The NIS2 directive is the EU's latest cybersecurity legislation. This checklist will help you get started with your NIS2 compliance journey.

1 Introduction

Cyber attacks are on the rise, so there is a need for concrete and effective cybersecurity controls and processes.

The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive, which came into force in 2023. It modernized the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. Expanding the scope of the cybersecurity rules to new sectors and entities further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.

Businesses identified by the Member States as operators of essential services in sectors such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

The following is a non-exhaustive list of questions that will guide you toward cyber resiliency.

Additional security controls and questions will follow in other questionnaires/sections.

2 Governance and security management

Dedicating people and resources to achieve security hygiene and resiliency.

Details

This person or team should have defined roles and responsibilities and be responsible for implementing and enforcing the organization's security policies and procedures.

The purpose of this question is to determine whether the organization has a structured approach to managing cybersecurity risks and is taking appropriate measures to comply with the security requirements of NIS2.

Having a dedicated security manager is important for ensuring that an organization is adequately prepared to prevent, detect, and respond to security incidents, and to comply with relevant regulations and standards.


Details

Having an information security policy is a key requirement under NIS2 for operators of essential services and digital service providers.

Such a policy should cover a range of issues related to information security, including access controls, incident response, data protection, and security awareness training, among others.

The policy should be regularly reviewed and updated to ensure it remains effective in mitigating new and evolving threats.


Details

Dedicated security committee meetings can help to ensure that information security is given adequate attention within an organization.

Such meetings may involve regular discussions around security incidents, risk assessments, security policy development, and implementation, as well as training and awareness programs for employees.

The committee may also be responsible for monitoring compliance with security standards and regulations, and for recommending changes to security policies and procedures as needed.


Does top management undertake a periodic review of the information security program and policy?

Details

Periodic reviews by top management are an essential component of an effective information security program.

Such reviews can help to ensure that the organization's security measures remain relevant and effective in the face of changing threats and that the organization is complying with relevant laws, regulations, and industry standards.

The review should consider factors such as the organization's risk profile, security incidents, and the effectiveness of the security controls in place.


Details

Ongoing risk assessments are a key component of an effective information security program and are necessary to identify and mitigate potential threats to the organization's networks and systems.

Such assessments may involve identifying and assessing vulnerabilities, evaluating the likelihood and potential impact of security incidents, and developing mitigation strategies.


Details

A risk register is a document or system that identifies, evaluates, and records risks that an organization may face, and may include information such as the likelihood of the risk occurring, its potential impact on the organization, and the mitigation strategies in place to address it.

A well-defined risk register can help an organization to better understand its risks and develop effective strategies for mitigating them.


3 Business continuity, disaster recovery and incident response

Plan and test your business continuity policies and procedures, so you're ready when they’re really needed.

Details

A business continuity plan is a set of documented procedures and strategies that an organization can use to recover from a significant disruption to its operations.

Such a plan typically outlines the critical business functions that must be maintained during a disruption, the steps required to restore those functions, and the roles and responsibilities of various individuals or teams involved in the recovery process.


Details

Business continuity drills are simulated tests of an organization's business continuity plan, which are conducted to identify and address any gaps or weaknesses in the plan.

Such drills may involve testing specific components of the plan, such as communication protocols or data recovery procedures, or may simulate a complete business interruption to test the plan's overall effectiveness.

The frequency of business continuity drills may vary depending on the organization's risk profile, the complexity of its operations, and other factors.


Details

An incident response/crisis management playbook is a documented plan that outlines the steps to be taken in response to a security incident or crisis, and may include information such as the roles and responsibilities of various individuals or teams involved in the response, communication protocols, and recovery procedures.


Does your organization have a defined contacts list for external parties that are relevant to security and privacy? Legal, regulators, law enforcement, vendors - authorities and special interest groups.

Details

Having a defined contacts list can help the organization quickly and efficiently communicate with relevant parties in the event of a security incident, as well as provide a means of staying up-to-date on relevant regulations and best practices.


4 Human resources and operational security

Control your assets, throughout the organization and business.

Are employees and personnel (internal, external) subject to screening/background checks, and do they have terms and conditions of employment defining their information security responsibilities?

Details

Employee screening or background checks may include measures such as verifying references, checking for criminal records or other relevant background information, or assessing the individual's qualifications and experience.

Terms and conditions of employment defining information security responsibilities may include provisions such as confidentiality agreements, acceptable use policies, and security awareness training.


Does your organization manage an asset (systems, data) inventory list/directory? Which includes asset owners.

Details

Managing an asset inventory list or directory is an important part of effective security management, as it can help the organization identify potential vulnerabilities or risks, assess the impact of a security incident, and prioritize security investments.

The inventory should include information such as asset types, locations, ownership, criticality, and dependencies.


Does your organization have backup systems for emergency communications? Backup email, phone and messaging channels.

Details

Having backup systems for emergency communications can help ensure that the organization is able to continue operating and communicating effectively even in the event of an incident that affects its normal communication channels.

Backup systems may include alternative email, phone, and messaging channels that can be used to communicate, as well as processes for activating and using these channels in the event of an emergency.


Does your organization use enterprise-grade and secure voice, video, and text communication systems?

Details

Using enterprise-grade and secure communication systems can help ensure that the organization's communications are reliable and protected against unauthorized access, interception, or manipulation.

Such systems may include secure messaging platforms, virtual private networks (VPNs), encrypted voice and video conferencing tools, and other secure communication technologies.


5 Vulnerability management, testing and central logging/auditing

Ongoing measurement and having a feedback loop are key.

Details

A vulnerability management program is an important component of effective security management, as it can help the organization identify and address vulnerabilities before they can be exploited by attackers.

A vulnerability management program may include processes for scanning systems and applications for vulnerabilities, prioritizing vulnerabilities based on severity and potential impact, and developing and implementing plans to address identified vulnerabilities.


Details

Network and host vulnerability scanning is an important component of vulnerability management, as it can help the organization identify vulnerabilities in its systems and infrastructure that could be exploited by attackers.

Scanning may involve using automated tools to search for vulnerabilities in the organization's network and host systems, and then prioritizing and addressing the identified vulnerabilities.


Details

Penetration testing is a type of security testing that involves attempting to exploit vulnerabilities in a system or network to identify potential weaknesses that could be exploited by attackers.

Internal and external penetration testing may involve testing from both inside and outside the organization's network to identify potential vulnerabilities that could be exploited by an attacker with either an internal or external presence.


Details

A public bug bounty program is a formalized process in which an organization invites independent security researchers to identify and report security vulnerabilities in exchange for a reward or bounty.

With a public bug bounty program, the organization can leverage the expertise of the security research community to identify potential security issues that may not have been identified through internal testing.


Does your organization document and manage all security vulnerabilities in a central location/system?

Details

Managing security vulnerabilities in a central location or system can help ensure that vulnerabilities are tracked, prioritized, and addressed in a timely and systematic manner.

This can involve the use of tools such as vulnerability scanners or bug trackers, as well as the establishment of clear policies and procedures for identifying, documenting, and addressing security vulnerabilities.


Does your organization have a system that aggregates logs from endpoints, databases, servers and SaaS systems?

Details

Collecting and analyzing log data can be an important tool for identifying security incidents and monitoring for potential security threats.

By centralizing log data from different sources, organizations can gain a more comprehensive view of their IT infrastructure and identify potential security incidents that may not be apparent from individual log sources.


Details

System logs and alerts can provide valuable insights into the security and performance of an organization's IT infrastructure.

By monitoring and analyzing these logs and alerts on an ongoing basis, organizations can detect and respond to potential security incidents in a timely manner, which can help to minimize the impact of such incidents.


Does your organization have a 3rd party/vendor risk management program? Verifying counterparty security posture.

Details

The program involves evaluating the security posture of third-party vendors or service providers before entering into a contractual relationship, verifying that they have appropriate controls in place to protect sensitive data and systems, and monitoring their performance on an ongoing basis to ensure compliance with security requirements.


5.9 Is information security addressed in projects?
Details

The inclusion of information security in project management is essential in ensuring that security risks are identified and mitigated throughout the project lifecycle.

It involves integrating security controls and processes into the project plan, design, and implementation phases, as well as monitoring and reporting on the security status of the project.


6 Data protection and encryption

Data should be protected and monitored at all costs.

Details

Email encryption software is used to encrypt the content of an email message, ensuring that only the intended recipient can read it, and that the message has not been tampered with during transmission.


Does your organization encrypt data at rest in databases and servers? Including source code.

Details

Encrypting data at rest means converting the data into a ciphertext that can only be decrypted with the appropriate key.

This makes the data unreadable and unusable to anyone who does not have access to the key, which can significantly reduce the risk of data breaches.


Does your organization use a dedicated password manager for secure storage and sharing of passwords and credentials? Includes keys as well.

Details

Using a password manager can help improve an organization's overall security posture by reducing the risk of unauthorized access due to weak passwords, password reuse, and password sharing.

By centralizing password management and implementing best practices for password security, organizations can better protect their sensitive data and systems.


Details

The data protection/encryption and privacy policy should cover topics such as data classification, encryption, access control, data retention, data sharing, and data disposal.

The policy should also address compliance with relevant data protection and privacy laws and regulations.


Details

Encrypting data backups can provide an additional layer of protection to sensitive data stored in backups. The encryption ensures that only authorized individuals with the proper key or access can view and access the backup data.


Is information classified and labeled, and have procedures for handling assets in accordance with their classification been defined?

Details

Information classification is an important part of information security, as it helps organizations identify the sensitivity and value of their assets and apply appropriate security controls to protect them.

Organizations should have a policy that defines information classification and labeling standards, which can range from a simple three-tier system to a more complex one.

Procedures for handling assets in accordance with their classification should also be defined, including guidelines for access controls, data handling, data storage, and data disposal.


Are there procedures and controls for the removal, disposal and transit of media/devices containing company data?

Details

This refers to procedures and controls in place for the secure removal, disposal, or transfer of media and devices containing company data, to prevent data breaches or unauthorized access.


7 Access control, authentication and authorization (AAA)

The gateway to your systems and organization: keep your AAA top tier.

Details

Multi-factor authentication combines two or more of the following factors: something the user knows (such as a password), something the user has (such as a security token or smart card), and something the user is (such as biometric authentication).

By requiring more than one form of authentication, multi-factor authentication can help to reduce the risk of unauthorized access resulting from a compromised or stolen password.


Details

SMS-based authentication is a form of two-factor authentication (2FA) that involves sending a one-time code to a user's mobile device via text message, which is then entered as the second factor for authentication.

However, it's important to note that SMS is considered less secure than other 2FA methods because text messages can be intercepted or spoofed.


Do you monitor login and multi-factor authentication failure attempts? In order to detect malicious activities.

Details

Monitoring failed login attempts and failed multi-factor authentication attempts can provide valuable insights into the effectiveness of the organization's security measures and can help identify potential security breaches.

By tracking and analyzing this data, security teams can detect patterns and anomalies that may indicate malicious activity, and take appropriate action to mitigate any threats.
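The monitoring described above, as an added example that is not part of the original checklist. It flags bursts of password or MFA failures per user and password failures against many accounts from one source. The log format, event names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value log format.
SAMPLE_LOG = """\
2023-04-07T09:00:01Z event=password_fail user=alice src=203.0.113.7
2023-04-07T09:00:09Z event=password_fail user=bob src=203.0.113.7
2023-04-07T09:00:17Z event=password_fail user=carol src=203.0.113.7
2023-04-07T09:30:00Z event=password_fail user=erin src=198.51.100.20
2023-04-07T09:30:20Z event=password_fail user=erin src=198.51.100.20
2023-04-07T09:30:41Z event=password_fail user=erin src=198.51.100.20
2023-04-07T09:31:05Z event=password_fail user=erin src=198.51.100.20
2023-04-07T10:00:00Z event=password_ok user=frank src=192.0.2.55
2023-04-07T10:00:05Z event=mfa_fail user=frank src=192.0.2.55
2023-04-07T10:01:10Z event=mfa_fail user=frank src=192.0.2.55
2023-04-07T10:02:30Z event=mfa_fail user=frank src=192.0.2.55
2023-04-07T08:00:00Z event=mfa_fail user=grace src=192.0.2.80
2023-04-07T11:00:00Z event=mfa_fail user=grace src=192.0.2.80
2023-04-07T15:00:00Z event=mfa_fail user=grace src=192.0.2.80
"""

WINDOW = timedelta(minutes=10)                 # assumed values; tune per environment
LIMITS = {"password_fail": 4, "mfa_fail": 3}   # failures per user within WINDOW
SPRAY_USERS = 3                                # distinct users failing from one source

def parse(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def burst(times, limit):
    """True if `limit` of the timestamps fall inside one WINDOW."""
    times = sorted(times)
    return any(times[i + limit - 1] - times[i] <= WINDOW
               for i in range(len(times) - limit + 1))

def detect(log_text):
    by_user = defaultdict(list)   # (event, user) -> failure timestamps
    by_src = defaultdict(list)    # src -> (timestamp, user) of password failures
    for line in filter(str.strip, log_text.splitlines()):
        e = parse(line)
        if e["event"] in LIMITS:
            by_user[e["event"], e["user"]].append(e["ts"])
        if e["event"] == "password_fail":
            by_src[e["src"]].append((e["ts"], e["user"]))
    alerts = [(f"repeated_{kind}", user)
              for (kind, user), times in by_user.items()
              if burst(times, LIMITS[kind])]
    for src, fails in by_src.items():
        fails.sort()
        # Slide a window from each failure and count distinct targeted accounts.
        if any(len({u for t, u in fails[i:] if t - start <= WINDOW}) >= SPRAY_USERS
               for i, (start, _) in enumerate(fails)):
            alerts.append(("many_accounts_one_source", src))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The MFA failures for "frank" follow a successful password step, which is the case worth escalating first: the password is likely already known to whoever is attempting the login. The failures for "grace" are spread over hours and stay below the threshold.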


Does your organization utilize an IAM (identity access management) system for SSO (single sign on), multi-factor authentication and onboarding/offboarding automation?

Details

This refers to the implementation of an identity and access management system that allows users to access various systems and applications with a single set of credentials.

This system should also include multi-factor authentication to ensure that only authorized users can access critical systems and data, and also have automation capabilities for managing the onboarding and offboarding process of users, to ensure that access is granted or revoked as necessary.


Does your organization have a defined policy for onboarding and offboarding users/employees to corporate systems/applications?

Details

This refers to the presence of a documented process that outlines the steps that must be taken when new employees join or leave the organization.

This policy should cover areas such as account creation and deactivation, access to systems and data, and any other relevant security considerations.


Does your organization manage and monitor devices (laptops, mobile phones) via a dedicated system? For system performance/anomalies and compliance.

Details

The purpose of such a system is to track system performance, identify anomalies, and enforce compliance with security policies. It may include features such as device inventory, configuration management, software updates, anti-malware protection, remote device wiping, and more.

By centrally managing and monitoring devices, an organization can reduce the risk of security incidents that result from unpatched systems, outdated software, and other vulnerabilities.


Details

Separation of development, testing, and production environments means that each environment is physically and logically separated from the others, and that access and permissions are strictly controlled.

The purpose of this is to minimize the risk of unauthorized changes to production systems, which could result in system downtime, data loss, or other negative consequences.


Is there a defined secure software development lifecycle (SSDLC) process? Internal and external (outsourced) development.

Details

The goal of an SSDLC is to identify and address security issues as early in the development process as possible, and to prevent vulnerabilities from being introduced into the code.

This process should cover all phases of the software development lifecycle, from planning and requirements gathering, to design, coding, testing, deployment, and maintenance.


Details

Author 21RISK
Languages English
Length 38 Questions
Last modified Feb 17, 2023
Created Apr 07, 2023