Chronicle NIS V2 - Episode 3
Introduction
How can companies comply with the NIS V2 directive when some national cybersecurity authorities have yet to publish their specific requirements?
October 17, 2024, marks a pivotal moment for European companies, with the entry into force of the NIS V2 directive. This directive imposes increased cybersecurity requirements, particularly for companies in critical sectors. However, it has been noted that some national cybersecurity authorities may publish their specific NIS V2 requirements later.
This raises a crucial question for companies: should they wait for these guidelines before starting their compliance efforts? The answer is no!
The NIS V2 directive applies now, and companies should not wait. In this article, we provide a mapping based on the NIS V2 requirements and ISO 27001/27002 standards, offering an initial approach to structuring compliance while anticipating measures that might be introduced by national authorities.
This document will be updated once the official guidelines are available, but it is already robust enough to be used right away.
How can companies leverage existing practices to proactively comply?
For companies already aligned with or relying on ISO 27001/27002 standards, compliance with NIS V2 is simplified. It is not a disruption but a logical continuation. The mapping presented here shows how ISO requirements overlap with those of NIS V2, emphasizing the specific areas where NIS V2 goes further or introduces new elements.
It is possible to rely on these existing practices right away, without waiting for potential guidelines from the competent authorities. By using this document as a working base, companies can structure their compliance efforts based on what is already outlined in the NIS V2 directive. Therefore, it is essential to start compliance now, without waiting for future guidelines.
Summary table: leveraging the mapping between ISO 27001:2022 and NIS V2
Detailed analysis of the mapping between ISO 27001:2022 and NIS V2
Organization and security responsibilities
In the context of ISO 27001, roles and responsibilities in terms of security are clearly defined, including the segregation of duties, contacts with authorities, and specific interest groups. NIS V2 does not fundamentally change this approach but places greater emphasis on the explicit need to define cybersecurity responsibilities. This aspect is critical in the directive because a lack of clarity in these roles can lead to organizational weaknesses.
Specific NIS V2 Element: N/A. No additional requirements are specified compared to ISO standards.
Security policies
Security policies must be formalized within companies, as required by ISO 27001. NIS V2 does not add new requirements but emphasizes the need to adapt security policies to the specific risks of the company. In other words, it's not just about having a standard security policy but tailoring it based on the actual threats the company faces.
Specific NIS V2 Element: N/A. No additional requirements are specified compared to ISO standards.
Risk management planning
Risk management is a core pillar of both ISO and NIS V2, and the risk management process is fundamental in both frameworks. However, NIS V2 emphasizes regular validation and documentation by management, with continuous involvement in risk monitoring.
Specific NIS V2 Element: N/A. No additional requirements are specified compared to ISO standards.
Assessment, validation, and monitoring of risk treatment plans
ISO standards already emphasize the need to assess and monitor risks, but NIS V2 requires formal approval by management of identified risks and the measures to mitigate them. This validation reinforces the idea that risk management should not be solely delegated to technical teams but should be addressed at the highest level.
Specific NIS V2 Element: N/A. No additional requirements are specified compared to ISO standards.
Security reviews and performance monitoring
The performance monitoring of security measures is covered by audits and reviews in ISO standards. NIS V2 follows this approach but emphasizes that management itself must own risk management. Once again, the directive stresses the responsibility of management in continuous monitoring and corrective actions.
Specific NIS V2 Element: N/A. No additional requirements are specified compared to ISO standards.
Human resources security
Cybersecurity awareness is well-covered in ISO 27001 and ISO 27002, but NIS V2 particularly emphasizes the inclusion of management in these training sessions. The directive assumes that awareness should be carried out at all levels of the organization, including the top.
Specific NIS V2 Element: Awareness of management. Training should be adapted to their level of responsibility, especially regarding risk management.
Security in design, development, and maintenance activities
ISO thoroughly addresses security management in the development cycle, including vulnerability management and logging. NIS V2 does not add further requirements in this area; it merely applies the ISO principles.
Specific NIS V2 Element: N/A. No additional requirements are specified compared to ISO standards.
Access control
Access control is covered by both ISO standards with comprehensive requirements on access rights, authentication, and identity management. NIS V2, however, introduces a clear requirement: the mandatory use of multi-factor authentication (MFA) for critical systems.
Specific NIS V2 Element: Mandatory MFA. This requirement is reinforced in NIS V2, with an explicit obligation to implement MFA for the most sensitive systems.
Incident management and threat monitoring
Once again, ISO and NIS V2 align in many ways, but NIS V2 introduces an obligation to notify incidents to the local control authority within 24 hours (early warning) and 72 hours (complete notification). This requirement is specific to NIS V2 and does not exist in ISO.
Specific NIS V2 Element: Notification to the local control authority within 24 to 72 hours. This level of responsiveness is crucial for preventing and mitigating the impacts of incidents.
Business continuity and disaster recovery plans
ISO standards already impose business continuity and disaster recovery plans. NIS V2 does not change these requirements but ensures that these plans are adapted to current threats.
Specific NIS V2 Element: N/A. No additional element is explicitly mentioned in NIS V2.
Management of information assets
The management of information assets is a fundamental element of the ISO 27001 standard. ISO 27001 and ISO 27002 require companies to identify, classify, and protect all their information assets, whether they are data, software, hardware, or associated services. This involves establishing a detailed and regularly updated inventory, allowing for the assessment of each asset's value and the determination of appropriate protection measures.
NIS V2 does not modify this approach but reinforces the importance of protecting critical assets. The directive emphasizes the need to identify assets essential to the functioning of critical services and to ensure they are adequately protected against current threats.
Specific NIS V2 Element: N/A. No additional element is explicitly mentioned in NIS V2.
Compliance with regulations and contracts
The ISO 27001 standard emphasizes compliance with legal, regulatory, and contractual requirements in information security. Companies must identify applicable laws and regulations, ensure their compliance, and maintain appropriate documentation. This also includes respecting contractual obligations towards clients, partners, and suppliers.
NIS V2 reinforces this requirement by obliging companies in critical sectors to comply with specific cybersecurity obligations, notably incident notification and cooperation with competent authorities. However, the directive does not add new requirements compared to existing ISO standards.
Specific NIS V2 Element: N/A. No additional element is explicitly mentioned in NIS V2.
Managing supply chain security
Supply chain security is extensively covered by ISO 27001 and ISO 27002 standards, which require companies to assess and manage risks associated with suppliers and partners. This includes implementing specific contractual clauses, continuous monitoring of suppliers' services, and integrating security requirements into procurement processes.
NIS V2 also emphasizes the management of risks related to the supply chain, particularly for critical partners. The directive encourages companies to proactively monitor key suppliers to ensure they meet the necessary security requirements. However, it does not specify additional requirements compared to the ISO standards.
Specific NIS V2 Element: N/A. No additional element is explicitly mentioned in NIS V2.
How does Eunoia Security Hub facilitate compliance with NIS V2?
Eunoia Security Hub is the ideal solution to help companies comply with the most demanding cybersecurity frameworks, including NIS V2. By integrating the requirements of NIS V2, our solution allows organizations to precisely track the specifics of this directive, while leveraging existing best practices in information security management.
Conclusion
The mapping between ISO 27001/27002 standards and NIS V2 shows that the directive largely aligns with the recognized best practices in security management. However, NIS V2 introduces specific elements, particularly regarding responsibilities, management involvement, and incident notification. For companies already engaged in an ISO process, compliance with NIS V2 is therefore simplified, but there are key areas to focus on, notably management involvement and incident notification.
While awaiting the specific requirements from competent authorities, which may introduce additional measures, companies can already begin preparing with this mapping. It is crucial not to wait for these guidelines to take action.