NIS2: We have mapped the requirements to the relevant standards

This post is written for the practitioners out there who already now little by little want to get an overview of what NIS2 actually means when NIS2 is expected to be finally adopted this year, as well as what needs to be done in order to get a method in the task solution.

As is known, the most important requirements for the units in NIS2 are in Article 18, paragraph 2. We have therefore clarified Article 18, subsection 2 requirements through the relevant standards.

And then it must be said that NIS2 itself states in Article 22, paragraph 1, the following:

"In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favor of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.”

Inspired by Article 22, paragraph 1, we have thus set out to find standards for each requirement in Article 18, paragraph 2. See immediately below. However, it must be noted that the list is not complete. There may be variations from country to country.

It should also be noted that the Danish authorities in consultation with EU institutions must come up with more concrete guidance on implementation, so the following is just a preliminary overview of the NIS2 requirements. But, as mentioned, the guidance effort will be expected to consist of the implementation of the relevant standards, so our guess is that the following will form the background for the guidance that flows from NIS2.

And last but not least: The mapping has been done in relation to the new 2022 version of ISO27002, and if you need either implementation of this or an update from the 2013 version, you are welcome to take Erik Dalskov, which is certified ISO 27001-Lead Implementer.

Nature. 18 pcs. 2, letter a: risk analysis and information system security policies

ISO27002:2022 5.1 Policies for Information Security

ISO27001:2017 Clause 5.2 (Policy), Clause 6.1 (Actions to address risks and opportunities), more specifically perhaps Clause 6.1.2 (information security risk assessment) and Clause 6.1.3 (Information Security risk treatment)

NIST SP 800-53r5 This does not basically have an overarching policy requirement – ​​it lies in the individual measures, e.g. AC-1 Policy and Procedures (AC is Access Control)

Nature. 18 pcs. 2 letter b:     incident action

ISO27002:2022 5.24 Information security incident management planning and preparation

ISO27002:2022 5.25 Assessment and decision on information security events

ISO27002:2022 5.26 Response to information security incidents

ISO27002:2022 5.27 Learning from information security incidents

ISO27002:2022 5.28 Collection of evidence

ISO27002:2022 6.8 Information security event reporting

Nature. 18 pcs. 2 letter c: business continuity, such as backup management and disaster recovery, and crisis management

ISO27002:2022 5.24 Information security during disruption

ISO27002:2022 5.30 ICT readiness for business continuity

 NIST SP800-53 rev 5.1 Contingency Planning

Nature. 18 pcs. 2 letter d: supply chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers

NIST SP 800-53r5 This has a whole section on this. Supply Chain Risk Management (SR measures)

ISO27002:2022 5.19 Information security in supplier relationships

ISO27002:2022 5.20 Addressing information security within supplier agreements

ISO27002:2022 5.21 Managing information security in the ICT supply chain

ISO27002:2022 5.22 Monitoring, review and change management of supplier services

ISO27002:2022 5.23 Information security for use of cloud services

Nature. 18 pcs. 2 letter e:     security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

ISO27002:2022 5.7 Threat intelligence

ISO27002:2022 8.20 Network security

ISO27002:2022 8.21 Security of network services

ISO27002:2022 8.25 Secure development life cycle

ISO27002:2022 8.26 Application security requirements

ISO27002:2022 8.27 Secure system architecture and engineering principles

ISO27002:2022 8.28 Secure coding

ISO27002:2022 8.29 Security testing in development and acceptance

ISO27002:2022 8.31 Separation of development, test and production environments

Nature. 18 pcs. 2 letter f: policies and procedures to assess the effectiveness of cybersecurity risk management measures

ISO27001:2017 Clause 9.1 Monitoring, measurement, analysis and evaluation

Nature. 18 pcs. 2 liters fa:    basic computer hygiene practices and cybersecurity training;

Cyber ​​Essentials UK Cyber ​​Essentials programme

(https://www.ncsc.gov.uk/cyberessentials/overview)

ISO27002:2022 6.3 Information security awareness, education, and training

Nature. 18 pcs. 2 letter g: policies and procedures regarding the use of cryptography and, where appropriate, encryption

ISO27002:2022 8.24 Use of cryptography

Nature. 18 pcs. 2 letter ga: human resources security, access control policies and asset management;

ISO27002:2022 6.X People controls (HR area)

ISO27002:2022 5.1 Policies for information security (topic specific policies – access control policy)

ISO27002:2022 5.15 Access control

ISO27002:2022 5.9 Inventory of information and associated assets

ISO27002:2022 5.10 Acceptable use of information and associated assets

ISO27002:2022 5.11 Return of assets

Nature. 18 pcs. 2 liters gb: the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communications systems within the entity, where appropriate.

ISO27002:2022 5.15 Access Control (your data access policy may require MFA or other types of secure identification/authentication, including continuous authentication not only at login, but continuously throughout the session)

ISO27002:2022 5.15 ICT Readiness for business continuity