Public Administration ISAC Baseline

Collaborate, share, and develop your security 

ISAC Baseline can help your city and/or region enhance its cybersecurity and collaborate in a community of peers across Europe. Contact us to see how compliance work with NIS2 requirements is effectively supported by a unique Benchmarking and a Solution Library with shared security practices using the Benchlearning principle.

The ISAC Baseline is a joint initiative by ISAC for Cities, Major Cities Europe, and I-Trust supported by ENISA with the goal of enabling collaboration between cities and sharing of best practices within cyber security.

Why Get Involved?
By joining ISAC Baseline, your city and/or region will:

  • Learn from other cities: Leverage proven security solutions already in use by other authorities.
  • Contribute to a shared solutions library: Help build a library of best practices that will benefit the entire community.
  • Strengthen cyber resilience: Implement best-in-class security measures in day-to-day operations securing your data and processes.
  • Effectively report compliance: Get reports on compliance status to management and stakeholders in the organization.

Learn best practice from peers
Since 2016 Danish municipalities have collaborated in the Baseline program, jointly improving their security. In 2024, the EU Commission’s Benchlearning principle was added to the Baseline program. Benchlearning is an innovative, dynamic approach that identifies best practice and security solutions, and effectively shares them within a community.

Over 60 % of participating Danish municipalities have already shared how they meet critical security requirements, such as CIS18, ISO 27001-2, and NIS2.

The Baseline program from Denmark is being replicated inside and across other EU member states. Members of our ISAC are leading the effort to not only benefit from replication internally, but also benefit from Benchlearning across the participating members.

What are the costs?
Participation in the ISAC Baseline is based on a subscription to the Enablor benchlearning solution. Subscription costs are tailored to the number of citizens of your city and/or region and to the comparative economic strength of your nation.

What is included?

The ISAC Baseline includes:

  1. ISAC Baseline services and content
  2. ISAC Baseline Community and collaboration tools
  3. License for the Baseline platform enablor

Together referred to as the ISAC Baseline program.

ISAC BASELINE SERVICES

ISAC Baseline Community:

  • All participants in the ISAC Baseline from MCE and ISAC
  • Benchmarking with European data
  • Custom peer-groups with named organizations

ISAC Baseline is executed on the I-Trust enablor platform, including modules for:

  • Landing page
  • Article and news
  • Status Assessment
  • Documenting and sharing solutions
  • Gap management and action plans
  • Administration of organization and users
  • Reporting, including knowledge sharing functionality

ISAC baseline services include the following services and functionality:

  • Profiling the organization participating in the assessment: The ISAC Baseline Program can be set up to include status assessments from up to 8 departments / organizational units. Reporting can be done on department and city level, and benchmarking can be done on city level as an average of all participating departments.
  • Benchmarking with selected peers: Results of the security assessment can be benchmarked against other participants among members of ISAC/MCE or other organizations participating in the ISAC Baseline. Benchmarking groups can be set up with peer organizations (setup requires consent from all other organizations in the group).
  • Knowledge sharing (Benchlearning) of best practice learnings with peers: Sharing of best practice examples from the participants with most experience according to EU recommendations based on EU’s principle of Benchlearning.
  • Assessing the organization’s compliance with NIS2: NIS2 compliance requirements are set up in a NIS2 questionnaire based on controls from CIS18 and ISO 27001. The questionnaire will be adjusted as the EU requirements become practice. The organization has the option to comment and refer to documentation for each control assessed. Guiding texts and mapping to security standards, best practice and regulations are available for each control to support consistent assessment.
  • Implementation of critical cybersecurity controls based on CIS18 and ISO 27001: Optional questionnaires for assessing the organization’s compliance to central requirements from best practice standards. All questions are mapped to relevant standards and regulations and supported by guiding texts.
  • Documenting and sharing solutions: For each requirement the organization can use the platform for documenting its efforts – both documentation for implementation, procedures and solutions implemented. The organization can share its practice with other organizations – anonymously or openly in a cluster.
  • Working with gaps and benchlearning: Once it has completed the status assessment, the organization can evaluate gaps and decide how to mitigate them. Using the solutions database, the organization may include best practice from other organizations in its action plan.
  • ISAC survey questionnaire for critical roles: ISAC has developed an EU survey targeting 3 critical roles in public administrations: Publicly Elected Officials, Essential Service Managers, and IT (Security) Managers. Each role will be asked to assess security within their relevant security area.
  • Cyber Incident reporting: Based on ENISA’s Threat taxonomy recording the frequency of cyber-attacks, breaches resulting from cyber-attacks and consequences. Online report facility showing the organization’s statistics in relation to the ISAC Community and selected peers. Automatic analysis of results in relation to the organization’s ability to detect and process cyber incidents.
  • One annual Baseline assessment and subsequent assessments: The organization can assess its security status and make data available to the benchmark for the ISAC community in an annual Baseline. After release of the annual Baseline, next year’s Baseline is open for follow-up assessments to track improvements and prepare for next year’s assessment.
  • A comprehensive reporting toolbox: Predefined reports are available for management and security staff, and all assessments can be analyzed to find high-risk gaps or areas with lower-than-average implementation. All assessments can be exported in Excel format.
  • Risk-based recommendations using MITRE ATT&CK: The security assessment questions are all weighted against their ability to mitigate risks based on mappings to MITRE ATT&CK threat techniques. Recommendations and peer solutions for high-risk gaps are presented to all participants.
  • Automated compliance mapping across security standards and regulatory requirements: Based on the annual assessment, the organization has access to compliance reports of the most common security standards and legislation including recommendations to improve compliance. For each framework, the organization has access to automated mapping to the security assessment.

The ISAC Baseline Program is provided by I-Trust in collaboration with I-Trust ApS, Storegade 4, DK-8850 Bjerringbro.