Governance, Risk Management, and Compliance blog

How will NIS2 impact an information security manager?

[fa icon="calendar"] Wednesday, 05 July 2023 / by Neupart

NIS2 will have practical significance for you as an information security manager, as the requirements of the directive are directly aimed at the administration of information security.

If you need further information about NIS2, click here to get a handle on the NIS2-basics.

It should be mentioned that we see NIS2 as an opportunity to increase management commitment and strengthen the focus on the entire information security work.

If you already have an ISMS or GRC tool built on ISO 27001/2, you have come a long way.
A documented compliance with ISO 27001/2, with a few additions, will likely be sufficient to comply with the NIS2 directive.

However, we recommend that you take an extra look at the following two areas:

  1. Expansion of management processes, including clarification of roles and responsibilities
    ISO 27001 includes requirements for management's commitment and support for information security work. Similarly, there are requirements for employee education (awareness) and for describing and delegating roles and responsibilities related to security work. Even if you already have these areas in place, it is worth considering whether anything needs to be reorganized, further described, or if there are new topics in which employees need to be trained.

  2. Clarification and adjustment of control measures
    As mentioned before, if you have implemented your ISMS/GRC tool based on ISO 27001 and have used the control measures in Annex A/ISO 27002, you are already well-prepared. However, there may be some areas where clarification is needed about NIS2. If you currently use an ISMS or GRC tool where ISO control measures are mapped to the NIS2 directive, you do not need to duplicate your work. If not, you can use the table below, which outlines the main areas of focus in NIS2 compared to ISO 27001.

These areas are further explained in the next section.

NIS2-area

Control measures
ISO 27001:2013

Control measures
ISO 27001:2022 

Risk Management

ISO 27001 6.1, 8.1

ISO 27001 6.1, 6.2 8.1

Incident Management 1) 

ISO 27001 7.3

ISO2700 A16

ISO27002

5.24
5.25
5.26

5.27

&.8

Security in network and information security during the acquisition and development of systems

ISO27001
A14.1.1
A14.1.3
A14.2.1
A15.2.5
A14.2.8
A14.2.9

ISO 27001
A5.8
A8.8
A8.26
A8.27
A8.29
A8.30
A8.31

A8.32

Business Continuity

ISO 27001
A12
A17

ISO27002
5.37
8.7
8.13

8.15

Personnel security 

ISO 27001 A7

5.9-5.11,
5.15 

6,1- 6.8

Assets

ISO 27001 A8

5.9-5.11,

Network security

ISO 27001 A13

8.8
8.20-22
8.25-8.34



Access control security

ISO 27001 A9

ISO27002
5.5,
5.14

5.17

5.29
5.30
8.5

Cryptography

ISO 27001 A10

ISO27002
8.24

Vendor management

ISO 27001 8.1

ISO 17001 A15

5.19
5.23

Compliance control

ISO 27001 9.3

ISO 27001 A18.2

ISO 27001 9.3
ISO 27002
5.35
5.36
8.8

 

When the controls have been reviewed, there will naturally be a process where they need to be tested to determine their actual effectiveness. This can be done in connection with an upcoming internal audit, taking into account the advice and guidelines (hopefully) provided by the designated supervisory authority at that time.

The Difference between ISO 27002 and NIS2

The NIS2 areas shown in the table above describe several specific minimum requirements for working with information security. These are mainly found in §21 and §23 of the directive's text. As mentioned, there is significant overlap with ISO 27001 and ISO 27002, but in some areas, you may need to clarify or expand your information security:

  1. Risk Management
    Under NIS2, systematic and periodic risk assessments need to be conducted on the vulnerability of information assets to cyber incidents. The assessments are expected to follow the same requirements as in ISO 27002.

    NIS2 emphasizes a focus on cybersecurity from a societal perspective, but the methods and processes will be familiar to companies that have worked systematically with risk analysis and evaluation in connection with ISO 27002.

  2. Incident Management
    Special emphasis is placed on security incident handling, and unlike ISO 27002, there will be specific requirements for a formalized and documented process for this. There will be concrete requirements regarding how incidents should be reported, to whom, and within what timeframe. If you are familiar with GDPR, this will be recognizable, as GDPR also contains specific requirements for reporting to the authority (Data Protection Agency) and notifying data subjects. There are also expected requirements for additional root cause analysis of incidents in the handling of security incidents.

  3. Network Security and Information Security in the Acquisition and Development of Systems
    Protecting networks is one of the key elements. The focus is on establishing a combination of technical, administrative, and organizational controls to effectively manage internal and external risks.

  4. Business Continuity Planning
    Business continuity and disaster recovery will be emphasized in the handling of cyber incidents. You need to demonstrate that there are processes in place to handle cyber incidents that may disrupt or completely interrupt your critical business processes.

  5. Supply Chain Security
    Supply chain security is likely to receive significant attention. Information security needs to be considered throughout the entire supply chain, and threats that can potentially spread through the supply chain must be identified and mitigated.

  6. Security in Acquisition and Development
    Security in the acquisition and development of systems ensures that new systems are assessed and classified based on their significance and that the control measures correspond to the risk associated with relevant cyber threats.

  7. Policies and Procedures
    Security policies and supporting procedures ensure that security processes function as intended. This means that controls such as the approval of security policies, Statement of Applicability (SoA), and management review of information security are documented. The underlying documentation may vary depending on the industry and risk profile, but it is an administrative task that needs to be addressed.

  8. Use of Encryption
    There is also a focus on specific control measures such as decision-making and management of encryption technology, as well as the use of encryption. If ISO 27002 is complied with, the organization will likely meet the requirements of the directive in this specific control area.

Conclusion of this article

In conclusion, the NIS2 directive holds practical significance for information security managers, as it directly addresses the administration of information security.

By understanding the similarities and differences between NIS2 and ISO 27001/2, organizations can leverage their existing ISMS or GRC tools to comply with the directive.

However, it is important to pay extra attention to areas such as management commitment processes and control measures that may require clarification or adjustment. 

Need help with NIS2 compliance?

Although there are still some uncertainties about how the NIS2 directive will be implemented in the legislation, it is clear that if you have a good understanding of ISO 27001/2, you have come a long way.

Our GRC tool helps companies and organizations gain control and overview of their compliance work with standards and directives such as ISO 27001, ISO 27002, NIS2, GDPR, etc. With all the needed templates for annual tasks, controls, documents, threat catalogs, risk and incident management, Statement of Applicability (SoA), and more, you can quickly assess how far you have already progressed and get assistance with what is missing.

With our GRC tool, you can manage your compliance in one place. You don't need separate tools for ISO 27001, NIS2, GDPR, etc., as security measures implemented in one place often contribute to compliance with multiple security standards. If you want to read more and experience the tool yourself - completely free and without obligation, click here and fill out the form.

You can skip a few steps and book a meeting with our sales director here if you are interested.

Emner: ISO 27001, NIS2, CISO, ISO 27002

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts