NIS2 will have practical significance for you as an information security manager, as the requirements of the directive are directly aimed at the administration of information security.
If you need further information about NIS2, click here to get a handle on the NIS2-basics.
It should be mentioned that we see NIS2 as an opportunity to increase management commitment and strengthen the focus on the entire information security work.
If you already have an ISMS or GRC tool built on ISO 27001/2, you have come a long way.
A documented compliance with ISO 27001/2, with a few additions, will likely be sufficient to comply with the NIS2 directive.
However, we recommend that you take an extra look at the following two areas:
- Expansion of management processes, including clarification of roles and responsibilities

  ISO 27001 includes requirements for management's commitment and support for information security work. Similarly, there are requirements for employee education (awareness) and for describing and delegating roles and responsibilities related to security work. Even if you already have these areas in place, it is worth considering whether anything needs to be reorganized or described in more detail, or whether there are new topics in which employees need to be trained.

- Clarification and adjustment of control measures

  As mentioned before, if you have implemented your ISMS/GRC tool based on ISO 27001 and have used the control measures in Annex A/ISO 27002, you are already well prepared. However, there may be some areas where NIS2 requires clarification. If you currently use an ISMS or GRC tool in which the ISO control measures are mapped to the NIS2 directive, you do not need to duplicate your work. If not, you can use the table below, which outlines the main areas of focus in NIS2 compared to ISO 27001.
These areas are further explained in the next section.
| NIS2 area | ISO 27001 control measures | ISO 27002 control measures |
|---|---|---|
| Risk Management | ISO 27001 6.1, 8.1 | ISO 27001 6.1, 6.2, 8.1 |
| Incident Management 1) | ISO 27001 7.3, ISO 27001 A16 | ISO 27002 5.24, 5.27, 6.8 |
| Security in network and information systems during the acquisition and development of systems | ISO 27001 | ISO 27001 A8.32 |
| Business Continuity | ISO 27001 | ISO 27002 8.15 |
| Personnel security | ISO 27001 A7 | 5.9-5.11, 6.1-6.8 |
| Assets | ISO 27001 A8 | 5.9-5.11 |
| Network security | ISO 27001 A13 | 8.8 |
| Access control security | ISO 27001 A9 | ISO 27002 5.17, 5.29 |
| Cryptography | ISO 27001 A10 | ISO 27002 |
| Vendor management | ISO 27001 8.1, ISO 27001 A15 | 5.19 |
| Compliance control | ISO 27001 9.3, ISO 27001 A18.2 | ISO 27001 9.3 |
When the controls have been reviewed, there will naturally be a process where they need to be tested to determine their actual effectiveness. This can be done in connection with an upcoming internal audit, taking into account the advice and guidelines (hopefully) provided by the designated supervisory authority at that time.
The Difference between ISO 27002 and NIS2
The NIS2 areas shown in the table above describe several specific minimum requirements for working with information security. These are mainly found in Articles 21 and 23 of the directive. As mentioned, there is significant overlap with ISO 27001 and ISO 27002, but in some areas you may need to clarify or expand your information security work:

- Risk Management

  Under NIS2, systematic and periodic risk assessments need to be conducted on the vulnerability of information assets to cyber incidents. The assessments are expected to follow the same requirements as in ISO 27002.

  NIS2 emphasizes cybersecurity from a societal perspective, but the methods and processes will be familiar to companies that have worked systematically with risk analysis and evaluation in connection with ISO 27002.

- Incident Management

  Special emphasis is placed on security incident handling, and unlike ISO 27002, there will be specific requirements for a formalized and documented process for this. There will be concrete requirements regarding how incidents are to be reported, to whom, and within what timeframe. If you are familiar with GDPR, this will be recognizable, as GDPR also contains specific requirements for reporting to the authority (Data Protection Agency) and notifying data subjects. Additional requirements for root cause analysis as part of security incident handling are also expected.

- Network Security and Information Security in the Acquisition and Development of Systems

  Protecting networks is one of the key elements. The focus is on establishing a combination of technical, administrative, and organizational controls to effectively manage internal and external risks.

- Business Continuity Planning

  Business continuity and disaster recovery will be emphasized in the handling of cyber incidents. You need to demonstrate that there are processes in place to handle cyber incidents that may disrupt or completely interrupt your critical business processes.

- Supply Chain Security

  Supply chain security is likely to receive significant attention. Information security needs to be considered throughout the entire supply chain, and threats that can potentially spread through the supply chain must be identified and mitigated.

- Security in Acquisition and Development

  Security in the acquisition and development of systems ensures that new systems are assessed and classified based on their significance, and that the control measures correspond to the risk associated with the relevant cyber threats.

- Policies and Procedures

  Security policies and supporting procedures ensure that security processes function as intended. This means that controls such as the approval of security policies, the Statement of Applicability (SoA), and the management review of information security are documented. The underlying documentation may vary depending on the industry and risk profile, but it is an administrative task that needs to be addressed.

- Use of Encryption

  There is also a focus on specific control measures such as decisions about and management of encryption technology, as well as the use of encryption. If ISO 27002 is complied with, the organization will likely meet the requirements of the directive in this specific control area.
Conclusion of this article
In conclusion, the NIS2 directive holds practical significance for information security managers, as it directly addresses the administration of information security.
By understanding the similarities and differences between NIS2 and ISO 27001/2, organizations can leverage their existing ISMS or GRC tools to comply with the directive.
However, it is important to pay extra attention to areas such as management commitment processes and control measures that may require clarification or adjustment.
Need help with NIS2 compliance?
Although there are still some uncertainties about how the NIS2 directive will be implemented in the legislation, it is clear that if you have a good understanding of ISO 27001/2, you have come a long way.
Our GRC tool helps companies and organizations gain control and overview of their compliance work with standards and directives such as ISO 27001, ISO 27002, NIS2, GDPR, etc. With all the needed templates for annual tasks, controls, documents, threat catalogs, risk and incident management, Statement of Applicability (SoA), and more, you can quickly assess how far you have already progressed and get assistance with what is missing.
With our GRC tool, you can manage your compliance in one place. You don't need separate tools for ISO 27001, NIS2, GDPR, etc., as security measures implemented in one place often contribute to compliance with multiple security standards. If you want to read more and experience the tool yourself - completely free and without obligation, click here and fill out the form.
You can skip a few steps and book a meeting with our sales director here if you are interested.