This post is written for practitioners who, with NIS2 expected to be finally adopted this year, already want to start getting an overview of what NIS2 actually means, and of what needs to be done to approach the task methodically.
As is known, the most important requirements for entities under NIS2 are in Article 18, paragraph 2. We have therefore mapped the requirements of Article 18, paragraph 2 to the relevant standards.
It should also be said that NIS2 itself, in Article 22, paragraph 1, states the following:
"In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favor of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems."
Inspired by Article 22, paragraph 1, we have thus set out to find standards for each requirement in Article 18, paragraph 2; see the list immediately below. Note, however, that the list is not complete, and there may be variations from country to country.
It should also be noted that the Danish authorities, in consultation with the EU institutions, must still come up with more concrete guidance on implementation, so the following is only a preliminary overview of the NIS2 requirements. But, as mentioned, the guidance is expected to consist of implementing the relevant standards, so our guess is that the following will form the background for the guidance that flows from NIS2.
And last but not least: the mapping has been done against the new 2022 version of ISO27002, and if you need help either implementing it or updating from the 2013 version, you are welcome to contact Jacob George Naur.
Article 18(2), letter a: risk analysis and information system security policies
ISO27002:2022 5.1 Policies for Information Security
ISO27001:2017 Clause 5.2 (Policy) and Clause 6.1 (Actions to address risks and opportunities), in particular Clause 6.1.2 (Information security risk assessment) and Clause 6.1.3 (Information security risk treatment)
NIST SP 800-53r5: this has no single overarching policy requirement; the policy requirement sits in each control family instead, e.g. AC-1 Policy and Procedures (AC is Access Control)
Article 18(2), letter b: incident handling
ISO27002:2022 5.24 Information security incident management planning and preparation
ISO27002:2022 5.25 Assessment and decision on information security events
ISO27002:2022 5.26 Response to information security incidents
ISO27002:2022 5.27 Learning from information security incidents
ISO27002:2022 5.28 Collection of evidence
ISO27002:2022 6.8 Information security event reporting
Article 18(2), letter c: business continuity, such as backup management and disaster recovery, and crisis management
ISO27002:2022 5.29 Information security during disruption
ISO27002:2022 5.30 ICT readiness for business continuity
NIST SP 800-53 rev 5.1 Contingency Planning (the CP controls)
Article 18(2), letter d: supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
NIST SP 800-53r5: this has a whole control family on the subject, Supply Chain Risk Management (the SR controls)
ISO27002:2022 5.19 Information security in supplier relationships
ISO27002:2022 5.20 Addressing information security within supplier agreements
ISO27002:2022 5.21 Managing information security in the ICT supply chain
ISO27002:2022 5.22 Monitoring, review and change management of supplier services
ISO27002:2022 5.23 Information security for use of cloud services
Article 18(2), letter e: security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
ISO27002:2022 5.7 Threat intelligence
ISO27002:2022 8.20 Network security
ISO27002:2022 8.21 Security of network services
ISO27002:2022 8.25 Secure development life cycle
ISO27002:2022 8.26 Application security requirements
ISO27002:2022 8.27 Secure system architecture and engineering principles
ISO27002:2022 8.28 Secure coding
ISO27002:2022 8.29 Security testing in development and acceptance
ISO27002:2022 8.31 Separation of development, test and production environments
Article 18(2), letter f: policies and procedures to assess the effectiveness of cybersecurity risk management measures
ISO27001:2017 Clause 9.1 Monitoring, measurement, analysis and evaluation
Article 18(2), letter fa: basic computer hygiene practices and cybersecurity training
Cyber Essentials: the UK Cyber Essentials programme (https://www.ncsc.gov.uk/cyberessentials/overview)
ISO27002:2022 6.3 Information security awareness, education, and training
Article 18(2), letter g: policies and procedures regarding the use of cryptography and, where appropriate, encryption
ISO27002:2022 8.24 Use of cryptography
Article 18(2), letter ga: human resources security, access control policies and asset management
ISO27002:2022 6.x People controls (the HR area)
ISO27002:2022 5.1 Policies for information security (topic-specific policies, here the access control policy)
ISO27002:2022 5.15 Access control
ISO27002:2022 5.9 Inventory of information and associated assets
ISO27002:2022 5.10 Acceptable use of information and associated assets
ISO27002:2022 5.11 Return of assets
Article 18(2), letter gb: the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communications systems within the entity, where appropriate
ISO27002:2022 5.15 Access control (your access control policy may require MFA or other forms of secure identification/authentication, including continuous authentication, i.e. not only at login but throughout the session)
ISO27002:2022 5.30 ICT readiness for business continuity