At the Regional School Community Goeree-Overflakkee (RGO), awareness grew that with the introduction of the Information Security and Privacy Framework for Primary and Secondary Education (IBP FO), the requirements around information security and privacy were becoming increasingly important. The implementation of the new IBP FO quickly made it clear that the school faced a significant challenge. RGO aimed to meet the highest standards but questioned where it currently stood and what needed improvement. To gain better insight, the school decided to commission an information security audit by Safesecur Group.
We spoke with Julian de Groot, Head of ICT at RGO, about his experience with Safesecur Group and the impact of the audit. “We were confronted with the security requirements of the IBP FO,” Julian begins. “This brought both external pressure and internal motivation to further professionalize our operations. The baseline assessment and the report we received from Safesecur Group were incredibly helpful. They served as a mirror to our own IT organization and provided us with a starting point for further improvement.”
Strength through analysis
The audit began with a baseline measurement of the current state of affairs in information security and privacy. “It was quite an intensive process,” Julian recalls. “You think you’ve got things reasonably under control, but during such an audit, it becomes clear that there’s always room for improvement. Safesecur Group gave us a comprehensive analysis of our strengths and areas where we could still improve.”The final report, supplemented with best practices and concrete recommendations, helped RGO raise the bar and strengthen its approach.
“It was definitely a confronting experience, but it brought a lot of new insights that helped us move forward.”
Julian explains that some findings were difficult to hear: “We discovered that certain processes hadn’t been sufficiently formalized. On paper, we thought we were compliant, but the audit showed there was still work to do. Although that was initially disappointing, we also saw it as an opportunity for growth.” Thanks to the detailed reporting of both general issues and 'low-hanging fruit,' RGO was able to take quick action. “It really helps to have an external party assess your organization and point out areas for improvement. There’s a lot to learn from that, and it gave us a clear starting point.”
Formalization as the Key to Improvement
One of the most important changes at RGO following the audit was the focus on formalizing processes. “I’m now much more aware that documenting our methods is essential,” Julian explains. “There are plenty of distractions during a regular school day, and it’s easy to get caught up in the daily grind. It’s important to occasionally step back and think about how we should be documenting the things we do.”
“After the audit, I truly started looking at our information security differently, because I realized how high the bar is set by the IBP FO framework. I’m now much more involved in formalizing our policies: Why do we do things the way we do, and how do we evaluate them? In doing so, we’re automatically working on improvement and knowledge transfer.”
A Supportive Partnership
Julian emphasizes the way Safesecur Group supported them throughout the process: “It never felt like an attack. They genuinely stood beside us as partners in improving our processes. Thanks to their guidance and clear recommendations, we were able to take concrete steps to elevate our information security.”
Professionalize Early: Don’t Wait for the Deadline
Julian has a clear message for other schools preparing for IBP FO compliance: "Don’t wait until the 2027 deadline is approaching. As a school, you really need to reflect on why you do things a certain way. Schools handle a tremendous amount of sensitive data, and I can’t stress enough the importance of this external assessment. For us, it marked a new step in the professionalization of our work and served as a wake-up call not to postpone action.”
“I can’t stress the importance of external evaluation enough.”
Julian also shared an important observation: “I’ve spoken with several people in education, and everyone seems to have their own definition of what it means to be ‘compliant.’ That’s problematic, because being compliant means simply meeting the standard. Some schools claim they’re compliant just because they received a ‘report’ from someone with an IT background. That’s not how it works. That’s why I strongly recommend being assessed by an independent and knowledgeable organization like Safesecur Group.”
From Audit to Collaboration: A Valuable Experience
The personal aspect of working with Safesecur Group was one of the most valuable parts of the process, according to Julian: “The process and assessment were personal. There was a good balance between detail and broader reflection, allowing us to have equal-level conversations — sometimes intense, but always constructive. Their empathy and flexibility were greatly appreciated.” After the audit, Safesecur Group remained involved, providing both written and verbal final reporting and a willingness to continue thinking along about next steps. Julian concludes: “For us, it was a very positive experience that I would highly recommend to any school.”
