NIS-2 synergies with ISMS
Martin Průcha, 07. 10. 2024
The implementation of NIS2 into Czech legislation, in the form of a new law on cyber security, will take place by 18 October 2024. The binding application of the new legislative framework will come into effect in 2025. If you don’t know whether your company is subject to it, you can check here in a quick assessment test; if you already know that your company is not subject to it, feel free to skip it.
An Information Security Management System (ISMS) is a structured framework consisting of policies, processes, and technologies aimed at managing an organization’s sensitive data securely, and this framework will be vital for implementing NIS-2 correctly.
The ISO/IEC 27035 standard, part of the broader ISMS framework, focuses specifically on incident management. By combining ISO/IEC 27035 processes with NIS-2’s mandatory incident reporting requirements, organizations can enhance their capacity to handle incidents more effectively, reduce downtime, and meet legal reporting deadlines.
An ISMS also helps with meeting deadlines and staying on top of obligations, as it is designed for continuous improvement, encouraging regular audits, reviews, and updates to address new vulnerabilities and threats.
This aligns with NIS-2’s focus on adapting to the evolving cyber threat landscape. The cyclical nature of ISMS (Plan-Do-Check-Act) ensures that organizations do not remain static but constantly evolve their security posture. NIS-2 reinforces this by mandating periodic assessments and updates to security measures, ensuring that essential service providers are continuously prepared for new threats.
Where an ISMS falls somewhat short is in managing third-party risks, though this can be overcome. And it will need to be overcome, because NIS-2 broadens the scope of risk management to include cybersecurity obligations for key entities in the supply chain, reflecting the increasing interdependence of organizations. An ISMS can be tailored to address these third-party risks by including vendor risk management as part of its framework.
If you are uncertain whether to adopt an information security management system for your company, one last feature of NIS-2 may speak in its favor. NIS2 empowers national authorities to impose much harsher penalties for non-compliance, including fines of up to 10 million euros or 2% of global annual turnover. Authorities also have the power to issue binding instructions and temporarily suspend services. As such, investing in an ISMS might be a better use of money.
Author: Oldřich Příklenk
Picture: openai.com