How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regulations?
The EU has implemented a range of regulations aimed at strengthening its cybersecurity posture. In this context, the ISO/IEC 27001 standard offers a comprehensive framework for managing and safeguarding sensitive information, such as personal data.
The webinar covers a broad set of topics relevant to anyone navigating information security and compliance. Participants get a solid foundation in ISO/IEC 27001 through a quick review of its 2013 edition and its 2022 update. The webinar then provides an in-depth comparison between ISO/IEC 27001 and various legislative frameworks, illustrating the interplay between standards and laws, and offers insights into the evolving regulatory framework of EU cyber legislation. It also addresses the vital considerations and consequences for organizations striving to maintain compliance. With these constant changes in mind, the webinar concludes with strategies for staying ahead in the ever-changing circumstances of information security and compliance.
In the article below, the speakers, Peter Geelen and Jean-Luc Peeters, address some questions on the topic:
Question: Can you talk about the new Data Loss Protection control?
Answer: While data loss is a significant indicator of the impact of an incident, the NIS2 legislation does not specifically focus on data loss protection controls. Nonetheless, operators are expected to have a business continuity and disaster recovery plan to minimize the impact of cybersecurity issues on essential and critical services.
However, note that Article 31.3 requires that the (NIS) competent authority will work in close collaboration with the Data Privacy authority.
The ISO/IEC 27001 has an increased focus on data loss, but business continuity and disaster recovery have been in the ISO/IEC 27001 already for a while (previously Annex 17).
Question: What are customers in the scope of NIS?
Answer: If we take a look at NIS2 legislation Annex I and Annex II, there are sectors of High Criticality (Annex I) and the other critical sectors. Within those, we distinguish essential (more stringent oversight) and important entities. All those entities will need to comply with the NIS directive. The EU countries’ transpositions might add additional measures to comply with.
Question: Would National authority be a governmental entity like “GDPR authority control”?
Answer: Short answer: Yes, the approach is pretty similar. Articles 31 and 32 lay down the rules and mandate of the (to be created, appointed) supervisory authority. This goes from: onsite inspection, off-site supervision, audits (done on their own or by an independent body), requests for documentation and information, designation of a monitoring officer. This was not discussed in the webinar in detail, due to the time, but the NIS2 provides details on how the EU governments need to align cybersecurity and incident management.
Depending on the national organizations it can be handled by the central government but it does not need to be, as some countries have more complex political organizations and the central cybersecurity authority might be under the control of different departments for each country.
Question: How about the national and private CSIRT/CSOC for OES?
Answer: The NIS2 does cover the reporting obligations by CSIRT/CSOC for OES (Operators of Essential Services) or more correctly, under NIS2, Essential or Important entities.
The security guidelines laid down in NIS2 refer to the need to implement state-of-the-art measures to detect and respond to incidents. It does not actually oblige you to create a (private) CSIRT; the question remains whether you can actually implement state-of-the-art incident response without a formal (in- or out-sourced) structure.
The NIS2 Directive clearly obliges member states to create one or more CSIRTs, even under an existing competent authority. Detailed tasks and duties can be found in Article 11. CSIRTs’ tasks include monitoring and analyzing cyber threats for essential entities, providing early warnings, incident response, forensic data analysis, and proactive scanning to detect vulnerabilities.
They may prioritize tasks based on a risk-based approach and cooperate with other CSIRTs.
Question: What are the fundamental aspects on which we can rely on ISO/IEC 27001 to better comply with European regulations on cybersecurity?
Answer: Various components of the ISO/IEC 27001, if not all, need to be implemented in one way or another to comply with NIS2.
For example, but not limited to:
- Company context definition, knowing if you are in an impacted sector
- Management support
- Risk management
- Information security policies
- Incident response
- Business continuity and disaster recovery
- Awareness and training, including training of management
- Supply chain security
- Legal and compliance
- Threat intelligence
Question: If the scope of ISMS is now given minimal boundaries for organizations under NIS2 – will the IMS2 from PECB change to encompass this more explicitly or will the training include more on defining the necessary boundaries for the ISMS?
Answer: The IMS2 approach will not change, as it can perfectly cover the NIS2 requirements for ISMS (ISO/IEC 27001).
The answer to this question is in the new NIS2 course that will be launched with the PECB Insights Conference 2023. There is a Pre-Conference track that will cover the NIS2 and how you can use the IMS2 to fulfill the NIS2 requirements with ISMS.
Question: Is it correct that the EU does not treat the Defense sector as either important or essential?
Answer: Firstly, it must be noted that some of the sectors are “out-of-scope” for direct application by the NIS2 because some important sectors are covered by other legislations or regulations that are superseding NIS2.
Article 2 (Scope): “7. This Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defense or law enforcement, including the prevention, investigation, detection, and prosecution of criminal offenses.”
Within NIS/NIS2 the answer is two-fold:
- As essential operator
- As supplier to essential operators (in defense)
Therefore, you will not be considered within NIS2; however, there is other legislation superseding NIS2. The defense sector has its own set of regulations and laws in each member state; there is no direct reference to this sector in NIS2. However, keep in mind that you might be part of a supply chain that in the end delivers services to an important or essential entity. And you can expect even more stringent expectations from this legislation in defense.
Question: How to know if those directives are applicable to our organization?
Answer: The easy answer is: you are expected to know the law. First of all, you can check the sectors covered in the NIS, NIS2, and CER and see if your organization belongs to these sectors mentioned in Annex I and II.
Secondly, there are certain activities and sectors nominated by the national government.
Therefore, you had better follow the course of national implementation of the NIS2 by the various countries. As the NIS2 is a directive, national legislation is required for implementation by October 2024. A central point of view will be ENISA, which offers an overview of the various national legislations.
Question: There is no data protection without cybersecurity! Does this statement suggest or imply that whatever measures are taken in protecting data are a non-starter if they have not covered elements of cybersecurity? Does this statement hold even in instances where systems are not fully web-based?
Answer: Web-based is slightly different than “Internet-connected”: cybersecurity is pointing at systems and operations that are connected to the Internet, not necessarily web-based. However, certainly, if your system is disconnected from the Internet, it will be a lot easier to protect it from cyber-attacks. Nonetheless, one needs to be aware that there are well-known cases of “air-gapped” systems that have been attacked via intermediate systems or devices. With that in mind, the short answer is yes, you need to cover cybersecurity in your data protection, as we all live in an Internet-connected era.
Question: Are logistic companies and semiconductor companies subjected to NIS2, despite their size and revenue?
Answer: NIS2 Annex II, topic 5 covers manufacturing. And within Chapter 5, part (b) covers “Manufacture of computer, electronic and optical products”.
Question: In summary, can we say that: DORA is the regulation on Operational Resilience for Financial institutions and IT 3rd parties, while NIS2 is the equivalent, for other sectors (industries, energy, etc.)?
Answer: Yes.
Question: When does NIS2 start?
Answer: It has been activated already. Voted in December 2022, published 27.12.2022, and activated 20 days later, in January 2023. EU governments are expected to have implementing acts by October 2024.
Question: Would it make sense to integrate NIS into your ISMS implementation and certification?
Answer: Yes, certainly. All areas covered by NIS2 are covered and can be covered by the current ISO/IEC 27001.
Question: Can you use it as a method to report compliance with NIS?
Answer: Yes, certain countries already have accepted ISO/IEC 27001 certification as an equivalent and valid proof of compliance for the NIS implementation. NIS2 implementation is still in progress, with the deadline in October 2024, and more news is to come on the various national implementations of the NIS2 legislation.