Achieving NIS 2 compliance is a comprehensive process where individual starting points converge towards the same goal. It simply means that you are going on a journey of maturity that can take several years depending on your starting point. The path towards the goal is generally the same for everyone, but the size of the challenges that arise along the way can vary considerably.
Based on its considerable expertise and experience in cyber and information security, Unitas has developed a transparent and pragmatic process based on the ISO27001/2 standard.
The individual steps
The process begins with a workshop, where together we identify the challenges and barriers that must be overcome to achieve the goal. We establish a common understanding of management's responsibilities in relation to NIS 2 and draw up a plan for the rest of the process.
We then perform a gap analysis. By comparing the existing measures with either the ISO27002 measures or by carrying out a CIS Controls analysis, we get a clear sense of your current situation and the milestones that must be met along the way. We naturally start from whatever relevant documentation the organization may already have.
A key part of implementing NIS 2 when following the ISO2700x approach is to anchor an information security policy with the management. On this basis, an overview is prepared of the ISO27002 measures that already exist, that must be improved, or that must be established in the organization for the first time. These measures are translated into requirements that must be complied with by the IT department in particular, both internally and in relation to IT suppliers/data processors. We then describe the requirements more simply and comprehensibly in an easy-to-read, employee-oriented handbook that deals with the specific areas related to the individual work functions in the organization. Depending on the circumstances, handbooks can be prepared targeting, for example, Procurement, HR and Facility.
The documentation is crucial! The documentation is established and maintained by creating an information security management system (ISMS) that collects the work above. But the ISMS must be revised, and not least improved and used actively, going forward. This requires IT support. If you already have an IT system that you use to manage cyber and information security, we naturally start from that. Alternatively, we can help identify your needs. We have tools such as Wired Relations and Cyberday available that can support the task and, where relevant, also cover compliance with other sources of cyber and information security requirements, such as, but not exclusively, GDPR, PCI DSS, customers' special needs, sector legislation, etc. All systems, measures and annual processes must be documented and managed in the IT system that supports the work with the ISMS.
Operation and improvement
When the documentation is in place in the IT system that supports your ISMS, you must comply with the measures that have been selected. Remember that each measure, depending on your current level, means that you must change your normal activities in light of the measure. Typically, one would therefore speak of each measure being linked to a policy that must be followed. In our method, the policies are translated into easier-to-understand handbooks. The word policy thus simply means that the organization has decided to carry out a certain activity in a certain way.
Example: Procurement must comply with measures that contain requirements that cyber and information security must be included in the IT contracts, and that it must be checked that the IT suppliers actually comply with the security requirements. It may also be that your passwords need to be improved in light of selected measures that require it.
The adjustment of your daily activities across the organization is called the operational phase. In the operational phase, as mentioned, the selected measures are carried out. The aim is to improve the implementation of the measures, so action is naturally taken on any measures found not to be implemented: we assess what is hindering the implementation and, if necessary, revise the policy that describes what needs to be done. Finally, it is ensured that the policies are properly communicated to the right people in the organization.
You are on target!
After a successful period of operation, you are able to document compliance with the NIS 2 requirements, as well as adjust how you comply with NIS 2 once the Danish NIS 2 legislation is in place. If desired, compliance can be demonstrated by obtaining the D mark. However, the D mark is not a guarantee that the authorities also consider you fully compliant with NIS 2, but merely an indication of this.
You are now ready to try our NIS 2 price calculator.