
Mapping NIS2 requirements to the ISO 27001:2022 framework

We described here the process needed to perform a gap analysis for NIS2, but we did not go into the details of how to approach it.

This article builds on the ISO 27001:2022 series, especially the description of the Annex A controls. Make sure you are familiar with the ISO 27001:2022 requirements and with Annex A.

Introduction

The NIS2 Directive, aimed at strengthening network and information system security across the European Union, necessitates a thorough alignment with the latest iteration of the ISO 27001 standard, which was updated in 2022. This article explores a comprehensive methodology for conducting a gap analysis to ensure compliance with NIS2 using the framework provided by ISO 27001:2022.

Understand NIS2 Requirements

The NIS2 Directive expands upon its predecessor by setting stringent cybersecurity and resilience measures for essential and important entities across various sectors. Its key focus areas include incident response, supply chain security, and the security of network and information systems. These areas are critical in maintaining the integrity and availability of services that are vital to the internal market and public welfare.

The NIS2 Directive does not prescribe a specific set of controls for the affected companies.

Rather, it states that they should adopt measures that are appropriate to their specific risk profile, considering factors such as:

  • The state of the art in cybersecurity

  • The potential impact of incidents on their services

  • The costs of implementing the measures

  • The proportionality between the measures and the risks

The directive also refers to existing standards, guidelines, and best practices that can help entities to choose suitable controls. For example, it mentions:

  • The NIST Cybersecurity Framework

  • The ENISA Good Practices for Security of Internet of Things

  • The ETSI Technical Specification on Critical Security Controls for Effective Cyber Defense

Read here our collection of articles about the NIS2 directive.

Overview of ISO 27001:2022

ISO 27001:2022 establishes requirements for an Information Security Management System (ISMS), providing a systematic approach to managing sensitive company information so that it remains secure.

It covers people, processes, and IT systems by applying a risk management process, and it clearly defines the information security control requirements in its Annex A.

Similarities

Despite the differences in scope, objectives, requirements and controls, there are some similarities between the NIS2 Directive and the ISO 27001:2022 standard.

Here are the most evident similarities:

  • Risk management: Both frameworks are based on the concept of risk management, which involves identifying, analyzing, evaluating, and treating the information security risks that affect the organization or the service.

  • Involvement and commitment of top management: Both frameworks require the involvement and commitment of top management, who are responsible for ensuring that the appropriate resources, roles and responsibilities are allocated to support the implementation and maintenance of the measures.

  • Importance of continuous improvement: Both frameworks emphasize the importance of continuous improvement, which involves monitoring, measuring, reviewing, and updating the measures to ensure they remain effective and relevant in a changing environment.

  • Cooperation and information sharing: Both frameworks encourage cooperation and information sharing among relevant stakeholders, such as authorities, regulators, customers, suppliers, and peers, to enhance the overall level of cybersecurity.

Mapping NIS2 to ISO 27001:2022 requirements

The mapping begins with identifying the specific NIS2 requirements that are applicable to the organization.

Step 1: Identify NIS2 requirements

1. Scope of Application

  • Expansion of Affected Entities: NIS2 extends its requirements beyond the sectors covered by the original NIS Directive, including essential and important entities across various sectors such as energy, transport, health, and digital services.

2. Risk Management Measures

  • Comprehensive Security Requirements: Entities are required to implement appropriate technical and organizational measures to manage the risks posed to the security of network and information systems, including measures for incident handling, business continuity, and supply chain security.

3. Incident Response and Reporting

  • Incident Reporting Obligations: NIS2 mandates strict incident reporting requirements, where entities must notify relevant national authorities about significant cybersecurity incidents with potentially severe operational impacts, within a short timeframe.

4. Supply Chain Security

  • Security of Supply Chains and Supplier Relationships: Entities need to address cybersecurity risks not only within their own operations but also across their supply chains, ensuring that suppliers meet security requirements to protect against potential vulnerabilities and threats.

5. Interoperability and Cooperation

  • Enhanced Cooperation Among States: NIS2 emphasizes improved information sharing and coordinated response among EU member states, with mechanisms for cross-border collaboration in cybersecurity threat detection, response, and recovery.

6. Security and Network Systems

  • Strengthening of Security Practices: Detailed requirements on securing network and information systems, ensuring the integrity, availability, and confidentiality of services, particularly in critical infrastructure sectors.

7. Regulatory Oversight and Compliance

  • Increased Enforcement Powers: Regulatory authorities are granted more significant powers to enforce the Directive, including the ability to conduct audits, review compliance, and impose sanctions on entities failing to meet the cybersecurity requirements.

8. Financial Penalties

  • Penalties for Non-Compliance: NIS2 introduces substantial financial penalties for non-compliance, aimed at ensuring that entities take their cybersecurity obligations seriously.

9. Cybersecurity Measures Specificity

  • Detailed Guidelines and Standards: The Directive encourages the use of established standards and specifications to fulfill the required security measures, promoting best practices in cybersecurity management.

This step involves a detailed review of NIS2, focusing on the obligations that directly impact the organizational processes and security measures.

Step 2: Map requirements to the ISO 27001:2022 chapters

The next step is to map relevant chapters and controls in ISO 27001:2022 to these NIS2 requirements:

  • Chapter 4 (Context of the Organization) -> NIS2 1, 4, 5
    • Understand the external and internal issues that affect the ISMS, aligning with NIS2’s broader security requirements.
    • Identify whether the company falls into one of the two entity categories: Important or Essential.
    • An important step is also to identify and assess all external suppliers.
  • Chapter 5 (Leadership) -> NIS2 1, 5, 8
    • Ensure management’s commitment to the ISMS, mirroring NIS2’s emphasis on leadership and governance in cybersecurity.
  • Chapter 6 (Planning) -> NIS2 2, 3, 4, 6
    • Address the assessment and treatment of information security risks, a core component of proactive compliance under NIS2.
    • Conduct a risk assessment to identify threats, vulnerabilities, and impacts on information assets.
    • Develop risk treatment plans to address the identified risks, including mitigation, transfer, or acceptance.
  • Chapter 7 (Support) -> NIS2 5, 7, 9
    • Provide the framework for managing resources and operational planning.
    • Establish communication channels for reporting security incidents and seeking guidance on information security matters.
  • Chapter 8 (Operation) -> NIS2 2, 3, 4, 6
    • Provide the framework for managing resources and operational planning; establish incident response and business continuity plans to mitigate the impact of security incidents and disruptions, which is crucial for implementing the technical and organizational measures required by NIS2.
  • Chapter 9 (Performance Evaluation) -> NIS2 8, 9
    • Assess the performance of the ISMS, helping to ensure continuous improvement in line with NIS2’s dynamic compliance landscape.

Disclaimer:
This mapping is the author’s own interpretation, based on his personal opinion and understanding of the requirements. It is not the only possible interpretation, and it is most probably not the best one available.

Conclusion

By mapping NIS2 requirements to the structured framework provided by ISO 27001:2022, organizations can not only ensure compliance but also strengthen their overall security posture.

It is important to understand that this alignment is not a one-time effort but a continuous process of adaptation and improvement, reflecting the dynamic nature of cybersecurity threats and regulatory requirements.

As such, organizations should focus on regular reviews and updates to their ISMS, ensuring that it remains robust, responsive, and compliant.

The post Mapping NIS2 requirements to the ISO 27001:2022 framework first appeared on Sorin Mustaca on Cybersecurity.

Executive summary: NIS2 Directive for the EU members (updated)

The NIS 2 Directive is a set of cybersecurity guidelines and requirements established by the European Union (EU). It replaces and repeals the NIS Directive (Directive 2016/1148/EC). The full name of the directive is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)”.

The NIS 2 Directive aims to improve cybersecurity risk management and introduce reporting obligations across sectors such as energy, transport, health, and digital infrastructure. It provides legal measures to boost the overall level of cybersecurity in the EU.

The directive covers a larger share of the economy and society by including more sectors, which means that more entities are obliged to take measures to increase their level of cybersecurity.

The management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee their implementation, and can be held liable for infringements.

Who is affected?

The NIS 2 Directive significantly expands the sectors and types of critical entities falling under its scope.

As a ground rule, companies from certain areas that meet these conditions are affected:

Essential Entities (EE):

  • at least 250 employees and
  • 50 Mil € revenue

Important Entities (IE):

  • at least 50 employees and
  • 10 Mil € revenue

NIS 2 covers areas such as:

  • Essential Entities:
    • energy (electricity, district heating and cooling, oil, gas and hydrogen);
    • transport (air, rail, water and road);
    • banking;
    • financial market infrastructures;
    • health, including manufacture of pharmaceutical products including vaccines;
    • drinking water;
    • waste water;
    • digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services);
    • ICT service management (managed service providers and managed security service providers);
    • public administration;
    • space.

  • Important Entities:
    • postal and courier services;
    • waste management;
    • chemicals;
    • food;
    • manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment;
    • digital providers (online marketplaces, online search engines, and social networking service platforms);
    • research organisations.

Note:
An entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.

Deadlines

The Member States have until October 17, 2024, to adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply those measures from October 18, 2024.

The benefits of the NIS 2 directive include creating the necessary cyber crisis management structure (CyCLONe), increasing the level of harmonization regarding security requirements and reporting obligations, encouraging Member States to introduce new areas of interest such as supply chain, vulnerability management, core internet, and cyber hygiene in their national cybersecurity strategies, and bringing novel ideas such as peer reviews for enhancing collaboration and knowledge sharing among Member States.

In order to comply with the NIS 2 directive, entities will need to take measures to increase their level of cybersecurity. This may include training for the members of management bodies of essential and important entities, as well as offering similar training to their employees on a regular basis.

How does the NIS 2 Directive differ from the previous directive?

The NIS 2 Directive replaces the previous Network and Information Security (NIS) Directive, which was the first piece of EU-wide legislation on cybersecurity. Its specific aim was to achieve a high common level of cybersecurity across the Member States.

While the NIS Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalization and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.

Consequences

The proposed expansion of the scope covered by NIS 2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term. The NIS 2 Directive establishes very strict sanctions for breaches of its obligations. In contrast to the previous NIS Directive, which merely required Member States to set forth effective, proportionate and dissuasive penalties for non-compliance, the NIS 2 Directive introduces a much stricter regime.

NIS 2 will introduce a fining regime for non-compliance. The potential maximum fines for non-compliance could reach either

(i) €10 million or 2% of global annual turnover for “essential” entities, or

(ii) €7 million or 1.4% of global annual turnover for “important” entities.

What’s next, if you are in a hurry

Try to identify the following topics in your ISMS and map them to the NIS2 requirements.

1. Scope of Application

  • Expansion of Affected Entities: NIS2 extends its requirements beyond the sectors covered by the original NIS Directive, including essential and important entities across various sectors such as energy, transport, health, and digital services.

2. Risk Management Measures

  • Comprehensive Security Requirements: Entities are required to implement appropriate technical and organizational measures to manage the risks posed to the security of network and information systems, including measures for incident handling, business continuity, and supply chain security.

3. Incident Response and Reporting

  • Incident Reporting Obligations: NIS2 mandates strict incident reporting requirements, where entities must notify relevant national authorities about significant cybersecurity incidents with potentially severe operational impacts, within a short timeframe.

4. Supply Chain Security

  • Security of Supply Chains and Supplier Relationships: Entities need to address cybersecurity risks not only within their own operations but also across their supply chains, ensuring that suppliers meet security requirements to protect against potential vulnerabilities and threats.

5. Interoperability and Cooperation

  • Enhanced Cooperation Among States: NIS2 emphasizes improved information sharing and coordinated response among EU member states, with mechanisms for cross-border collaboration in cybersecurity threat detection, response, and recovery.

6. Security and Network Systems

  • Strengthening of Security Practices: Detailed requirements on securing network and information systems, ensuring the integrity, availability, and confidentiality of services, particularly in critical infrastructure sectors.

7. Regulatory Oversight and Compliance

  • Increased Enforcement Powers: Regulatory authorities are granted more significant powers to enforce the Directive, including the ability to conduct audits, review compliance, and impose sanctions on entities failing to meet the cybersecurity requirements.

8. Financial Penalties

  • Penalties for Non-Compliance: NIS2 introduces substantial financial penalties for non-compliance, aimed at ensuring that entities take their cybersecurity obligations seriously.

9. Cybersecurity Measures Specificity

  • Detailed Guidelines and Standards: The Directive encourages the use of established standards and specifications to fulfill the required security measures, promoting best practices in cybersecurity management.

By addressing these key topics, NIS2 aims to significantly raise the level of cybersecurity across the EU, ensuring a uniform level of security in critical sectors and enhancing the resilience of the internal market against cyber threats.

Sources:
1. cybertalk.org
2. nis-2-directive.com
3. digital-strategy.ec.europa.eu
4. enisa.europa.eu
5. europarl.europa.eu
6. mondaq.com
7. rapid7.com
8. https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs


NIS-2: 10 common misconceptions about the regulation

We wrote here about NIS2 and we will continue to add more content about it.

Because we are getting closer to October 17th, many people are getting more and more nervous about NIS2.

Despite its significance, there are numerous misconceptions and misinterpretations circulating about the scope and implications of this regulation.

This article aims to clarify some of the misconceptions, which I collected mostly from LinkedIn and from articles about NIS-2.

Note:

“NIS2” and “NIS-2” are exactly the same thing. I am using both in this article only because of SEO.

1. NIS2 starts being applied in the EU starting 17.10.2024

The truth is that the regulation has been applicable in the EU since it was approved. This deadline applies to the individual EU countries, which must transpose the NIS2 requirements into their national laws and apply them.

If national authorities fail to properly implement EU laws, the Commission may launch a formal infringement procedure against the country in question. If the issue is still not settled, the Commission may eventually refer the case to the Court of Justice of the European Union.

2. Limited scope of application

Contrary to the belief that NIS-2 only applies to large tech companies, the directive significantly broadens its scope compared to its predecessor, NIS.

NIS-2 extends beyond just critical infrastructure sectors like energy and transport, encompassing a wide array of sectors such as digital services, public administration, and healthcare.

It mandates a security and incident reporting framework that applies to both Essential and Important Entities, significantly expanding the list of sectors and services affected.

3. NIS-2 Is Just About Cybersecurity

While cybersecurity is a core component, NIS-2 is not merely about preventing cyberattacks. The directive emphasizes a comprehensive approach to security, which includes resilience against a wide range of threats.

This includes, but is not limited to:

  • supply chain security,
  • incident response, and
  • crisis management.

It establishes a baseline for security measures and incident notifications that entities must adhere to, ensuring a uniform level of security across member states.

4. NIS-2 compliance is the same across all EU countries

Although NIS-2 sets a framework for cybersecurity across the EU, member states have some flexibility in implementation. This means that there can be variations in how directives are enforced from one country to another, depending on local laws and regulations.

Companies operating across multiple jurisdictions need to be aware of and comply with local variations to ensure full compliance.

5. Heavy penalties are the main compliance driver

While it is true that NIS-2 can impose hefty fines for non-compliance, focusing solely on penalties misses the broader objective of the directive.

NIS-2 is designed to cultivate a culture of security and resilience. It encourages entities to proactively manage their cybersecurity risks and to collaborate with national authorities.

This cooperative approach is fundamental to enhancing the overall cybersecurity posture of the EU.

6. NIS-2 does not affect third-party suppliers

NIS-2 places explicit requirements on the security practices of third-party suppliers. Entities covered under the directive are required to ensure that their supply chains are secure.

This includes mandatory risk assessments and incident reporting requirements that extend to service providers, reflecting an understanding that security is only as strong as the weakest link in the supply chain.

7. NIS-2 contains rules for AI, IoT, Industry 4.0.

NIS-2 sets a framework for cybersecurity and does not address any particular technology. However, the rules it describes can very well be applied to companies in fields like those mentioned, provided they fall under the regulation’s applicability.

Companies active in Digital Infrastructure Services (internet nodes, DNS service providers, TLD registries, cloud providers, data centers, content delivery networks, trust services, communication networks, communication services) and in ICT Service Management (B2B only: managed services for IT, networks/infrastructure and applications, and managed security services for risk and cyber security) are potentially directly affected by the regulation. However, there are clear criteria about which companies are affected.

8. Any company with activity in the domains marked as Important and Essential is affected by NIS-2

Although the domains are under the NIS-2 regulation, a company is affected if it meets the criteria:

  • Essential Entities (EE):
    • at least 250 employees and
    • 50 Mil € revenue
  • Important Entities (IE):
    • at least 50 employees and
    • 10 Mil € revenue

If a company doesn’t have these characteristics, then, in general, it is not affected by the regulation directly. It is highly recommended that even in such cases the companies follow the regulation’s requirements, since it will increase their resilience against cyber attacks.

However, an entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.

9. All affected companies must certify for NIS-2

At the time of writing this post there is no certification for NIS-2. This might change in the future, especially since we do not know at this time how the regulation will be implemented in each of the EU member states.

There are consulting companies that sell consulting services and guarantee that a company will get the “NIS-2 certification” if it buys their services. While buying consulting is in general a good thing, the only thing that can be obtained is help in meeting the requirements of the regulation.

I recommend staying away from offers that promise things that do not exist.

10. Companies can buy software/hardware products to become compliant with NIS-2

Although compliance is sometimes made easier by using specialized software and hardware products, there is no requirement or recommendation to purchase anything.

Some security providers and consulting companies are offering off-the-shelf (OTS) products that promise immediate compliance with NIS-2 (or guarantee obtaining a “certification” – see point 9 above).

If you look at the series of articles in the NIS2 area of this website, you will see that quite a lot of the steps actually involve an ISMS, a cybersecurity framework, cybersecurity products and so on.

These can be implemented with commercial or open source products, but one still needs to know where and how to deploy them in order to become compliant.

I can very well imagine that there will be soon commercial offerings with sets of templates for implementing the NIS-2 requirements, just like there are with ISO 27001, TISAX and other certifications.


Demystifying cybersecurity terms: Policy, Standard, Procedure, Controls, Framework, Zero Trust

I am often asked what the difference is between a Policy, a Standard and a Procedure in cybersecurity.

Well, here it is:

1. Cybersecurity Standard

A cybersecurity standard is a set of guidelines, criteria, or best practices that organizations follow to ensure that their security controls and procedures align with industry standards or regulatory requirements. Standards provide a benchmark for measuring security maturity and often serve as a reference for audits and assessments. Common cybersecurity standards include ISO 27001, NIST Cybersecurity Framework, and CIS Controls.

2. Cybersecurity Framework

A cybersecurity framework is a structured approach to managing and improving an organization’s cybersecurity posture. It’s a comprehensive set of best practices, guidelines, and tools designed to help organizations assess, develop, and enhance their cybersecurity programs. Frameworks provide a strategic perspective and often include a collection of policies, procedures, controls, and standards. Prominent frameworks include NIST Cybersecurity Framework, CIS Critical Security Controls, and ISO 27001.

As can be seen, a standard often does not come alone; it comes with a framework, which allows the implementer to start quickly and create a basis for the cybersecurity implementation.

3. Cybersecurity Policy

A cybersecurity policy is a foundational document that sets the overarching principles and guidelines for an organization’s security posture. It is a high-level, strategic document that outlines the organization’s commitment to security, the roles and responsibilities of individuals and departments in safeguarding assets, and the consequences of non-compliance. Cybersecurity policies are essential for aligning security efforts with business goals and regulatory requirements.

4. Cybersecurity Procedure

While policies provide a high-level framework, procedures are the detailed step-by-step instructions that help employees or security personnel implement the policies effectively. Procedures are specific and actionable, often detailing how to respond to security incidents, configure software securely, or conduct security audits. They ensure consistency and best practices are followed in day-to-day operations.

5. Cybersecurity Control

Controls are measures, safeguards, or countermeasures that organizations put in place to protect their information systems and data. Controls can be technical, administrative, or physical in nature. They are designed to mitigate risks by preventing, detecting, or responding to security threats. Examples include firewalls, access controls, encryption, and antivirus software.

In summary, these four terms play distinct but interrelated roles in the world of cybersecurity. Policies set the overarching goals and principles, procedures provide the detailed instructions for implementation, controls are the measures and safeguards in place to protect against threats, and standards offer a reference point to ensure compliance with established best practices.

Effective cybersecurity requires a holistic approach that encompasses all these elements. By establishing clear policies, well-documented procedures, robust controls, and adherence to industry standards, organizations can better defend themselves against the ever-evolving threat landscape and protect their sensitive data and digital assets.

6. Zero Trust

Zero Trust in Cybersecurity: from myth to the guide

7. Authentication and Authorization

https://www.sorinmustaca.com/authentication-vs-authorization

Zero Trust in Cybersecurity: from myth to the guide

Every single day I read news on various portals and on LinkedIn and I encounter a lot of buzz words.

Most of the time I just smile recognizing the marketing b**it, and continue to scroll…

This time, I found an article from Germany’s Federal Bureau of Information Security (BSI) about Zero Trust (DE). Note: this is a summary, meant to be full of buzzwords, not a guide or anything similar.

I have to say that Zero Trust used to be a lot more prominent in the Corona years, between 2020 and 2022, than it is now. This is also shown by the history on IT Security News and on Google Trends.

What is Zero Trust?

Zero Trust is a cybersecurity framework designed to address the limitations of traditional perimeter-based security models. Oh, if you didn’t read the article on cybersecurity framework, go there and give it a try.

In the past, companies would rely on firewalls and trust the inside network while treating the outside as a potential threat.

Zero Trust, on the other hand, assumes that threats can originate from both inside and outside the network. It promotes a “never trust, always verify” approach or how we usually say, to be politically correct, “trust is good, but control is better”.

Core principles

1. Identity Verification

Before access is granted, every user, device and application attempting to access network resources must go through a verification process.

2. Limited Access Privileges

Users and systems should only have access to the resources they need for their tasks; nothing more.

3. Micro Segmentation

The network is split into separate sections to limit the spread of threats.

4. Continuous Monitoring

Constantly observing and analyzing network activity, user actions and system health, in real time.

5. Flexible Access Control

Access permissions can adjust dynamically depending on the user’s actions, the device’s security status and contextual factors.

Why Zero Trust is such a popular term

Zero Trust is not exclusive to any industry or company size. It can be implemented by any organization looking to enhance its cybersecurity posture. Whether you are a business or a multinational corporation, Zero Trust can be tailored to your requirements.

Due to the COVID 19 restrictions, all companies had to increase their reliance on cloud services, implement remote work, and proliferate mobile devices, which resulted in an expansion of the traditional network perimeter.

This transformation has made organizations more vulnerable to cyberattacks.

To summarize, these are the main reasons why Zero Trust has become so popular:

1. Changing Nature of Cyber Threats

With cyber threats becoming more advanced and unpredictable, organizations need to take measures to defend against them.

2. Impact of Remote Work

The COVID-19 pandemic has accelerated the adoption of remote work, rendering traditional network perimeters ineffective.

3. Embracing Cloud Services

As businesses shift towards cloud computing, data and applications are no longer limited to on-premises environments.

4. Adherence to Data Privacy Regulations

Compliance with data privacy regulations like GDPR and CCPA necessitates the implementation of data protection measures.

Implementing the Zero Trust framework

There is nothing new here: the same steps apply as to any other cybersecurity framework or ISMS.

I will not go into details about it, just go back and read these articles on ISMS and NIS2.

1. Identify and classify your digital assets

2. Implement strong user authentication methods, verify their identities before granting access

3. Ensure that users and systems have the minimum necessary access permissions.

4. Segment your network into smaller zones to limit lateral movement in case of a breach.

5. Deploy real-time monitoring and analysis tools to track anomalies

6. Implement Adaptive Access Control

7. Encrypt data both in transit and at rest

8. Conduct regular security audits

9. Educate employees about the importance of security

10. Develop an Incident Response Plan
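The five core principles above, and steps 2 to 6 of the implementation list, as an added example (this is not code from the original post): a context-aware access decision function in Python. Each request is checked for identity verification, least privilege, micro-segmentation, monitoring signals and adaptive access control before a decision is returned. The attribute names, the risk thresholds and the sample request are assumptions chosen for illustration, not taken from any product.

```python
"""Context-aware access decision in the Zero Trust style (added example).

The attributes, thresholds and weighting below are assumptions for
illustration; a real policy engine would read them from policy.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # allow only after re-authentication with a stronger factor
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool           # a valid session or token was presented
    mfa_verified: bool            # a second factor was checked for this session
    roles: frozenset              # roles granted to the principal


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                 # enrolled in device management
    disk_encrypted: bool
    patch_age_days: int           # days since the last security update


@dataclass(frozen=True)
class Context:
    source_segment: str           # network segment the request originates from
    location_risk: int            # 0 (expected location) .. 100 (anomalous), from monitoring
    failed_logins_last_hour: int  # taken from the authentication logs


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str                  # segment the resource lives in
    sensitivity: str              # "public", "internal" or "confidential"
    required_role: str


MAX_PATCH_AGE_DAYS = 30   # assumed device posture threshold
DENY_RISK = 80            # assumed: at or above this score, deny regardless of other checks
STEP_UP_RISK = 40         # assumed: at or above this score, require a stronger factor


def device_compliant(device: Device) -> bool:
    """Device posture check applied before any access to non-public data."""
    return device.managed and device.disk_encrypted and device.patch_age_days <= MAX_PATCH_AGE_DAYS


def risk_score(context: Context) -> int:
    """Combine monitoring signals into one 0..100 score (assumed weighting)."""
    brute_force_signal = 15 * min(context.failed_logins_last_hour, 4)
    return min(100, context.location_risk + brute_force_signal)


def decide(identity: Identity, device: Device, context: Context, resource: Resource) -> Decision:
    # 1. Identity verification: nothing is trusted because of where it comes from.
    if not identity.authenticated:
        return Decision.DENY
    # 2. Limited access privileges: the role must explicitly cover the resource.
    if resource.required_role not in identity.roles:
        return Decision.DENY
    # 3. Micro-segmentation: confidential resources only answer their own segment.
    if resource.sensitivity == "confidential" and context.source_segment != resource.segment:
        return Decision.DENY
    # 4. Continuous monitoring: signals gathered over time feed into every decision.
    score = risk_score(context)
    if score >= DENY_RISK:
        return Decision.DENY
    # 5. Flexible access control: device state and context adjust the outcome.
    if resource.sensitivity != "public":
        if not device_compliant(device):
            return Decision.DENY if resource.sensitivity == "confidential" else Decision.STEP_UP
        if not identity.mfa_verified or score >= STEP_UP_RISK:
            return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample request: a compliant, MFA-verified user from the right segment.
    alice = Identity("alice", True, True, frozenset({"finance"}))
    laptop = Device("lt-0001", True, True, 7)
    ctx = Context("finance-vlan", 10, 0)
    ledger = Resource("ledger-db", "finance-vlan", "confidential", "finance")
    print(decide(alice, laptop, ctx, ledger).value)
```

The point of the structure is that every principle is a separate check that can fail on its own: a user with the right role is still denied from the wrong segment, and a fully verified session still drops to step-up when the monitoring score rises.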

 

The post Zero Trust in Cybersecurity: from myth to the guide first appeared on Sorin Mustaca on Cybersecurity.

NIS2: 3.Establish a cybersecurity framework

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the 3rd step in implementing the requirements of the directive is to establish a cybersecurity framework.

If you haven’t read what a cybersecurity framework means, then you should read this article: https://www.sorinmustaca.com/demystifying-cybersecurity-terms-policy-standard-procedure-controls-framework/.

 

Establishing a cybersecurity framework is critically important for organizations of all sizes and types because it is the basis on which you build your cybersecurity. The cybersecurity framework is the basis of the ISMS, which represents the plan of your cybersecurity strategy.

 

Why it is essential to have a cybersecurity framework

In case you still wonder if you need a cybersecurity framework, here are several key reasons why it is essential:

  1. Protection against Cyber Threats
    Cyber threats are constantly evolving and becoming more sophisticated. A cybersecurity framework provides a structured approach to identifying and mitigating these threats, reducing the risk of data breaches, cyberattacks, and other security incidents.
  2. Risk Management
    Cybersecurity frameworks help organizations assess their cybersecurity risks and prioritize their efforts to address the most critical vulnerabilities. This risk-based approach ensures that resources are allocated where they are needed most.
  3. Compliance and Legal Requirements
    Many industries and regions have specific cybersecurity regulations and legal requirements that organizations must adhere to. A cybersecurity framework provides a roadmap for meeting these compliance obligations, reducing the risk of fines and legal repercussions.
  4. Business Continuity
    Cybersecurity incidents can disrupt business operations, leading to downtime, financial losses, and damage to reputation. A well-structured cybersecurity framework helps organizations prepare for and respond to incidents, minimizing their impact and ensuring business continuity.
  5. Protection of Sensitive Data
    Organizations store vast amounts of sensitive and confidential data, including customer information, financial records, and intellectual property. A cybersecurity framework helps safeguard this data from unauthorized access or theft.
  6. Preservation of Reputation
    A security breach can seriously damage an organization’s reputation and erode customer trust. Implementing a cybersecurity framework demonstrates a commitment to security, which can enhance the organization’s reputation and instill confidence among customers, partners, and stakeholders.
  7. Cost Savings
    Proactively addressing cybersecurity through a framework can ultimately save an organization money. Preventing security incidents is more cost-effective than dealing with the aftermath of a breach, which can involve significant financial and legal expenses.
  8. Consistency and Standardization
    Cybersecurity frameworks promote consistency and standardization of security practices across an organization. This is especially important in larger enterprises with multiple locations, business units, or teams, ensuring that security measures are applied uniformly.
  9. Continuous Improvement
    Cyber threats and technology evolve rapidly. A cybersecurity framework emphasizes the importance of ongoing monitoring, assessment, and improvement, helping organizations stay ahead of emerging threats and vulnerabilities.
  10. Competitive Advantage
    Having a robust cybersecurity framework can be a competitive advantage. It can differentiate an organization in the eyes of customers, partners, and investors who prioritize security when choosing business partners.

Steps to Choose or Create a Cybersecurity Framework

Choosing a cybersecurity framework is a tedious and potentially long process. If you want to succeed, then you need to plan for it. In order to create a project plan, follow these milestones:

  1. Assess Organizational Needs and Objectives
    Begin by understanding your organization’s specific cybersecurity needs, objectives, and goals. Consider the industry you operate in, the types of data you handle, and your organization’s size and complexity.
  2. Identify Relevant Regulations and Standards
    Determine which cybersecurity regulations, standards, and compliance requirements are applicable to your organization. These may include GDPR, HIPAA, ISO 27001, NIST, CIS Controls, TISAX, ISO 21434 and industry-specific regulations.
  3. Conduct a Risk Assessment
    Perform a comprehensive risk assessment to identify potential cybersecurity threats, vulnerabilities, and the potential impact of security incidents. This assessment will help you prioritize security measures.
  4. Define Your Scope
    Clearly define the scope of your cybersecurity efforts. Consider which systems, data, and assets are in scope for protection and compliance efforts. Document this scope in detail.
  5. Research Existing Frameworks
    Investigate existing cybersecurity frameworks and standards that align with your organization’s needs and objectives. Consider well-established frameworks like NIST Cybersecurity Framework, ISO 27001, CIS Controls, and others.
    Have a look here to view a comparison. Consider country-specific frameworks like the recommendations or requirements from your country’s information security agency.
  6. Evaluate Framework Alignment
    Evaluate how closely each candidate framework aligns with your organization’s requirements, risk assessment findings, and compliance obligations. Consider factors like ease of implementation and ongoing maintenance.
  7. Customization vs. Adoption
    Decide whether to adopt an existing framework as-is or customize it to fit your organization’s specific needs. Customization may be necessary to address unique risks or industry-specific requirements.
  8. Engage Stakeholders
    Involve key stakeholders, including senior leadership, IT teams, compliance experts, and legal advisors, in the decision-making process. Ensure their input and buy-in throughout the framework selection or development process.
  9. Develop Framework Documentation
    If you choose to customize or create a framework, develop comprehensive documentation that outlines the framework’s policies, procedures, controls, and guidelines. This documentation serves as a roadmap for the implementation of the ISMS.
  10. Implement and Test
    Begin implementing the selected or customized framework within your organization. Test its effectiveness in addressing cybersecurity risks and compliance requirements.
  11. Training and Awareness
    Train employees and raise awareness about the cybersecurity framework, its policies, and best practices. Ensure that everyone in the organization understands their role in maintaining security.
  12. Continuous Monitoring and Improvement
    Establish ongoing monitoring and assessment processes to ensure the framework’s effectiveness. Regularly review and update the framework to adapt to evolving threats and technology.

 

Key Considerations When Choosing or Creating a Cybersecurity Framework

There are some things to keep in mind when implementing the project plan for choosing the cybersecurity framework. The project can easily go out of scope because the security landscape is continuously changing.

Please review these considerations regularly and make sure you go through the list before taking any major decision.

  1. Alignment with Objectives: Ensure that the chosen framework aligns with your organization’s cybersecurity objectives, risk profile, and compliance requirements.
  2. Applicability: Consider the framework’s applicability to your industry and specific business needs.
  3. Resource Requirements: Assess the resources (financial, human, and technological) required for framework implementation and maintenance.
  4. Scalability: Determine whether the framework can scale with your organization’s growth and evolving cybersecurity needs.
  5. Integration: Ensure that the framework can integrate with existing security technologies and processes within your organization.
  6. Cost vs. Benefit: Evaluate the cost-effectiveness of implementing and maintaining the framework relative to the expected security benefits and risk reduction.
  7. Accessibility of Expertise: Consider the availability of expertise and training resources related to the chosen framework.
  8. Audit and Certification: If compliance or certification is a goal, verify that the framework is recognized and accepted by relevant certification bodies or authorities.
  9. Legal and Privacy Considerations: Ensure that the framework supports compliance with relevant data protection and privacy laws.
  10. Flexibility: Assess the framework’s flexibility to adapt to changing threat landscapes and emerging technologies.

 

Conclusions

Having a robust cybersecurity framework can be a competitive advantage. It can differentiate an organization in the eyes of customers, partners, and investors who prioritize security when choosing business partners.

Remember that selecting or creating a cybersecurity framework is not a one-size-fits-all process. It should be a thoughtful and strategic decision that aligns with your organization’s unique needs and circumstances.

Establishing a cybersecurity framework is essential to protect an organization’s digital assets, manage risks effectively, comply with legal requirements, and maintain the trust of stakeholders.

 


How to implement an Information Security Management System (ISMS)

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the 3rd step in implementing the requirements of the directive is to establish a cybersecurity framework.

If you haven’t read what a cybersecurity framework means, then you should read this article: https://www.sorinmustaca.com/demystifying-cybersecurity-terms-policy-standard-procedure-controls-framework/.

An ISMS is typically based on the ISO 27001 standard, which provides a framework for establishing, implementing, maintaining, and continually improving information security within an organization.

Establishing a cybersecurity framework is usually achieved together with, or while implementing, an Information Security Management System (ISMS) based on a standard like ISO 27001. So, before going to NIS2 Step 3, I must explain why it is important to have a “good” ISMS.

This article will guide you through the steps to create a solid foundation for the ISMS which uses a cybersecurity framework.

 

Here are the steps you must follow to implement your ISMS:

  1. Get Top Management Support
    • Before you start, synchronize with top management in order to define the company’s goals in this regard. Usually these should be clear, since the company strives to receive a certification like ISO 27001, ISO 16949, TISAX, CSMS, etc.
    • Then secure the commitment and support of senior management by helping them understand the necessary resources and efforts.
    • In all standards that require an ISMS it is imperative to have the commitment of the management because their feedback and support are required in several places along the way.
  2. Scope Definition
    • Define the scope of your ISMS: determine which assets, processes, and locations will be covered by the ISMS.
    • This will help in setting boundaries for your security efforts. Some certifications require an assessment per location and scope, so this needs to be developed properly and in accordance with company’s goals.
  3. Risk Assessment
    • Create policies that help identify and assess information security risks.
    • This involves:
      • How to identify assets: list all the information assets your organization handles, such as data, hardware, software, personnel and intellectual property.
      • How to identify threats and vulnerabilities: Determine potential risks and vulnerabilities that could impact your assets.
      • How to assess risks: Analyze the likelihood and potential impact of these risks.
      • How to calculate risk levels: Prioritize risks based on their severity.
  4. Risk Treatment
    • Develop a policy for the risk treatment plan:
      • How to implement controls: Select and implement security controls and measures to mitigate identified risks.
      • Document policies and procedures that enforce the creation of security controls.
      • Allocate responsibilities: Assign roles and responsibilities for managing and monitoring security measures.
      • Set risk acceptance criteria: Determine which risks can be accepted, mitigated, or transferred.
  5. Establish the ISMS Framework
    • Establish the ISMS framework based on ISO 27001:
      • Define information security objectives.
      • Develop an information security policy.
      • Create a risk assessment methodology.
      • Define criteria for risk acceptance.
      • Develop and implement security controls.
  6. Implementation
    • Execute the ISMS based on the established framework:
      • Train employees: Provide information security training to all staff members.
      • Implement security controls: Put in place the technical, administrative, and physical controls identified in your risk treatment plan.
      • Monitor and review: Continuously monitor the effectiveness of your controls and review your risk assessment.
  7. Measurement and Evaluation
    • Regularly measure and evaluate the performance of your ISMS to ensure that it remains effective and aligned with your objectives.
      • Conduct internal audits.
      • Perform security testing (e.g., penetration testing, vulnerability scanning).
      • Analyze security incident data.
  8. Management Review
    • Conduct regular management reviews to assess the ISMS’s performance and effectiveness.
      • Ensure that the ISMS is aligned with the organization’s strategic goals.
      • Make improvements based on review findings.
  9. Continual Improvement
    • Use the results of audits, reviews, and incidents to continually improve the ISMS.
      • Update policies and procedures as needed.
      • Enhance security controls based on new threats and vulnerabilities.
      • Maintain employee awareness and training.
  10. Certification (Optional):
    • If your organization desires ISO 27001 or any other certification, engage an accredited certification body to perform an external audit and certification assessment.
    • Be careful, because several certifications require a pre-certification or pre-assessment performed either by in-house auditors (internal) or by external auditors.
  11. Documentation
    • Maintain detailed documentation of all ISMS activities, including policies, procedures, risk assessments, and audit reports.
    • Maintain a log of all changes in time, because this demonstrates continual improvement and usage.
  12. Training and Awareness
    • Continuously educate and raise awareness among employees regarding information security policies and best practices.
  13. Incident Response and Recovery
    • Develop an incident response plan to address security incidents promptly and effectively.

 

Remember, and make sure that your management remembers as well, that implementing and maintaining an ISMS is an ongoing process. Even if certifications are usually renewed only every 3 years, it is important that the ISMS is lived during those 3 years.

Regularly update your risk assessments and adapt your security controls to evolving threats and business needs. Continuous improvement is key to the success of your ISMS.

 


NIS2: 2.Designate a responsible person or team

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the second step in implementing NIS2 requirements is to designate a responsible person or team.

Appointing an individual or a team responsible for overseeing the implementation of the NIS2 directive within your company is critical to ensure its success.

NIS2 implementation and compliance is a project, and like any project it must have a dedicated team that actively works on its implementation.

Because the NIS2 requirements demand continuous activity, the project must continue after its initial implementation. This means that a team has to be appointed to this project that is responsible for continuously monitoring and adapting the activities required for NIS2 compliance. To manage these challenges effectively, companies should establish a new dedicated team or name an existing team to be responsible for cybersecurity and compliance.

In this article, we will explore the reasons behind the need for such a team and identify existing teams within a company that could take on these vital responsibilities.

Cyber threats are constantly evolving, becoming more sophisticated and persistent. From data breaches and ransomware attacks to regulatory changes, companies are exposed to a multitude of risks that can have significant consequences.

Here’s why a dedicated cybersecurity and compliance team is essential:

  1. Proactive Threat Mitigation: A dedicated team can stay ahead of emerging threats by continuously monitoring the threat landscape, analyzing vulnerabilities, and implementing proactive security measures. They can assess potential risks and ensure that the company is well-prepared to defend against cyberattacks.
  2. Regulatory Compliance: Compliance with industry-specific regulations (ISO 27001, TISAX, ISO 21434) and data protection laws (such as GDPR or HIPAA) is a legal requirement. A dedicated team can ensure that the company adheres to these regulations, avoiding costly fines and legal repercussions.
  3. Incident Response: In the unfortunate event of a cybersecurity breach, a well-prepared team can swiftly respond to contain the damage, investigate the incident, and minimize the impact on the business and its customers.

 

Good news: existing teams can take on cybersecurity and compliance roles!

Identifying the right team to assume the responsibility of cybersecurity and compliance is crucial.

Below are some existing teams within a company that could take on these roles. However, be aware that, due to the complex nature of the task, an interdisciplinary team has the best chance of success.

 

  • IT Department: IT professionals are typically responsible for managing the company’s technology infrastructure. They can play a critical role in implementing security measures, monitoring networks, and ensuring that software and hardware are up to date with security patches.

Be aware that IT teams may not have the specialized expertise needed for compliance and may benefit from additional support. With the right people on board, they can take over this critical task.

 

  • Legal and Compliance Teams: Legal and compliance departments are already well-versed in navigating complex regulatory frameworks. They can take on the compliance aspect of cybersecurity, ensuring that the company aligns with industry-specific laws and regulations.

L&C teams may require additional cybersecurity expertise to address the technical aspects of protection.

 

  • Dedicated Cybersecurity Team: For companies with significant digital assets and a higher level of exposure to cyber threats, establishing a dedicated cybersecurity team is advisable.

This team would focus exclusively on safeguarding the company’s digital assets, monitoring threats, conducting penetration testing, and developing comprehensive cybersecurity policies and strategies.

 

  • Cross-Functional Cybersecurity Team: In some cases, it may be beneficial to establish a cross-functional committee that includes representatives from various departments, including IT, legal, compliance, and risk management.

This team can collaborate to address cybersecurity and compliance challenges effectively.

 

Important activities that must be performed for NIS2 compliance

As part of the NIS2 requirements, the responsible team must make sure that these activities are performed.

However, due to the fact that so many areas are involved, it is quite clear that the entire company must be involved.

 

  1. Risk Assessment and Management:
    • Identifying and assessing cybersecurity risks and vulnerabilities across the organization.
    • Developing risk mitigation strategies and prioritizing security measures based on the level of risk.
  2. Compliance Monitoring:
    • Ensuring the company complies with relevant industry-specific regulations, data protection laws, and compliance standards (e.g., GDPR, HIPAA, ISO 27001).
    • Conducting regular compliance audits and assessments to identify and address non-compliance issues.
  3. Policy Development and Enforcement:
    • Developing and maintaining comprehensive cybersecurity policies, procedures, and guidelines that align with regulatory requirements and industry best practices.
    • Enforcing these policies throughout the organization and ensuring employees are aware of and adhere to them.
  4. Security Awareness Training:
    • Providing cybersecurity awareness training to employees and stakeholders to enhance their understanding of security risks and best practices.
    • Promoting a security-conscious culture within the organization.
  5. Incident Response Planning:
    • Developing and maintaining an incident response plan that outlines the steps to take in the event of a security incident or data breach.
    • Conducting tabletop exercises and simulations to test the effectiveness of the incident response plan.
  6. Security Auditing and Testing:
    • Conducting regular security audits and assessments to identify vulnerabilities and weaknesses in the company’s systems and processes.
    • Performing penetration testing and vulnerability scanning to proactively detect and address security flaws.
  7. Security Architecture and Design:
    • Collaborating with IT teams to ensure that security is integrated into the design and architecture of systems, applications, and networks.
    • Evaluating and selecting security technologies and solutions to protect the organization’s assets.
  8. Threat Intelligence and Monitoring:
    • Monitoring the threat landscape to stay informed about emerging cybersecurity threats and trends.
    • Collecting and analyzing threat intelligence to proactively identify potential risks to the organization.
  9. Security Incident Investigation:
    • Investigating security incidents and breaches to determine their scope, impact, and root causes.
    • Collecting and preserving digital evidence for potential legal and regulatory purposes.
  10. Vendor and Third-Party Risk Management:
    • Assessing the cybersecurity practices of third-party vendors and partners who have access to the company’s data or systems.
    • Implementing risk mitigation strategies for third-party relationships.
  11. Reporting and Communication:
    • Reporting cybersecurity and compliance status and incidents to senior management, the board of directors, and relevant stakeholders.
    • Maintaining open lines of communication with legal, IT, risk management, and other relevant departments.
  12. Continuous Improvement:
    • Continuously evaluating and improving the organization’s cybersecurity posture based on lessons learned from security incidents and evolving threats.
    • Staying updated on cybersecurity trends and best practices to adapt security measures accordingly.
  13. Business Continuity and Disaster Recovery Planning:
    • Developing and maintaining business continuity and disaster recovery plans to ensure the organization can recover from disruptive events, including cybersecurity incidents.
  14. Regulatory Liaison:
    • Interacting with regulatory authorities and auditors during compliance assessments and audits.
    • Ensuring timely responses to regulatory inquiries and requests for information.

 

Cybersecurity and compliance are ongoing commitments that require dedicated attention and expertise. By establishing a specialized team or task force responsible for these crucial aspects, companies can better protect their data, reputation, and financial stability. Whether by empowering existing teams or creating new ones, the commitment to cybersecurity and compliance is an investment in the long-term success and resilience of the organization.


NIS2: 1. Perform a gap analysis

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the first step in implementing NIS2 requirements is to perform a gap analysis.

 

The most critical part when performing a gap analysis is to define upfront against which standard or security framework are you comparing the existing situation.

It is usual, when performing a gap analysis of security maturity, to compare against the ISO 27000 series of standards, ISO 27001 in particular.

Performing a gap analysis on the security stance of a company following ISO 27001 involves comparing its current security measures and practices against the requirements specified in the ISO 27001 standard.

This analysis helps identify areas where the company’s security posture aligns with the standard (compliance) and areas where there are gaps or deficiencies (non-compliance). Here’s a technical breakdown of the process:

 

  1. Familiarize with ISO 27001
    Understand the ISO 27001 standard and its security requirements. This includes studying the Annex A controls, which represent a comprehensive set of security best practices.
  2. Define the Scope
    Determine the scope of the analysis, starting with which areas of the organization’s security management system (SMS) will be assessed, such as specific departments, processes, assets, or locations.
    Then focus on which parts of the company’s operations will be assessed. This could include networks, systems, applications, physical security, personnel, and other relevant components.
    Keep in mind that usually the goal of the company is not reaching ISO 27001 compliance, but to see its maturity level and how prepared it is for cybersecurity events and incidents.
    This means that the parallel to ISO 27001 controls (see below) should not be extremely strict, unless the goal really is achieving the ISO 27001 certification.
  3. Conduct Interviews and Gather Information
    Collaborate with key stakeholders, security personnel, and IT staff to collect relevant documentation.
    Relevant documentation is anything related to the company’s security practices, policies, procedures, risk assessments, and controls.
    This includes also security manuals, configuration details, system logs, incident reports, risk assessments, and other related documents.
  4. Create a Gap Analysis Checklist
    Develop a detailed checklist that maps the ISO 27001 controls to the company’s existing security controls and practices. The checklist should include relevant information for each control, such as descriptions, implementation status, supporting evidence, and any gaps or deviations. Always keep in mind what was decided in “2. Define the scope”, because this will give you the depth of the analysis.
  5. Assess Current Security Controls for Non-Compliance
    For each control in the checklist, assess whether the company has implemented the control as specified by ISO 27001. Evaluate the effectiveness of the existing controls in meeting the standard’s requirements. Identify gaps and areas where the company’s security measures do not meet the standard’s expectations. These gaps may include missing controls, insufficient implementation, inadequate documentation, or deviations from best practices.
  6. Prioritize and Rate the Gaps
    Classify the identified gaps based on their severity and potential impact on security. Assign a risk rating to each gap to help prioritize remediation efforts.
  7. Propose Remediation Measures
    For each identified gap, suggest specific remediation measures to address the deficiencies. These measures should align with ISO 27001 requirements and aim to improve the company’s security posture.
  8. Create an Action Plan
    Create a detailed action plan that outlines the steps to be taken to address each identified gap. This plan should include timelines, responsibilities, and resources required for implementation.
  9. Reassess and Update
    Periodically repeat the gap analysis process to assess the company’s security stance and ensure continuous improvement. Regularly review and update the action plan based on new threats, changes in the organization’s structure, or updates to the ISO 27001 standard.
  10. Monitor and Review Progress
    Once the action plan is underway, monitor the progress of each remediation effort and periodically review the improvements made. Track the status of the gaps and ensure that the company is moving towards full compliance with ISO 27001.
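Steps 4 to 8 of the gap analysis above (checklist, assessment, rating, remediation, action plan), together with the risk assessment and risk treatment steps of the ISMS article (likelihood, impact, risk level, acceptance criteria), as an added example in Python that is not code from the original posts. It rates every gap in a checklist, decides accept/transfer/mitigate against an acceptance criterion, reports coverage per Annex A theme and orders the gaps into an action plan. Control numbers follow ISO 27001:2022 Annex A; the sample assessment, the 1..5 scales, the severity bands and the acceptance threshold are constructed assumptions for illustration.

```python
"""Gap-analysis checklist with risk rating, treatment and action-plan ordering (added example).

Control numbers follow ISO 27001:2022 Annex A; the sample assessment, scales,
severity bands and acceptance threshold are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from math import ceil
from typing import Dict, List


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    MISSING = "missing"
    NOT_APPLICABLE = "n/a"       # excluded by the scope decision (step 2)


@dataclass(frozen=True)
class ControlCheck:
    control_id: str              # Annex A number, e.g. "A.5.7"
    title: str
    status: Status
    evidence: str                # where proof was found, or why it was not
    likelihood: int              # 1..5: chance the gap leads to an incident
    impact: int                  # 1..5: damage if it does
    owner: str = "unassigned"
    transferable: bool = False   # True if the risk can be passed on (insurance, provider)


# Annex A of ISO 27001:2022 groups controls into four themes by their first number.
THEMES = {"5": "organizational", "6": "people", "7": "physical", "8": "technological"}
ACCEPT_BELOW = 5                 # assumed risk acceptance criterion


def risk_rating(check: ControlCheck) -> int:
    """Likelihood x impact for a missing control, halved (rounded up) for a partial one."""
    if check.status is Status.MISSING:
        return check.likelihood * check.impact
    if check.status is Status.PARTIAL:
        return ceil(check.likelihood * check.impact / 2)
    return 0


def severity(rating: int) -> str:
    """Band used for prioritisation (assumed thresholds)."""
    if rating >= 15:
        return "critical"
    if rating >= 10:
        return "high"
    if rating >= ACCEPT_BELOW:
        return "medium"
    return "low"


def treatment(check: ControlCheck) -> str:
    """Accept, transfer or mitigate, decided against the acceptance criterion."""
    rating = risk_rating(check)
    if rating == 0:
        return "none"            # implemented or out of scope
    if rating < ACCEPT_BELOW:
        return "accept"
    if check.transferable:
        return "transfer"
    return "mitigate"


def coverage_by_theme(checks: List[ControlCheck]) -> Dict[str, float]:
    """Share of applicable controls in place per theme; a partial control counts half."""
    credit = {Status.IMPLEMENTED: 1.0, Status.PARTIAL: 0.5, Status.MISSING: 0.0}
    totals: Dict[str, List[float]] = {}
    for c in checks:
        if c.status is Status.NOT_APPLICABLE:
            continue
        theme = THEMES[c.control_id.split(".")[1]]
        got = totals.setdefault(theme, [0.0, 0])
        got[0] += credit[c.status]
        got[1] += 1
    return {t: round(got / n, 2) for t, (got, n) in totals.items()}


def action_plan(checks: List[ControlCheck]) -> List[Dict[str, object]]:
    """Every gap, highest rating first, with its treatment decision and owner."""
    gaps = [c for c in checks if risk_rating(c) > 0]
    gaps.sort(key=lambda c: (-risk_rating(c), c.control_id))
    return [{"control": c.control_id, "title": c.title, "rating": risk_rating(c),
             "severity": severity(risk_rating(c)), "treatment": treatment(c),
             "owner": c.owner} for c in gaps]


# Constructed sample assessment (not a real company).
SAMPLE_CHECKLIST = [
    ControlCheck("A.5.7", "Threat intelligence", Status.MISSING, "no feed, no process", 3, 3, "CISO"),
    ControlCheck("A.5.24", "Incident management planning and preparation", Status.PARTIAL, "plan exists, never exercised", 4, 5, "CISO"),
    ControlCheck("A.6.3", "Awareness, education and training", Status.IMPLEMENTED, "HR training records", 2, 3, "HR"),
    ControlCheck("A.7.4", "Physical security monitoring", Status.NOT_APPLICABLE, "no own premises in scope", 1, 1),
    ControlCheck("A.8.8", "Management of technical vulnerabilities", Status.MISSING, "no scanning, no patch SLA", 5, 4, "IT"),
    ControlCheck("A.8.16", "Monitoring activities", Status.PARTIAL, "logs kept, not reviewed", 3, 4, "IT"),
    ControlCheck("A.8.24", "Use of cryptography", Status.IMPLEMENTED, "TLS and disk encryption policy", 2, 4, "IT"),
]


if __name__ == "__main__":
    print(coverage_by_theme(SAMPLE_CHECKLIST))
    for row in action_plan(SAMPLE_CHECKLIST):
        print(row)
```

The depth decided in step 2 is reflected by marking out-of-scope controls as not applicable, so they neither count as gaps nor lower the coverage figure; the acceptance threshold is the single place where the risk acceptance criteria from the ISMS risk treatment policy enter the calculation.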

 

 



How-To: NIS2 EU Directive

The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016.

NIS vs. NIS2

While the first NIS (Network and Information Security) Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalisation and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, and by

  • addressing the security of supply chains,
  • streamlining reporting obligations,
  • introducing monitoring measures,
  • introducing more stringent enforcement requirements,
  • adding the concept of “management bodies” accountability within companies, and
  • harmonizing and tightening sanctions in all Member States.

To achieve the above-mentioned goals, NIS2 requires Member States to take a number of measures that force them to work together:

  • Establish or improve information sharing between Member States and a common incident response plan that coordinates with other Member States’ plans
  • Establish a national Computer Emergency Response Team
  • Strengthen cooperation between public and private sector entities

In a nutshell, companies can stay compliant with the NIS2 Directive by

  • establishing an effective monitoring system that can detect intrusions, detect suspicious activities, and alert the authorities when necessary
  • developing comprehensive plans that detail how they will respond to an attack and what steps they will take to recover from it.

The official website of the EU for the NIS2 Directive has prepared an FAQ with many good questions and answers.

However, what the website does not say (for good reasons) is how companies should start preparing to implement the directive.

How to start the compliance path

In order to successfully start implementing the requirements, the following steps should be carried out in this order. We will publish articles about pretty much each of these topics.

1. Conduct a gap analysis

Assess your company’s current cybersecurity practices, policies, and infrastructure against the requirements of the NIS2 directive.

Identify any gaps or areas that need improvement to comply with the directive.

Dedicated article: https://www.sorinmustaca.com/nis2-1-perform-a-gap-analysis/

2. Designate a responsible person or team

Appoint an individual or a team responsible for overseeing the implementation of the NIS2 directive within your company. This could be a dedicated cybersecurity team or an existing department with relevant expertise.

Dedicated article: https://www.sorinmustaca.com/nis2-2-designate-a-responsible-person-or-team/

3. Establish a cybersecurity framework

Develop or update your company’s cybersecurity framework to align with the NIS2 directive. This framework should include policies, procedures, and technical controls to protect your network and information systems effectively.

Dedicated article: https://www.sorinmustaca.com/nis2-3-establish-a-cybersecurity-framework/

4. Perform a risk assessment

Conduct a comprehensive risk assessment of your company’s network and information systems. Identify potential threats, vulnerabilities, and risks that may impact the availability, integrity, and confidentiality of critical systems and data. This assessment will help you prioritize security measures and allocate appropriate resources. Risk management and assessments are an ongoing process. Once one risk assessment is carried out, it is important to schedule regular updates to ensure all steps are maintained.

Dedicated article: https://www.sorinmustaca.com/nis2-perform-a-risk-assessment/

5. Implement security measures

Based on the risk assessment findings, implement appropriate security measures to mitigate identified risks. This may include network segmentation, access controls, intrusion detection systems, incident response procedures, encryption, employee training, and regular security updates, among others.

Dedicated article:

6. Establish incident response capabilities

Develop an incident response plan and establish procedures for detecting, responding to, and recovering from cybersecurity incidents. Ensure the assigned employees are trained on how to recognize and report security breaches promptly. Business continuity is a very complex topic, which must be planned with a lot of time in advance and it requires extra resources (both human and financial).

Dedicated article:

7. Continuously monitor and review

Implement mechanisms to continuously monitor and assess your network and information systems for potential threats. Regularly review and update your cybersecurity measures to adapt to emerging risks and changes in the threat landscape.

Dedicated article:

8. Maintain documentation and records

Keep comprehensive documentation of your cybersecurity measures, risk assessments, incident response activities, and any other relevant information. This documentation will serve as evidence of compliance and may be required for regulatory audits or investigations. A good record might spare your company legal and regulatory repercussions in case of a major incident (cyber-related or not).

Dedicated article:

9. Engage with regulatory authorities

Stay informed about any reporting or notification obligations outlined in the NIS2 directive. Establish communication channels with the relevant regulatory authorities and comply with any reporting requirements or inquiries they may have. NIS2 strives to improve EU-wide communication and sharing of cyber events in order to better prepare answers and reactions. Communication has never been more important than now.

Dedicated article:

10. Define KPIs for cybersecurity and measures taken based on them

In order to measure the effectiveness of your cybersecurity measures, you need to define metrics that allow changes to be identified and quantified. Examples of metrics are the number of incidents, the types of incidents, how many training sessions have been held, how many people were trained, how many pentests were performed and how many issues were identified, and many more.

Dedicated article:

The post How-To: NIS2 EU Directive first appeared on Sorin Mustaca on Cybersecurity.