An effective information security management system (ISMS) helps you to comply with the NIS2 Directive

Article by Peter Hellström, Head of Cyber Security Management Consulting, Nixu, a DNV company.

• EU's NIS2 directive enhances cyber security with broader scope, stricter rules, and increased accountability.
• Prepare for NIS2 compliance by building an ISMS.
• An ISMS ensures resilience through a structured way of working and addressing awareness, downtime preparation, benefiting risk management and business continuity, ultimately bringing you closer to becoming and staying compliant.

To increase cyber resilience, the EU is launching a new directive NIS2 (Network and Information System Security). In addition to setting tighter sanctions and stricter requirements, the directive will require company-wide attention and awareness on cyber security, as well as a systematic way to meet all the requirements.

Here we will give you some advice on how to start getting NIS2 ready with the help of an ISMS.

The NIS2 directive in a nutshell

The NIS2 directive is a European Union legislation on cyber security, replacing the first NIS directive, adopted in 2016. The implementation is expected in January 2023 and the member states will then have approximately two years to convert the directive into national law.

What will change? Quite a lot. The NIS2 directive strengthens cyber security requirements in the EU by:

• expanding its scope to new sectors
• companies are expected to assume responsibility for their entire supply-chain
• introducing monitoring and incident reporting obligations
• setting stricter implementation requirements
• adding top management accountability
• harmonizing and tightening sanctions

For many CISOs NIS2 is an opportunity to strengthen their position from an advisor to an ambassador and leader on the decisions and actions to be taken, both on technical and business issues.

Key steps to getting started with NIS2

The enforcement of NIS2 is scheduled for October 2024. To be able to be compliant, we advise you to start working on compliance now, as the work will take some time. Here are the three key steps to take:

1. Determine if you are affected by NIS2.
2. Make a gap analysis.
3. Start implementing an Information Security Management System (ISMS).

Before anything else, it is essential to know if you are affected by NIS2. Are you a large company and an Essential Entity (EE) or an Important Entity (IE)? Even if you’re not, you might be subject to NIS2, nonetheless. And even if you’re a small or medium size company, you might want to start acting now, as the next round with a wider scope will be there. You also might be, or might want to become a subcontractor to a company that is affected, and most likely will require readiness from you, too.

The next step is to make a cyber security gap analysis to help you determine the difference in the current state of your information security and identify how far away you are from standards, such as ISO 27001. This also includes investigating status for your supply-chain security and the supplier agreements. Conducting a gap analysis will not only give you a tool to communicate your budget needs but also guide you on actions, priorities, and support you in creating a roadmap for improving compliance. Performing a periodical follow-up assessment will allow you to monitor your maturity progress.

Having an Information Security Management System (ISMS) helps you to maintain compliance and reduce cyber security risks by structuring your cyber security management with a systemic approach.

An ISMS helps you become and stay compliant with NIS2

It’s worth noting that an ISMS is not a digital system nor a policy document. Another point to make is that many companies have, or at least think they have, developed some kind of management system. But a common problem is these systems remain once-off projects that are not actively maintained.

Does this mean you need to be certified by standards such as ISO27001? Not necessarily. But you should at a minimum implement the key elements these frameworks have in common to show a continuous effort and improvement of your cyber security posture. However, certification by nature forces you to stay on the top of your game as otherwise you’ll lose it.

A good ISMS creates company-wide awareness about the implications of cyber security risks. It’s about management processes, risk management, and crisis management. It includes all legal, physical, and technical controls involved in an organisation’s information risk management processes. It helps you to put a monetary value to all identified risks. A good ISMS helps you to communicate cyber security issues and funding with top management as you get access to data that speaks for itself.

A good ISMS enables you to learn and adapt. This is necessary as crocks keep changing their modus operandi constantly. If you can’t keep up with that, you will be attacked and you will be breached, sooner or later. You need an ISMS to learn both from attacks and dealing with consequences.

A good ISMS makes sure everything is proactively in place should your business face a situation where all digital systems go down. What do you do during the recovery time that might be days or even weeks? How do you make sure all key stakeholders know the actions, roles, and responsibilities?

A NIS2-compliant ISMS sets requirements also for your cyber security partners. They need to understand all aspects of cyber security, laws and regulations concerning you, and your business. In addition to technical expertise, they need to have experience in risk management, business continuity, and crisis management. They need to be able to help you build an organisation with the necessary internal capabilities.

DNV has created one of Europe’s fastest growing cyber security services businesses by merging DNV’s existing cyber security business with two recently acquired companies – Nixu and Applied Risk. The merger brings together more than 500 cyber security experts to safeguard demanding IT and industrial control system environments across multiple industries.