raad recently updated the handbook for the management report, because IBP must have a place in the annual report starting with the 2024 annual report.
