NIS2 measures and duties checklist

Last updated: 2023-05-25

NIS2 requires organizations to take appropriate and proportionate technical and organizational measures. The following list of ten essential NIS2 measures and duties covers the minimum requirements that an organization has to meet.

  1. Risk management
  2. Security policies
  3. Data and information security
  4. Basic safety management processes
  5. IT infrastructure security
  6. IT service providers
  7. Employee awareness and training
  8. Incident management and reporting
  9. Business continuity of operation
  10. Auditing and improving the system

1. Risk management and analysis

Risk management is in place when the following points are met:

  • Information assets are known, identified and described
  • Critical processes are known, identified and described
  • Critical services are known, identified and described
  • Vulnerabilities and threats are managed
  • Risks are identified
  • Risks are prioritized, evaluated and mitigated
  • Measures are defined

2. Security policies

Security policies are in place when the following points are met:

  • Security policies are documented, communicated and assessed
  • Incident handling policies exist
  • Information handling policies exist
  • IT infrastructure maintenance policies exist
  • Service provider and vendor management policies exist

3. Data and information security

Appropriate and proportionate technical and organizational measures for data and information security are in place when the following points are met:

  • Key company data and information are identified and documented
  • Data acquisition and maintenance processes are described
  • Processes, methods, and techniques of data and information protection are described
  • Data protection is in place (cryptography, encryption, backup, recovery)

4. Basic processes of information security

The basic processes of information security in a company work when the following processes are in place:

  • Assigning authorizations during onboarding is under control
  • Authorization changes during employment are under control
  • Removal of authorizations (offboarding) is under control
  • Assignments, changes, and removals are documented

5. Security of software and IT infrastructure

IT infrastructure security is in place and managed when the following points are met:

  • Critical IT infrastructure (software, applications, physical IT infrastructure) is identified and documented
  • User authentication and authorization is under control
  • Application, software and IT infrastructure administration is under control
  • Access logging is implemented
  • Regular scheduled maintenance is in place

6. IT service providers

Supply chain security risks of service providers are managed when the following points are met:

  • Critical IT services provided by suppliers are known, identified, and described
  • Service suppliers are identified and documented

7. Employee awareness and training

Both initial and regular security training processes are in place when the following points are met:

  • Employee initial training during onboarding is in place
  • Regular training and education is in place
  • Training processes are documented

8. Security incident management

Incident management is in place when the following points are met:

  • Security incidents are detected
  • Incident response processes are in place
  • Incidents are tracked and documented
  • An incident reporting system is in place

9. Business continuity and crisis management

Business continuity of operation is established when the following points are met:

  • Protection and prevention processes are defined and implemented (backup, training, independence from individuals)
  • Disaster recovery processes are defined and implemented

10. Auditing and continuous improvement

Regular control, audits and improvement are implemented when the following points are met:

  • Regular control and auditing of measures is in place
  • Audits are documented
  • The outputs from the audits are used to improve the information security management system