Accountability: horizontal and vertical
The ENSIA system ties in with the municipality's planning and control cycle and has two forms of accountability:
- Horizontal accountability: The Municipal Executive reports to the municipal council via a self-evaluation, IT audit, municipal executive statement, and a passage in the annual report.
- Vertical accountability: The municipality reports to national supervisory authorities on specific areas such as:
  - Basic Registration of Persons (BRP)
  - DigiD & Suwinet
  - Passport Implementation Regulation (Dutch: PUN)
  - BAG, BGT, and BRO
Roles and Responsibilities
Within the ENSIA process, the roles are divided as follows:
- Municipal Executive: Responsible for drawing up and approving the reports.
- ENSIA coordinator: Manages the process, completes questionnaires, and collects evidence.
- Qualified RE auditor: Checks the municipal executive statement and signs the assurance report.
- Quality monitor: Ensures the timeliness and quality of the reports within the system.
ENSIA approach 2-Control
- Support with self-assessment (pre-audit)
  By first assessing the extent to which your systems comply, you gain insight into the measures you must take in any case. We can perform this pre-audit for you. Ideally, before the municipality uploads the self-assessments into the ENSIA tool, we assess the results of the self-assessment with a focus on demonstrability. This prevents as many surprises as possible afterwards. The outcome of the pre-audit gives you a clear picture of whether or not you meet the criteria of the self-assessment, and of which measures you need to take to meet those criteria and the security guidelines.
- Take action
  Following the pre-audit, implement the necessary measures yourself to better protect your systems against external attacks.
- Perform a penetration test (pentest)
  If you host or develop software in-house, the requirements oblige you to have a penetration test (ethical hacking test) performed on the web environment of your DigiD connection. This checks your information systems for vulnerabilities, and you receive a report with the findings. We recommend Dong-IT for this purpose. View the different offers for penetration testing here.
  Take measures yourself to follow up on and resolve the findings from the pentest. If the pentest shows that high risks are present in your environment, these must be resolved before the audit.
- Audit on Suwinet and DigiD and review of the municipal executive statement
  Once the previous phases have been completed, the final ENSIA audit is performed. The object of examination is the municipal executive statement on ENSIA, with the corresponding annexes for DigiD and Suwinet. The audit is performed by one of our RE auditors.
- Report
  The opinion on the municipal executive statement is set out in a standardized (fixed-format) report. This format was created in consultation with VNG and the professional association of IT auditors (NOREA). The report must be signed by one of our RE auditors.
Why choose our support?
The goal of an ENSIA audit is not merely to tick off lists, but to professionalize your information security. By identifying shortcomings early and implementing recommendations effectively, you increase your municipality's digital resilience.
Our advice: schedule your pre-audit in good time to avoid time pressure at the end of the cycle.