This post is written for the practitioners out there who already want to start forming an overview of what NIS2 will concretely mean once NIS2 is, as expected, finally adopted this year, and what to take hold of in order to bring method to the task.
As is well known, the most important requirements on entities in NIS2 sit in Article 18(2). We have therefore illustrated the Article 18(2) requirements through the relevant standards.
And it should be added that NIS2 itself states the following in Article 22(1):
“In order to promote the convergent implementation of Article 18(1) and (2), Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.”
Inspired by Article 22(1), we have thus set about finding standards for each requirement in Article 18(2). See immediately below. Note, however, that the list is not exhaustive, and there may be variations from country to country.
It should also be noted that the Danish authorities, in consultation with the EU institutions, are to provide more concrete guidance on implementation, so what follows is only a preliminary illustration of the NIS2 requirements. But, as mentioned, the guidance effort is expected to consist of translating the relevant standards into practice, so our guess is that the list below will form the basis of the guidance documents that flow from NIS2.
And last but not least: the mapping has been done against the new 2022 version of ISO27002, and if you need either an implementation of it or an update from the 2013 version, you are welcome to contact Jacob Georg Naur.
Art. 18(2)(a): risk analysis and information system security policies
ISO27002:2022 5.1 Policies for Information Security
ISO27001:2017 Clause 5.2 (Policy), Clause 6.1 (Actions to address risks and opportunities), more specifically perhaps Clause 6.1.2 (Information security risk assessment) and Clause 6.1.3 (Information security risk treatment)
NIST SP 800-53r5: this does not as such contain an overarching policy requirement; it sits in the individual controls, e.g. AC-1 Policy and Procedures (AC being Access Control)
Art. 18(2)(b): incident handling
ISO27002:2022 5.24 Information security incident management planning and preparation
ISO27002:2022 5.25 Assessment and decision on information security events
ISO27002:2022 5.26 Response to information security incidents
ISO27002:2022 5.27 Learning from information security incidents
ISO27002:2022 5.28 Collection of evidence
ISO27002:2022 6.8 Information security event reporting
Art. 18(2)(c): business continuity, such as backup management and disaster recovery, and crisis management
ISO27002:2022 5.24 Information security during disruption
ISO27002:2022 5.30 ICT readiness for business continuity
NIST SP800-53 rev 5.1 Contingency Planning
Art. 18(2)(d): supply chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
NIST SP 800-53r5: this has an entire family dedicated to the subject, Supply Chain Risk Management (the SR controls)
ISO27002:2022 5.19 Information security in supplier relationships
ISO27002:2022 5.20 Addressing information security within supplier agreements
ISO27002:2022 5.21 Managing information security in the ICT supply chain
ISO27002:2022 5.22 Monitoring, review and change management of supplier services
ISO27002:2022 5.23 Information security for use of cloud services
Art. 18(2)(e): security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
ISO27002:2022 5.7 Threat intelligence
ISO27002:2022 8.20 Networks security
ISO27002:2022 8.21 Security of network services
ISO27002:2022 8.25 Secure development life cycle
ISO27002:2022 8.26 Application security requirements
ISO27002:2022 8.27 Secure system architecture and engineering principles
ISO27002:2022 8.28 Secure coding
ISO27002:2022 8.29 Security testing in development and acceptance
ISO27002:2022 8.31 Separation of development, test and production environments
Art. 18(2)(f): policies and procedures to assess the effectiveness of cybersecurity risk management measures
ISO27001:2017 Clause 9.1 Monitoring, measurement, analysis and evaluation
Art. 18(2)(fa): basic computer hygiene practices and cybersecurity training;
Cyber Essentials: the UK Cyber Essentials scheme
(https://www.ncsc.gov.uk/cyberessentials/overview)
ISO27002:2022 6.3 Information security awareness, education, and training
Art. 18(2)(g): policies and procedures regarding the use of cryptography and, where appropriate, encryption
ISO27002:2022 8.24 Use of cryptography
Art. 18(2)(ga): human resources security, access control policies and asset management;
ISO27002:2022 6.x People controls (the HR area)
ISO27002:2022 5.1 Policies for information security (topic-specific policies, here the access control policy)
ISO27002:2022 5.15 Access control
ISO27002:2022 5.9 Inventory of information and associated assets
ISO27002:2022 5.10 Acceptable use of information and associated assets
ISO27002:2022 5.11 Return of assets
Art. 18(2)(gb): the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communications systems within the entity, where appropriate.
ISO27002:2022 5.15 Access control (your policy for access to data may require MFA or other forms of secure identification/authentication, including continuous authentication, i.e. not only at login but throughout the whole session)
ISO27002:2022 5.30 ICT readiness for business continuity