Archive for category: Post

We wrote here https://www.sorinmustaca.com/how-to-nis2-eu-directive/ that the 3rd  step in implementing the requirements of the directive is to establish a cybersecurity framework.

If you haven’t read what a cybersecurity framework means, then you should read article: https://www.sorinmustaca.com/demystifying-cybersecurity-terms-policy-standard-procedure-controls-framework/ .

An ISMS is typically based on the ISO 27001 standard, which provides a framework for establishing, implementing, maintaining, and continually improving information security within an organization.

Establishing a cybersecurity framework is usually achieved together with, or while implementing an Information Security Management System (ISMS) based on a standard like ISO 27001. So, before going to the NIS2 Step 3, I must explain why is it important to have a “good” ISMS.

This article will guide you through the steps to create a solid foundation for the ISMS which uses a cybersecurity framework.

Here are the steps you must follow to implement your ISMS:

Get Top Management Support

Before you start, synchronize with the top management in order to define company’s goals in this regard. Usually it should be clear, since the company strives to receive a certification like ISO 27001, ISO 16949, TISAX, CSMS, etc..
Then secure the commitment and support of senior management by helping them understand the necessary resources and efforts.
In all standards that require an ISMS it is imperative to have the commitment of the management because their feedback and support are required in several places along the way.

Scope Definition

Define the scope of your ISMS: determine which assets, processes, and locations will be covered by the ISMS.
This will help in setting boundaries for your security efforts. Some certifications require an assessment per location and scope, so this needs to be developed properly and in accordance with company’s goals.

Risk Assessment

Create policies that help identify and assess information security risks.
This involves:

How to identifying assets: List all the information assets your organization handles, such as data, hardware, software, and personnel, intellectual property.
How to identify threats and vulnerabilities: Determine potential risks and vulnerabilities that could impact your assets.
How to assess risks: Analyze the likelihood and potential impact of these risks.
How to calculate risk levels: Prioritize risks based on their severity.

Risk Treatment

Develop a policy for risk treatment plan:

How to implement controls: Select and implement security controls and measures to mitigate identified risks.
Document policies and procedures that enforce the creation of security controls.
Allocate responsibilities: Assign roles and responsibilities for managing and monitoring security measures.
Set risk acceptance criteria: Determine which risks can be accepted, mitigated, or transferred.

 Establish the ISMS Framework

Establish the ISMS framework based on ISO 27001:

Define information security objectives.
Develop an information security policy.
Create a risk assessment methodology.
Define criteria for risk acceptance.
Develop and implement security controls.

Implementation

Execute the ISMS based on the established framework:

Train employees: Provide information security training to all staff members.
Implement security controls: Put in place the technical, administrative, and physical controls identified in your risk treatment plan.
Monitor and review: Continuously monitor the effectiveness of your controls and review your risk assessment.

Measurement and Evaluation

Regularly measure and evaluate the performance of your ISMS to ensure that it remains effective and aligned with your objectives.

Conduct internal audits.
Perform security testing (e.g., penetration testing, vulnerability scanning).
Analyze security incident data.

Management Review

Conduct regular management reviews to assess the ISMS’s performance and effectiveness.

Ensure that the ISMS is aligned with the organization’s strategic goals.
Make improvements based on review findings.

Continual Improvement

Use the results of audits, reviews, and incidents to continually improve the ISMS.

Update policies and procedures as needed.
Enhance security controls based on new threats and vulnerabilities.
Maintain employee awareness and training.

Certification (Optional):

If your organization desires ISO 27001 or any other certification, engage an accredited certification body to perform an external audit and certification assessment.
Be careful because several certification require a pre-certification or pre-assessment performed either with in-house auditors (internal) or external auditors.

Documentation

Maintain detailed documentation of all ISMS activities, including policies, procedures, risk assessments, and audit reports.
Maintain a log of all changes in time, because this demonstrates continual improvement and usage.

Training and Awareness

Continuously educate and raise awareness among employees regarding information security policies and best practices.

Incident Response and Recovery

Develop an incident response plan to address security incidents promptly and effectively.

Remember, and make sure that your management remembers as well, that implementing and maintaining an ISMS is an ongoing process. Even if certifications are renewed only after 3 years (usually) it is important that in these 3 years the ISMS is lived.

Regularly update your risk assessments and adapt your security controls to evolving threats and business needs. Continuous improvement is key to the success of your ISMS.

The post How to implement an Information Security Management System (ISMS) first appeared on Sorin Mustaca on Cybersecurity.

The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016.

NIS vs. NIS2

While the first NIS (Network and Information Security) Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed with digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, taking into account

the security of supply chains,
streamlining reporting obligations,
introducing monitoring measures,
introducing more stringent enforcement requirements,
adding the concept of “management bodies” accountability within companies, and
harmonizing and tightening sanctions in all Member States.

To achieve the above mentioned goals, NIS2 requires member states to take a number of measures that forces them to work together:

Establish or improve information sharing between member states and a common incident response plan that coordinates with other member state plans
Establish a national Computer Emergency Response Team
Strengthen cooperation between public and private sector entities

In a nutshell, companies can stay compliant with the NIS2 Directive by

establishing an effective monitoring system that can detect intrusions, detect suspicious activities, and alert the authorities when necessary
developing comprehensive plans that detail how they will respond to an attack and what steps they will take to recover from it.

The official website of the EU for the NIS2 Directive has prepared an FAQ with many good questions and answers.

However, what the website is not saying (for good reasons) is how should companies start to prepare for implementing the directive.

How to start the compliance path

In order to successfully start implementing the requirements, the following steps should be implemented in this order. We will publish articles about pretty much each of these topics.

1.Conduct a gap analysis

Assess your company’s current cybersecurity practices, policies, and infrastructure against the requirements of the NIS2 directive.

Identify any gaps or areas that need improvement to comply with the directive.

2.Designate a responsible person or team

Appoint an individual or a team responsible for overseeing the implementation of the NIS2 directive within your company. This could be a dedicated cybersecurity team or an existing department with relevant expertise.

3.Establish a cybersecurity framework

Develop or update your company’s cybersecurity framework to align with the NIS2 directive. This framework should include policies, procedures, and technical controls to protect your network and information systems effectively.

4.Perform a risk assessment

Conduct a comprehensive risk assessment of your company’s network and information systems. Identify potential threats, vulnerabilities, and risks that may impact the availability, integrity, and confidentiality of critical systems and data. This assessment will help you prioritize security measures and allocate appropriate resources. Risk management and assessments are an ongoing process. Once one risk assessment is carried out, it is important to schedule regular updates to ensure all steps are maintained.

5.Implement security measures

Based on the risk assessment findings, implement appropriate security measures to mitigate identified risks. This may include network segmentation, access controls, intrusion detection systems, incident response procedures, encryption, employee training, and regular security updates, among others.

6.Establish incident response capabilities

Develop an incident response plan and establish procedures for detecting, responding to, and recovering from cybersecurity incidents. Ensure the assigned employees are trained on how to recognize and report security breaches promptly. Business continuity is a very complex topic, which must be planned with a lot of time in advance and it requires extra resources (both human and financial).

7.Continuously Monitor and review

Implement mechanisms to continuously monitor and assess your network and information systems for potential threats. Regularly review and update your cybersecurity measures to adapt to emerging risks and changes in the threat landscape.

8. Maintain documentation and records

Keep comprehensive documentation of your cybersecurity measures, risk assessments, incident response activities, and any other relevant information. This documentation will serve as evidence of compliance and may be required for regulatory audits or investigations. A good record might save your company legal and regulatory repercussions in case of a major incident (cyber related or not).

9.Engage with regulatory authorities

Stay informed about any reporting or notification obligations outlined in the NIS2 directive. Establish communication channels with the relevant regulatory authorities and comply with any reporting requirements or inquiries they may have. NIS2 strives to improve EU-wide communication and sharing of cyber events in order to better prepare answers and reactions. Communication has never been more important than now.

10. Define KPIs for cybersecurity and measures taken based on them

In order to measure the effectiveness of the cybersecurity, you need to define metrics that allow identifying and quantifying changes. Example of metrics are number of incidents, types of incidents,  how many trainings have been made, how many people were trained, how many pentests were made and how many issues were identified, and many more.

Next:

We will address the first topic: Perform a gap analysis.

​

​Read More 

The NIS 2 Directive is a set of cybersecurity guidelines and requirements established by the European Union (EU) . It replaces and repeals the NIS Directive (Directive 2016/1148/EC) . The full name of the directive is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)” .

The NIS 2 Directive aims to improve cybersecurity risk management and introduce reporting obligations across sectors such as energy, transport, health, and digital infrastructure . It provides legal measures to boost the overall level of cybersecurity in the EU .

The directive covers a larger share of the economy and society by including more sectors, which means that more entities are obliged to take measures to increase their level of cybersecurity .

The management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation, and can be held liable for infringements .

Who is affected?

The NIS 2 Directive significantly expands the sectors and type of critical entities falling under its scope.

As a ground rule, companies from certain areas that meet these conditions are affected:

Essential Entities (EE):

at least 250 employees and
50 Mil € revenue

Important Entities (IE):

at least 50 employees and
10 Mil € revenue

NIS 2 covers areas such as

Essential Entities:

energy (electricity, district heating and cooling, oil, gas and hydrogen);
transport (air, rail, water and road); banking;
financial market infrastructures;
health including  manufacture of pharmaceutical products including vaccines;
drinking water;
waste water;
digital infrastructure (internet exchange points; DNS service providers;
TLD name registries; cloud computing service providers;
data centre service providers;
content delivery networks;
trust service providers;
providers of  public electronic communications networks and publicly available electronic communications services);
ICT service management (managed service providers and managed security service providers), public administration and space.

Important Entities:

postal and courier services;
waste management;
chemicals;
food;
manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment;
digital providers (online market places, online search engines, and social networking service platforms) and research organisations.

Note:
An entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.

Deadlines

The Member States have until October 17, 2024, to adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply those measures from October 18, 2024 .

The benefits of the NIS 2 directive include creating the necessary cyber crisis management structure (CyCLONe), increasing the level of harmonization regarding security requirements and reporting obligations, encouraging Members States to introduce new areas of interest such as supply chain, vulnerability management, core internet, and cyber hygiene in their national cybersecurity strategies, bringing novel ideas such as peer reviews for enhancing collaboration and knowledge sharing amongst Member States .

In order to comply with the NIS 2 directive, entities will need to take measures to increase their level of cybersecurity. This may include following training for members of management bodies of essential and important entities as well as offering similar training to their employees on a regular basis .

How does the NIS 2 Directive differ from the previous directive?

Next

​

​Read More 

The NIS 2 Directive is a set of cybersecurity guidelines and requirements established by the European Union (EU) . It replaces and repeals the NIS Directive (Directive 2016/1148/EC) . The full name of the directive is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)” .

The NIS 2 Directive aims to improve cybersecurity risk management and introduce reporting obligations across sectors such as energy, transport, health, and digital infrastructure . It provides legal measures to boost the overall level of cybersecurity in the EU .

The directive covers a larger share of the economy and society by including more sectors, which means that more entities are obliged to take measures to increase their level of cybersecurity .

The management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation, and can be held liable for infringements .

Who is affected?

The NIS 2 Directive significantly expands the sectors and type of critical entities falling under its scope.

As a ground rule, companies from certain areas that meet these conditions are affected:

Essential Entities (EE):

at least 250 employees and
50 Mil € revenue

Important Entities (IE):

at least 50 employees and
10 Mil € revenue

NIS 2 covers areas such as

Essential Entities:

energy (electricity, district heating and cooling, oil, gas and hydrogen);
transport (air, rail, water and road); banking;
financial market infrastructures;
health including  manufacture of pharmaceutical products including vaccines;
drinking water;
waste water;
digital infrastructure (internet exchange points; DNS service providers;
TLD name registries; cloud computing service providers;
data centre service providers;
content delivery networks;
trust service providers;
providers of  public electronic communications networks and publicly available electronic communications services);
ICT service management (managed service providers and managed security service providers), public administration and space.

Important Entities:

postal and courier services;
waste management;
chemicals;
food;
manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment;
digital providers (online market places, online search engines, and social networking service platforms) and research organisations.

Note:
An entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.

Deadlines

The Member States have until October 17, 2024, to adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply those measures from October 18, 2024 .

The benefits of the NIS 2 directive include creating the necessary cyber crisis management structure (CyCLONe), increasing the level of harmonization regarding security requirements and reporting obligations, encouraging Members States to introduce new areas of interest such as supply chain, vulnerability management, core internet, and cyber hygiene in their national cybersecurity strategies, bringing novel ideas such as peer reviews for enhancing collaboration and knowledge sharing amongst Member States .

In order to comply with the NIS 2 directive, entities will need to take measures to increase their level of cybersecurity. This may include following training for members of management bodies of essential and important entities as well as offering similar training to their employees on a regular basis .

How does the NIS 2 Directive differ from the previous directive?

Next

​

​Read More