NIS2 obligations

NIS2 obligations and ISO27001

NIS2 obligations. The NIS2 Directive is the tightened European legislation that requires organisations to structurally improve their digital resilience.
In particular, entities in essential and important sectors face extensive NIS2 obligations that go beyond traditional security measures. The directive focuses not only on technology but especially on governance, risk management and management accountability. Organizations must have a demonstrable grip on cyber risks, report significant incidents quickly and implement appropriate and proportionate security measures. The NIS2 obligations include continuous monitoring, supply chain security and stricter reporting requirements towards the competent authority.

This requires a structured and repeatable approach that goes beyond individual measures. This is where ISO/IEC 27001 comes into the picture as a proven foundation for compliance. ISO 27001 provides an integrated management system with which organizations systematically identify, assess, treat and continually review information security risks. The strong overlap between ISO 27001 and the NIS2 obligations makes it possible to reuse existing controls efficiently, so organizations can comply with the legislation faster without duplicated effort or fragmented processes. In addition, an ISMS based on ISO 27001 produces the evidence (policies, risk register, Statement of Applicability, audit records) that regulators and stakeholders will ask for.

In short, organizations that use ISO 27001 strategically turn NIS2 from a compliance challenge into an opportunity to structurally strengthen their digital resilience and market position.

What is NIS2

The NIS2 Directive (Network and Information Security Directive 2, Directive (EU) 2022/2555, successor to NIS1) was adopted by the European Union to strengthen cybersecurity and digital resilience across the member states. NIS2 goes further than its predecessor: more sectors, stricter security requirements and incident reporting obligations. The duty of care and the duty to report are its central elements. The directive entered into force in January 2023, and member states had to transpose it into national law by 17 October 2024.


What is ISO27001

ISO/IEC 27001 is a globally recognized standard for information security. It describes how information security is managed in a process-oriented way, with the aim of ensuring the confidentiality, integrity and availability of information within the organization. The standard specifies the requirements for an information security management system (ISMS) and lists, in Annex A, a set of reference controls to take cybersecurity and privacy protection to a higher level.


NIS2 and ISO27001 - similarities and differences

If the organization's ISMS is set up in accordance with ISO 27001, an important step has already been taken. There is an information security policy, logical access control is in place, employees are aware of information security risks, an incident management process has been implemented, and so on. That is a head start on NIS2, especially if the ISO 27001 management system is certified.
There are, however, differences. NIS2 imposes a duty of care and a duty to report significant incidents to the national CSIRT or competent authority on fixed deadlines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours and a final report within one month. The organization is supervised by a competent authority, and the management body must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements. Note that an ISO 27001 certificate is not in itself proof of NIS2 compliance: the certified scope of the ISMS must actually cover the network and information systems that fall under NIS2, and the reporting deadlines are stricter than anything ISO 27001 requires.


NIS2 obligations

The measures that must be taken to comply with the duty of care of NIS2:


  • Policies on risk analysis and information system security
  • Incident handling (policies and procedures)
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security, including the security-related aspects of the relationships with direct suppliers and service providers
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate


ISO27001 Annex A

In addition to the risk assessment and risk treatment that form an integral part of this management system standard, the standard lists a set of reference controls in Annex A (93 controls in ISO/IEC 27001:2022, grouped into four themes). These cover a broader range of topics than the NIS2 obligations listed above. Note the difference in status: the NIS2 list is a legal minimum, whereas Annex A controls are selected on the basis of the risk assessment and their inclusion or exclusion is justified in the Statement of Applicability.


5 Organizational controls

5.1  Policies for information security
5.2  Information security roles and responsibilities
5.3  Segregation of duties
5.4  Management responsibilities
5.5  Contact with authorities
5.6  Contact with special interest groups
5.7  Threat intelligence
5.8  Information security in project management
5.9  Inventory of information and other associated assets
5.10  Acceptable use of information and other associated assets
5.11  Return of assets
5.12  Classification of information
5.13  Labelling of information
5.14  Information transfer
5.15  Access control
5.16  Identity management
5.17  Authentication information
5.18  Access rights
5.19  Information security in supplier relationships
5.20  Addressing information security within supplier agreements
5.21  Managing information security in the ICT supply chain
5.22  Monitoring, review and change management of supplier services
5.23  Information security for use of cloud services
5.24  Information security incident management planning and preparation
5.25  Assessment and decision on information security events
5.26  Response to information security incidents
5.27  Learning from information security incidents
5.28  Collection of evidence
5.29  Information security during disruption
5.30  ICT readiness for business continuity
5.31  Legal, statutory, regulatory and contractual requirements
5.32  Intellectual property rights
5.33  Protection of records
5.34  Privacy and protection of PII
5.35  Independent review of information security
5.36  Compliance with policies, rules and standards for information security
5.37  Documented operating procedures

6 People controls

6.1  Screening
6.2  Terms and conditions of employment
6.3  Information security awareness, education and training
6.4  Disciplinary process
6.5  Responsibilities after termination or change of employment
6.6  Confidentiality or non-disclosure agreements
6.7  Remote working
6.8  Information security event reporting

7 Physical controls

7.1  Physical security perimeters
7.2  Physical entry
7.3  Securing offices, rooms and facilities
7.4  Physical security monitoring
7.5  Protecting against physical and environmental threats
7.6  Working in secure areas
7.7  Clear desk and clear screen
7.8  Equipment siting and protection
7.9  Security of assets off-premises
7.10  Storage media
7.11  Supporting utilities
7.12  Cabling security
7.13  Equipment maintenance
7.14  Secure disposal or re-use of equipment

8 Technological controls

8.1  User endpoint devices
8.2  Privileged access rights
8.3  Information access restriction
8.4  Access to source code
8.5  Secure authentication
8.6  Capacity management
8.7  Protection against malware
8.8  Management of technical vulnerabilities
8.9  Configuration management
8.10  Information deletion
8.11  Data masking
8.12  Data leakage prevention
8.13  Information backup
8.14  Redundancy of information processing facilities
8.15  Logging
8.16  Monitoring activities
8.17  Clock synchronization
8.18  Use of privileged utility programs
8.19  Installation of software on operational systems
8.20  Networks security
8.21  Security of network services
8.22  Segregation of networks
8.23  Web filtering
8.24  Use of cryptography
8.25  Secure development life cycle
8.26  Application security requirements
8.27  Secure system architecture and engineering principles
8.28  Secure coding
8.29  Security testing in development and acceptance
8.30  Outsourced development
8.31  Separation of development, test and production environments
8.32  Change management
8.33  Test information
8.34  Protection of information systems during audit testing


ISMS for ISO27001, practical example

Even if you can set up an ISO 27001 management system as a cloud solution in 60 seconds, working step by step towards an implemented and certifiable ISMS requires the necessary attention. Below is an example of the basic setup of an ISMS (Information Security Management System). For the required controls, our business partner Meta-audit.nl has once again provided a number of overviews and the mandatory documents. (For their digital checklist or starter pack, click here.) Their knowledge has been incorporated into the demo environments below. 'Better borrowed well than badly thought up' :-)

Start your free trial now

We don't have 'shiny leaflets'. Get hands-on with the product right away and experience the convenience, overview and productivity improvement.
We support you online and share the experience and best practices of other users.

Start Now