It is 2026. Cyberattacks are no longer an exception, but a daily reality. Recently, the Public Prosecution Service, the Population Screening Program, ODIDO, and the Dutch Correctional Institutions Agency were targeted. Government bodies and the healthcare sector are being systematically attacked, suppliers are being misused as backdoors, and data breaches regularly make the news. In that context, it is downright worrying, and frankly a disgrace, when a supplier of a mileage tracking system is not itself ISO27001 certified for its own solution.
Especially with software that processes privacy-sensitive and tax data, information security must not be an afterthought.
Trip registration: sensitive data in the hands of third parties
A trip registration system processes:
- Location data
- Movement patterns
- License plates
- Working hours
- Private and business trips
- Tax substantiation for the Tax and Customs Administration
This is no “ordinary” application. This is data that directly touches upon privacy (GDPR), fiscal auditability, and, in the case of government bodies, public responsibility.
Unfortunately, we still too often encounter situations in the market where the ISO27001 certification of the data center housing the servers is touted as a shield. A data-center certificate reveals nothing about the solution itself or its weaknesses. Furthermore, in European tenders, we see that the requirement for data and information security is very easily disregarded. It is listed as a requirement in the tender, but compliance checks are subsequently not performed, or not performed properly. Alternatively, a nicely written document is simply accepted as sufficient proof.
In the current context of increasing cyber threats and stricter laws and regulations, such as the Duty of Care and the Cybersecurity Act, it is therefore relevant to critically examine the information security of these solutions. An important question in this regard is: to what extent is the supplier demonstrably in control?
The Trip Registration Systems Quality Mark: what does it cover and what does it not?
Many trip registration systems hold the Trip Registration Systems Quality Mark. This quality mark focuses primarily on the fiscal reliability of the registration and the correct recording of trip data in accordance with the requirements of the Tax and Customs Administration.
That is valuable.
At the same time, the quality mark does not focus on the full spectrum of information security. Fiscal compliance and information security are two different disciplines. Both are important, but they do not automatically guarantee the same thing.
The BIO and the responsibility of governments
The Government Information Security Baseline (BIO) applies to government organizations. It sets requirements for how information is protected, how risks are managed, and how suppliers are governed.
When a trip registration system is deployed within a government organization, this processing falls under the BIO. This means that not only the internal organization but also the supplier must be able to demonstrate that appropriate security measures have been put in place.
The new BIO2 is enshrined in the upcoming Cybersecurity Act and is therefore mandatory for all information systems active within a government organization. BIO compliance is demonstrated by elements of ISO27001, ISO27002, and the Statement of Applicability.
In practice, ISO27001 is the most common way to demonstrate this.
No ISO27001 certification on your own solution means:
- No independent review of the ISMS
- No periodic external audit
- No demonstrable structural improvement
- No formal assurance of risk management
In a time when cyberattacks are increasing exponentially, that is a real risk.
Cybercriminals have long ceased targeting only end organizations. They seek the weakest link in the chain. Software vendors are attractive targets. A trip registration system without demonstrably mature information security is not a minor detail. It is an attack vector.
The question is not whether suppliers are targets. The question is when.
What should you pay attention to as an organization?
The following questions can help with the selection or evaluation of a trip registration system:
1. Is the supplier ISO27001 certified?
2. What is the exact scope of the certification?
3. Are penetration tests performed periodically?
4. How are BIO requirements (if applicable) fulfilled?
5. How is incident management structured?
6. How are data breaches and the reporting obligation handled?
Asking these questions helps to make information security an explicit part of decision-making, rather than an implicit assumption.
Advice: make demonstrability the guiding principle
In a time when cyberattacks are a structural part of the threat landscape, demonstrability is essential. Do not rely solely on explanations, but ask for:
- A current certificate
- The scope statement
- Information about audit frequency
- Transparency regarding security measures
Moreover, for governments, this is directly linked to BIO responsibility.
Are you unsure whether your current supplier offers sufficient security?
- Have your current situation assessed.
- Ask critical questions.
- Ask for demonstrable proof.
At MyFMS, we believe that mobility data must be protected just as seriously as financial or medical data. Transparency, demonstrable compliance, and independent verification are not an option for us, but a starting point.
Would you like to brainstorm about how to assess or improve the information security of your current trip registration system? MyFMS is happy to help think about a future-proof, secure, and demonstrably compliant setup for mobility management.
