NIS2 requires organizations to take appropriate and proportionate technical and organizational measures. The following list of ten essential NIS2 measures and duties covers the minimum requirements that have to be met.
- Risk management
- Security policies
- Data and information security
- Basic information security processes
- IT infrastructure security
- IT service providers
- Employee awareness and training
- Incident management and reporting
- Business continuity of operation
- Auditing and improving the system
1. Risk management and analysis
Risk management is in place when the following points are met:
- Information assets are known, identified and described
- Critical processes are known, identified and described
- Critical services are known, identified and described
- Vulnerabilities and threats are managed
- Risks are identified
- Risks are prioritized, evaluated and mitigated
- Measures are defined
2. Security policies
Security policies are in place when the following points are met:
- Security policies are documented, communicated and assessed
- Incident handling policies exist
- Information handling policies exist
- IT infrastructure maintenance policies exist
- Service provider and vendor management policies exist
3. Data and information security
Appropriate and proportionate technical and organizational measures for data and information security are in place when the following points are met:
- Key company data and information are identified and documented
- Data acquisition and maintenance processes are described
- Processes, methods, and techniques of data and information protection are described
- Data protection is in place (cryptography, encryption, backup, recovery)
4. Basic processes of information security
The basic processes of information security in a company work when the following processes are in place:
- Assigning authorizations during onboarding is under control
- Authorization changes during employment are under control
- Removal of authorizations (offboarding) is under control
- Assignments, changes, and removals are documented
5. Security of software and IT infrastructure
IT infrastructure security is in place and managed when the following points are met:
- Critical IT infrastructure (software, applications, physical IT infrastructure) is identified and documented
- User authentication and authorization is under control
- Application, software and IT infrastructure administration is under control
- Access logging is implemented
- Regular scheduled maintenance is in place
6. IT Service providers
Supply chain security for IT service providers is in place when the following points are met:
- Critical IT services provided by suppliers are known, identified, and described
- Service suppliers are identified and documented
7. Employee awareness and training
Both initial and regular security training processes are in place when the following points are met:
- Employee initial training during onboarding is in place
- Regular training and education are in place
- Training processes are documented
8. Security incident management
Incident management is in place when the following points are met:
- Security incidents are detected
- Incident response processes are in place
- Incidents are tracked and documented
- An incident reporting system is in place
9. Business continuity and crisis management
Business continuity of operation is established when the following points are met:
- Protection and prevention processes are defined and implemented (backup, training, independence from individuals)
- Disaster recovery processes are defined and implemented
10. Auditing and continuous improvement
Regular controls, audits and improvements are implemented when the following points are met:
- Regular controls and audits of the measures are carried out
- Audits are documented
- The outputs from the audits are used to improve the information security management system