NIS2 measures and duties checklist

Last updated: 2024-11-07

NIS2 outlines essential appropriate and proportionate technical and organizational measures that organizations have to take. The following list of ten essential NIS2 measures and duties ensures the minimum requirements to be covered.  

  1. Asset management
  2. Risk management
  3. Data and information security
  4. Employee management
  5. IT governance
  6. Managing suppliers and IT services
  7. Incident handling and reporting
  8. Business continuity
  9. Security policies
  10. Implement measures and continuously improve

1. Asset management

Asset management is in place if you have described your assets (data, software, hardware, infrastructure and purchased services) and if you know their interdependencies and sources of risk.

  • Key data (Primary Assets) are identified and documented
  • Support assets are known, identified, and described. Critical systems are known, identified, and described
  • Dependencies of primary assets on IT infrastructure (software, hardware, and services) are described

2. Risk management

Risk management is in place when the following points are met

  • Critical risks are known, described, and managed
  • Key threats are known, described, and managed
  • Vulnerabilities are known, described, and managed
  • Risks are prioritized, assessed, and managed
  • Risks are assessed and actions are planned
  • The risk management system works in relation to assets

3. Data and information security

You have mastered the processes for people and technology to access and manage information and data permissions when the following points are met:

  • Information and data sharing outside the company are controlled
  • Employees with access to information are screened
  • Onboarding is controlled
  • Authorization for job changes is under control
  • Changes to authorizations during employment are controlled
  • Employee exit process is under control
  • Privileged users, accounts, and administrators and accounts are under control

4. Employee management

Employee awareness and training is in place when the following points are met:

  • Onboarding training is in place
  • Regular training and coaching are in place
  • Training processes are planned and documented
  • Training includes knowledge of information literacy, information, and cyber security risks
  • Employees are regularly and continuously informed about internal regulations and news

5. IT governance

IT infrastructure security is in place and managed when the following points are met:

  • Regular scheduled maintenance of software, hardware, and other IT infrastructure (support assets) is in place
  • Preventive protection against external attacks is in place
  • Preventive protection against attacks from within the company is in place
  • Preventive protection against attacks from mail is in place
  • Data backup is in place
  • Data recovery is in place
  • Adequate data protection (cryptography, encryption) is in place
  • IT decommissioning processes are under control

6. Vendor management, managing suppliers and purchased services  

Purchased IT services are managed when the following measures are in place:

  • Critical services provided by suppliers are known, identified, and described
  • Service suppliers are identified and documented
  • IT service suppliers are under control
  • Maintenance suppliers are under control
  • Contracts with IT service providers are under control
  • Cleaning contractors are under control
  • Contracts with suppliers contain the necessary provisions for the security and protection of information and the termination of services

7. Incident handling and reporting 

Incident management is in place when the following points are met.

  • Security incidents are detected
  • Incident response processes are in place
  • Incidents are tracked and documented
  • An incident reporting system is in place

8. Business continuity

Business continuity is in place when the following points are met:

  • Protection prevention processes (backup, training, independence from individuals) are defined and in place 
  • Disaster recovery processes are defined and implemented

9. Security policies

Security policies are in place when the following points are met:

  • Security policies are documented, communicated, and evaluated
  • An incident-handling policy is in place
  • There is a policy for handling information, passwords, and assigning permissions
  • There is a policy for the maintenance of the IT infrastructure
  • There is a service provider control policy

10. Implementation of measures and their continuous reassessment

Regular evaluation of the effectiveness of the measures in place through controls, audits, and continuous improvement is in place when the following points are met:

  • Regular monitoring and auditing of measures is in place
  • Audits and controls are documented and findings are put into practice
  • Audit findings are used to improve the information security management system