NIS2 Compliance through Implementation of ISO/IEC 27001:2022
NIS2 sets out numerous requirements for managing cyber risks. These are intended to protect network and information systems, their users and other persons within the EU from circumstances, events or actions that compromise the availability, authenticity, integrity and/or confidentiality of data or services. To achieve this, appropriate processes – called “cyber security practices” in the NIS2 context – and measures – called “cyber security hygiene” in the NIS context – must be effectively implemented.
Both the definition of the required processes and the implementation of suitable measures are best carried out as part of an information security management system (ISMS). The key ISMS standard, applied throughout the EU in particular, is ISO/IEC 27001. Even while the NIS2 Directive was being drafted, a close reference to ISO/IEC 27001 was clearly evident from the requirement in Article 21 (1) in conjunction with Recital 79: relevant international standards such as the ISO/IEC 27000 series must be included in the prevention of cyber risks!
The new controls in Annex A of ISO/IEC 27001, which are described in more detail in the new version of ISO/IEC 27002, are well suited to implementing NIS2 requirements. Fulfilling NIS2 requirements, however, also draws on essential components of the main body of ISO/IEC 27001:2022, the part that must be fulfilled directly for certification. It is worth taking a closer look here.
Alignment of Risk Management
Traditional information security primarily protects the security objectives of availability, integrity and confidentiality of data and services. In the NIS2 context, authenticity is added as an independent security objective.
In the usual risk analysis, only the impact on the direct operator of the network and information systems within the scope of their ISMS is considered. In the NIS2 context, this is extended to undesirable risks for society.
In contrast to its predecessor, the new version of ISO/IEC 27001 now requires that the fulfillment of security objectives be monitored, that criteria for ISMS processes be defined, and that those processes be managed in accordance with these criteria. This is where the two frameworks converge. One criterion for the quality to be achieved is the desired ability to withstand undesired impairments, which can also affect users and other persons. At the same time, this noticeably and significantly increases the resilience achieved against existing cyber threats. So both sides win.
NIS2-specific controls from ISO/IEC 27001:2022:
- The existing threat landscape must be explicitly analyzed (A.5.7)
- Data to be protected must be classified according to all four security objectives (A.5.13)
- The complete life cycle of identities must be considered when defining access rights (A.5.16)
- Established cyber security practices in the supply chain must be explicitly monitored (A.5.19 – A.5.22)
- Lessons learned from incidents must be used to improve cyber security (A.5.27)
- Network and information systems must be aligned to meet business continuity objectives and serve resilience (A.5.30)
- Deployed personnel and interested parties must be trained on specific cyber security requirements (A.6.3)
- Maintaining physical security requires constant monitoring (A.7.4)
- Network and information systems must be configured securely (A.8.9)
- Unusual system behavior must be monitored (A.8.16)
- Only secure networks and network devices are to be integrated (A.8.20)
The controls listed above are in fact closely related to NIS2 requirements as part of the new version of ISO/IEC 27001 and therefore actively contribute to NIS2 conformity.
Several birds with one stone
By consistently implementing NIS2 requirements as part of an ISMS aligned with ISO/IEC 27001:2022, not only is NIS2 compliance achieved, but a forward-looking ISMS is also implemented or enhanced. Such an ISMS is therefore more readily certifiable and in turn serves as proof of effectively implemented, NIS2-compliant cyber security practices in the supply chain.
The experts at SITS will help you to make your ISMS NIS2-compliant or in accordance with the new version of ISO/IEC 27001, as well as to establish suitable, target-oriented and effective measures for cyber security hygiene and implement them in practice.