NIS2 Archive - SITS

NIS2 Compliance through Implementation of ISO/IEC 27001:2022

NIS2 sets out numerous requirements for managing cyber risks. These are intended to protect network and information systems, their users and other persons within the EU from circumstances, events or actions that compromise the availability, authenticity, integrity and/or confidentiality of data or services. To achieve this, appropriate processes – called “cyber security practices” in the NIS2 context – and measures – called “cyber security hygiene” in the NIS2 context – must be implemented effectively.

Both the definition of the required processes and the implementation of suitable measures are best carried out within an information security management system (ISMS). The key standard for an ISMS, and the one that applies throughout the EU in particular, is ISO/IEC 27001. Even while the NIS2 Directive was being drafted, a close reference to ISO/IEC 27001 was clearly evident from the requirement in Article 21 (1) in conjunction with Recital 79: relevant international standards such as the ISO/IEC 27000 series must be taken into account in the prevention of cyber risks.

The new controls in Annex A of ISO/IEC 27001, which are described in more detail in the new version of ISO/IEC 27002, are particularly well suited to implementing NIS2 requirements. Meeting NIS2 requirements, however, also relies on essential components from the part of ISO/IEC 27001:2022 that must be fulfilled directly for certification. It is worth taking a closer look here.

Alignment of Risk Management

Traditional information security primarily protects the security objectives of availability, integrity and confidentiality of data and services. In the NIS2 context, authenticity is added as an independent security objective.

In the usual risk analysis, only the impact on the direct operator of the network and information systems within the scope of their ISMS is considered. In the NIS2 context, this is extended to undesirable risks for society.

In contrast to its predecessor, the new version of ISO/IEC 27001 now requires that the fulfillment of security objectives be monitored, that criteria for the ISMS processes be defined, and that those processes be managed in accordance with these criteria. This is where the two frameworks converge. The quality criterion to be implemented is the desired degree of control over undesired impairments, which can also affect users and other persons. At the same time, this noticeably and significantly increases the resilience achieved against existing cyber threats. Both sides win.

NIS2-specific controls from ISO/IEC 27001:2022:

  • The existing threat landscape must be explicitly analyzed (A.5.7)
  • Data to be protected must be classified according to all four security objectives (A.5.13)
  • The complete life cycle of identities must be considered when defining access rights (A.5.16)
  • Established cyber security practices in the supply chain must be explicitly monitored (A.5.19 – A.5.22)
  • Lessons learned from incidents must be used to improve cyber security (A.5.27)
  • Network and information systems must be aligned to meet business continuity objectives and serve resilience (A.5.30)
  • Deployed personnel and interested parties must be trained on specific cyber security requirements (A.6.3)
  • Maintaining physical security requires constant monitoring (A.7.4)
  • Network and information systems must be configured securely (A.8.9)
  • Unusual system behavior must be monitored (A.8.16)
  • Only secure networks and network devices are to be integrated (A.8.20)

The controls listed above are in fact closely related to NIS2 requirements as part of the new version of ISO/IEC 27001 and therefore actively contribute to NIS2 conformity.

Several birds with one stone

By consistently implementing NIS2 requirements as part of an ISMS aligned with ISO/IEC 27001:2022, not only is NIS2 compliance achieved, but a forward-looking ISMS is also implemented or enhanced. Such an ISMS is more readily certifiable, and certification in turn serves as proof of effectively implemented NIS2-compliant cyber security practices in the supply chain.

The experts at SITS will help you to make your ISMS NIS2-compliant or in accordance with the new version of ISO/IEC 27001, as well as to establish suitable, target-oriented and effective measures for cyber security hygiene and implement them in practice.

Risk management according to NIS2

NIS2 is intended to protect network and information systems, their users and other persons within the EU from cyber threats. This includes all circumstances, events or actions that affect the availability, authenticity, integrity and/or confidentiality of data and services. These are the security objectives pursued by the NIS2 Directive.

The more exposed a company is, the more likely it is to be targeted by attackers. Attackers are increasingly reaching their actual victims via the supply chain. For this reason, in addition to the sector reference and the now significantly lower threshold values for the number of employees and for annual turnover or annual balance sheet total, NIS2 also focuses on the supply chain. NIS2 looks at the impact of a cyber threat and permits only minimal impairment of the four security objectives mentioned.

Indicators for Effective Risk Management

The following key questions should be answered to ensure effective risk management in accordance with NIS2:

  • Are all network and information systems used considered in the risk analysis?
  • Is an explicit reference made to all four security objectives?
  • Is the influence of the supply chain sufficiently reviewed?
  • Have robust risk acceptance criteria been defined that are understood by different people and lead to comparable results?
  • Is it ensured that, at the end of the risk management process, impairments of the four security objectives are limited to a reasonably justifiable level?
  • Does the risk analysis address context-related and actually relevant cyber threats instead of general threat lists?
  • Is risk management controlled by central specifications from a guideline or directive?
  • Are identified risks and their sources regularly reviewed?
  • Are the measures to address existing risks already implemented in operations, and are they having the intended effect?
  • Can the effectiveness of the implemented measures be documented in a comprehensible manner?
  • Does such evidence explicitly include all processes involved?
  • Is the current state of the art consistently adhered to during implementation?

If you can answer all of these questions with a clear yes for your organization, you are one of the lucky few who are already well prepared for NIS2! However, if there are any doubts or uncertainties, you will most likely need specialist support. In this case, the SITS NIS2 assessment can help.

Heading into the new cyber age

As part of the NIS2 directive, security managers are faced with a lot of new vocabulary that they still need to get used to. Processes are now understood as “cyber security practice”. Measures, in turn, are used for “cyber security hygiene”.

In addition to risk management, NIS2-compliant processes also require emergency management, incident management, supply chain management and personnel management that are geared towards NIS2. Employees must also be explicitly made aware of cyber security. This includes managers as well as executive staff.

The measures, in turn, are primarily geared towards preventing data leakage. Measures are required for vulnerability and patch management, password management, system hardening, network segmentation and data backup, as well as for preventing threats to physical security and to the supply of electricity and internet connectivity. You need to be prepared for human and technical errors and be able to recognize and, where possible, fend off malicious attacks.

In short: in the context of cyber security, there is a lot of work to be done by those responsible for security at affected organizations, and it has to be done within a short implementation period. If an organization fails to do so, or does so incompletely or inaccurately, it could face significantly higher administrative sanctions than under the previous rules and, under certain circumstances, even the dismissal of members of its management board.

What’s more: National legislators within the EU may tighten these regulations even further as part of their national implementation.

NIS2: Are you affected?

On the one hand, NIS2 covers institutions that are now directly addressed due to their sector affiliation. Checking whether this is the case is quite challenging, so we have prepared an Online Check for you that provides the relevant information. On the other hand, NIS2 also covers facilities that operate as part of the supply chain, again regardless of their size. Optimistic estimates assume at least a factor of 10 for newly obligated organizations and companies. The reality is likely to be significantly higher.