NIS2: 1. Perform a gap analysis

We wrote here that the first step in implementing NIS2 requirements is to perform a gap analysis.   The most critical part when performing a gap analysis is to define upfront against which standard or security framework are you comparing the existing situation. It is usual when performing a gap analysis of security maturity to compare against ISO 27000 standard, the ISO 27001 in particular. Performing a gap analysis on the security stance of a company following ISO 27001 involves comparing its current security measures and practices against the requirements specified in the ISO 27001 standard. This analysis helps identify areas where the company’s security posture aligns with the standard (compliance) and areas where there are gaps or deficiencies (non-compliance). Here’s a technical breakdown of the process:   Familiarize with ISO 27001 Understand the ISO 27001 standard and its security requirements. This includes studying the Annex A controls, which represent a comprehensive set of security best practices. Define the Scope Determine the scope of the analysis, starting with which areas of the organization’s security management system (SMS) will be assessed, such as specific departments, processes, assets, or locations. Then focus on which parts of the company’s operations will be…

No Image

How-To: NIS2 EU Directive

The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016. NIS vs. NIS2 While the first NIS (Network and Information Security) Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed with digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, taking into account the security of supply chains, streamlining reporting obligations, introducing monitoring measures, introducing more stringent enforcement requirements, adding the concept of “management bodies” accountability within companies, and harmonizing and tightening sanctions in all Member States. To achieve the above mentioned goals, NIS2 requires member states to take a number of measures that forces them to work together: Establish or improve information sharing between member states and a common incident…

Executive summary: NIS2 Directive for the EU members

  The NIS 2 Directive is a set of cybersecurity guidelines and requirements established by the European Union (EU) . It replaces and repeals the NIS Directive (Directive 2016/1148/EC) . The full name of the directive is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)” . The NIS 2 Directive aims to improve cybersecurity risk management and introduce reporting obligations across sectors such as energy, transport, health, and digital infrastructure . It provides legal measures to boost the overall level of cybersecurity in the EU . The directive covers a larger share of the economy and society by including more sectors, which means that more entities are obliged to take measures to increase their level of cybersecurity . The management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation, and can be held liable for infringements . Who is affected? The NIS 2 Directive significantly expands the sectors and type of critical entities falling under its scope….

%d bloggers like this: