5 essential steps to ensure NIS2 compliance

By Gry Josefine Løvgren, April 17, 2024

NIS2 is here, bringing new requirements for information security professionals across Europe. Get off to a strong start with this checklist that ensures a robust approach to implementing NIS2 and enhancing cybersecurity in your organisation.

You're in the midst of preparing for tomorrow's presentation when suddenly your screen goes black and a skull and crossbones appears. You frantically tap your keyboard, but nothing happens. Before long, you hear the same frantic typing from your colleague's desk, and it quickly dawns on you: your organisation has fallen victim to a cyberattack.

This is a scenario that no organisation wants to face.

This is especially true for companies that provide critical infrastructure to the public, supplying clean drinking water, life-saving medicine, heating for our homes, and other essentials.

The number, scale, sophistication, frequency, and impact of cyberattacks are increasing, posing a significant threat to the functionality of networks and information systems.

This is how the NIS2 directive describes the current situation. 

As the person responsible for information security, it may feel as though a significant part of the responsibility for navigating these challenges rests on your shoulders. However, to meet the requirements of NIS2 and safeguard against threats, a collaborative effort must be initiated across the entire organisation.

So, take heart. We provide you with the key steps to consider, ensuring a robust and sustainable defence in accordance with NIS2.

Step 1: Overview, Overview, Overview

The very first step is, of course, to determine whether you are affected by the directive and, if so, to what extent. Once that is clear, the next step is to gain a comprehensive overview.

If you are already working with information security at a mature level and using a recognised framework like ISO 27001, you can relax a little, as you will already be well on your way to meeting the NIS2 requirements. Create an overview of which existing measures need to be adjusted and identify which requirements are entirely new and must be implemented from scratch.

If you are not currently working systematically with information security, it may be a good idea to conduct a gap analysis to clarify where efforts need to be focused. This can be done in-house, or you can reach out to one of our product specialists, who is ready to help you create an overview.

Step 2: Involve management

Engage with management and inform them that they should familiarise themselves with terms like ISO 27000, ransomware, and firewalls.

It is the senior management that is responsible for ensuring the organisation complies with NIS2 requirements, and the directive places significant demands on leadership commitment and their understanding of risk management. In the event of non-compliance, leaders could face a personal fine of at least 1.4% of annual turnover for important businesses and at least 2% for essential businesses. In other words, involve them early, educate them, and ensure that you are allocated the resources you need.

Step 3: Conduct risk assessments and contingency plans

Once you have gained an overview of which measures you need to work on, it’s time to create thorough risk assessments and contingency plans. Clarify how risks can be mitigated and develop contingency plans that can be activated in the event of a serious incident—such as a cyberattack. Prepare for how to respond if a crisis arises. Both tasks can be effectively managed using a GRC or ISMS system like Wired Relations.

Step 4: Manage the supply chain

"Entities (companies) must consider vulnerabilities specific to each supplier and service provider, as well as the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development processes."

It’s no secret that supply chain security is a central concern in NIS2. NIS2 is a societal-level exercise: protecting only your own organisation is not enough. Even if you feel you have strong agreements with your suppliers, it may be prudent to revisit those agreements to ensure they also meet NIS2 standards.

Step 5: Implement controls

Perhaps the frequency of your backups needs to be increased, or you need to test how quickly you can restore your systems. You can stay ahead of potential issues by verifying that the initiatives and procedures you have established are effective in practice.
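The restore test mentioned above is the kind of control that is easy to describe and rarely rehearsed. As an added example (this script is not from the post or from Wired Relations), the POSIX shell drill below backs up a constructed sample dataset, records a SHA-256 manifest at backup time, restores into a fresh directory, times the restore against a recovery-time objective passed in as seconds, and then deliberately corrupts one restored file to prove that the verification step actually catches it. The sample data, the tar.gz backup format and the 60 second RTO are all assumptions for the example; in practice you would call your real backup tool in `take_backup` and `restore_backup`.

```shell
#!/bin/sh
# Backup-restore drill for NIS2 Step 5 (added example; not Wired Relations code).
# Assumptions, all constructed for this example: the "live" data is a tiny
# generated tree, the backup is a tar.gz archive, and the recovery-time
# objective (RTO) is passed in as seconds. Swap in your real backup tool.
set -u

# sha256_cmd: use GNU coreutils sha256sum, falling back to Perl shasum (macOS).
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# make_sample_data DIR: create the constructed dataset that the drill protects.
make_sample_data() {
  mkdir -p "$1/db" "$1/config"
  printf 'customer,balance\nacme,100\n' > "$1/db/accounts.csv"
  printf 'listen=127.0.0.1\nlog_level=info\n' > "$1/config/app.conf"
}

# take_backup SRC ARCHIVE MANIFEST: archive SRC and write a SHA-256 manifest of
# every file at backup time; the manifest is what a later restore is judged against.
take_backup() {
  ( cd "$1" && find . -type f | sort | while read -r f; do sha256_cmd "$f"; done ) > "$3"
  tar -czf "$2" -C "$1" .
}

# restore_backup ARCHIVE DEST: extract the archive into a fresh directory.
restore_backup() {
  mkdir -p "$2"
  tar -xzf "$1" -C "$2"
}

# verify_restore DEST MANIFEST: succeed only if every restored file matches the
# hash recorded at backup time (MANIFEST must be an absolute path).
verify_restore() {
  ( cd "$1" && sha256_cmd -c --status "$2" )
}

# run_drill RTO_SECONDS: back up, restore, verify, and time the restore.
# Returns 0 only if the restore is byte-for-byte correct AND within the RTO.
run_drill() {
  rto=$1
  work=$(mktemp -d)
  make_sample_data "$work/live"
  take_backup "$work/live" "$work/backup.tgz" "$work/manifest.sha256"
  start=$(date +%s)
  restore_backup "$work/backup.tgz" "$work/restore"
  elapsed=$(( $(date +%s) - start ))
  if ! verify_restore "$work/restore" "$work/manifest.sha256"; then
    rm -rf "$work"; echo "restore FAILED integrity check" >&2; return 1
  fi
  rm -rf "$work"
  echo "restore took ${elapsed}s (RTO ${rto}s)"
  [ "$elapsed" -le "$rto" ]
}

# drill_detects_tampering: prove the check is not a rubber stamp by altering one
# restored file and confirming that verification rejects it. Returns 0 on success.
drill_detects_tampering() {
  work=$(mktemp -d)
  make_sample_data "$work/live"
  take_backup "$work/live" "$work/backup.tgz" "$work/manifest.sha256"
  restore_backup "$work/backup.tgz" "$work/restore"
  printf 'acme,999\n' >> "$work/restore/db/accounts.csv"   # simulated silent corruption
  if verify_restore "$work/restore" "$work/manifest.sha256"; then
    rm -rf "$work"; return 1    # corruption went unnoticed: the control is broken
  fi
  rm -rf "$work"
  return 0
}

# Stand-alone run with a 60 second RTO target (a constructed figure).
main() {
  run_drill 60 && drill_detects_tampering && echo "drill PASSED"
}
main
```

Two design points carry over to a real environment: the integrity manifest is captured when the backup is taken, not when it is restored, so a restore that silently drops or alters a file is caught rather than hashed into acceptance; and the negative test in `drill_detects_tampering` belongs in the drill itself, because a verification step that cannot fail tells you nothing about whether the procedure is effective in practice.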

Ready to take the next step towards NIS2 compliance?

Discover how Wired Relations can assist you in implementing NIS2 by reading our blog post, “Building a Strong NIS2 Programme with Wired Relations.” For a more tailored experience, schedule a demo with one of our specialists and receive a complimentary gap analysis to pinpoint key areas that need to be focused on.

Book your personalised demo here