Digitalisation in education rarely fails because of a single wrong decision. More often, risks arise gradually. Through growth. More systems, more data, more dependencies. And somewhere along the way, control slips out of sight.
Educational organisations know they are responsible for safeguarding information security and privacy. At the same time, questions arise: what must be in place as a minimum? Where do you start? And how do you know you are not overlooking risks?
The Dutch IBP framework (Information Security and Privacy) provides that guidance. Not as a theoretical model, but as a practical framework that helps schools organise information security and privacy in a structured and demonstrable way, in line with what is expected of them.
The IBP framework is a practical reference framework for information security and privacy in education. It describes the minimum measures required to protect personal data and digital systems responsibly.
Formally, the framework is called the Information Security and Privacy Framework for Primary and Secondary Education (IBP FO). It contains concrete standards and measures that schools can implement to bring their digital security and privacy structurally in order.
The framework was developed for schools and school boards in primary, secondary and special education. It is explicitly not a generic IT standard, but a framework aligned with the day-to-day reality of schools. This includes pupil administration systems, digital learning resources, cloud environments and reliance on external suppliers.
In its structure and underlying principles, the framework shows clear similarities with well-known security standards such as ISO/IEC 27001. Just as NEN 7510 does for healthcare, the IBP framework provides a sector-specific interpretation of information security and privacy for education. It is tailored to the scale, context and risks that are typical of educational institutions.
The framework was developed in cooperation with the Dutch Ministry of Education, Culture and Science, Kennisnet, the PO Council, the VO Council and SIVON. As a result, it is not a standalone initiative or a temporary project, but part of a broader national movement to structurally improve digital security and privacy in education.
The IBP framework is the standard that schools are expected to meet to get their digital security in order. It is not a certification standard, but it does serve as the policy standard for information security and privacy in primary and secondary education. The Dutch government expects schools to use this framework to fulfil their statutory obligations, including under the GDPR and education legislation.
In concrete terms, schools must have reached at least maturity level 3 by 2030. From 1 January 2027, schools must have insight into their position in relation to the framework through a self-assessment and must have a plan of action in place to meet the standards. The framework therefore serves as the reference point for supervision and accountability.
These expectations and the associated supervision form part of the national programme Digital Safe Education, as explained by the Dutch government.
The IBP framework helps schools to organise information security and privacy in a structured way. It describes which measures are required as a minimum and creates coherence between policy, risks and implementation.
In that sense, the framework resembles an Information Security Management System (ISMS). Both focus on controlling information security: not only through technical measures, but also through agreements, responsibilities and choices at organisational level.
The difference is important. The IBP framework is not a full ISMS. Unlike standards such as ISO/IEC 27001, it does not include all the components required to embed information security as a management system, such as fixed audit cycles, explicit requirements for continuous improvement or certification.
The IBP framework is therefore best seen as a normative framework that facilitates the implementation of an ISMS, without immediately introducing the complexity of a full ISO standard. It is precisely this position that makes the framework practical and well suited to schools.
The IBP framework consists of standards for information security and privacy. Both elements are elaborated in domains that together cover the key risks and responsibilities within schools.
The information security standards are divided into fifteen domains:

The privacy standards are elaborated in seven domains:

The IBP framework works with maturity levels that provide insight into where a school stands in terms of information security and privacy, and which steps make sense to grow further.
The starting point is explicitly not that everything must be perfectly arranged at once. Schools can work towards a higher maturity level in phases, in a controlled manner.
To support this, the Growth Path has been developed. By following this path, you first address the most significant risks and work in a project-based way towards maturity level 3. For many schools, this level represents an appropriate baseline: the key risks are under control and measures are structurally embedded.
The Growth Path consists of five consecutive phases:

The full framework, the Growth Path and supporting tools are available at http://normenkaderibp.kennisnet.nl to help schools with practical implementation.
In practice, it helps to approach the IBP framework in a structured way. A workable approach towards maturity level 3 may look as follows:
1. Map the current situation. Determine where you stand in relation to the standards and maturity levels and identify what is already in place. This can be done through a baseline measurement or self-assessment.
2. Establish strategic policy for information security and privacy. Define how you intend to safeguard information security and privacy, including responsibilities and principles at organisational level, and identify what is needed to implement the policy (level 1).
3. Carry out a risk assessment and draw up a risk treatment plan. Identify the key risks and determine which measures from the framework should be prioritised.
4. Implement the most urgent measures. Focus first on measures that mitigate the greatest risks and have immediate effect (level 2).
5. Perform a gap analysis or maturity assessment. Once the main risks have been addressed, assess which measures are still missing to enable further growth.
6. Draw up and implement an action plan. Translate the remaining improvement points into a concrete action plan and implement it (level 3).
The result is a coherent and manageable setup for information security and privacy, aligned with maturity level 3.
The IBP framework helps schools to organise information security and privacy in a structured and manageable way. Working in phases and using the Growth Path creates overview and focus, without the need to have everything perfectly arranged at once.
This approach is not only sensible, but also necessary. Schools are expected to have reached at least maturity level 3 by 2030. From 1 January 2027, they must have insight into their position in relation to the framework, supported by a self-assessment and a concrete action plan. In addition, the mandatory section on Information Security and Privacy in the annual report already requires board-level accountability in the short term.
At the same time, digital threats are already increasing. Cyberattacks and data breaches do not wait until 2027 or 2030 and can have a major impact on the educational process and the trust of parents and staff. Those who wait too long not only face greater risk, but also make implementation more complex and more costly in the long run.
The challenge often lies not only in implementing measures, but in making the right choices and demonstrating compliance with the framework. ICTRecht can support schools at every stage, from baseline measurement and implementation to providing objective insight into the extent to which the IBP framework is met. No certification, but an independent assessment that shows where you stand and which next steps are logical.
In this way, the IBP framework becomes not a paper obligation, but a working part of educational practice, today and towards 2030. Therefore, start now by gaining insight: map where you stand in relation to the framework and draw up a plan to have demonstrable control over information security and privacy by 2027 at the latest.
Do you need support with this, or would you simply like to explore your options with us? Get in touch.