Key Documentation for a Successful NIS 2 Audit

2025/01/13

The NIS 2 directive prescribes several deliverables (e.g. regulations, procedural instructions) that organizations must develop and maintain to comply with the Cyber Act. It is no surprise that these documents must also be presented during the cybersecurity audit for it to conclude successfully. But have we thought of everything? Here are five essential documents that must not be overlooked when aiming for a successful NIS 2 audit.

Information Security Policy (ISP)

The Information Security Policy (ISP) is a fundamental regulatory document for any organization. Many standards and laws mandate its existence, and the NIS 2 directive, which focuses on cybersecurity, is no exception. Thus, the ISP is a basic document that must be available during the NIS 2 audit.

Practical tips for ISP content:

  • The ISP should include all the rules necessary for the proper and secure use of information and communication technology within the organization.
  • The document must precisely define the rules, responsibilities, tasks, and authorizations for the protection of electronic information systems (EIS), including user-related policies.
  • It should also reference all important related documents developed for information security, such as policies, procedures, descriptions, records, and logs. Essentially, the ISP forms a framework for the documentation presented during the NIS 2 audit.

Risk Management Strategy

Risk management is the cornerstone of cybersecurity. Without a thorough understanding of the organization's systems, threats, and appropriate control measures, information security stands on shaky ground. The NIS 2 directive emphasizes risk analysis and management, even providing specific protective measures for organizations. The related regulation also details the methodology for creating a risk management strategy.

Key considerations for documenting risk management processes:

  • Be thorough! Analyze every critical business process, evaluating all assets for confidentiality, integrity, and availability, against all potential threats.
  • Use the threat catalog provided in the regulation! Annex 3 of the 7/2024 (VI. 24.) MK decree lists the threats that must be considered during risk analysis concerning critical business processes.
  • Don’t forget about procurement! NIS 2 highlights the importance of secure supply chain processes for EIS, so supply chain-related risks must be included in the risk management strategy.

If you need assistance with your organization's risk analysis, seek support from Régens expert advisors!

Business Continuity Plan (BCP)

In case of a cybersecurity incident, it's crucial to ensure not only the security of information but also the quick recovery or substitution of business processes. Thus, the NIS 2 directive mandates the creation and maintenance of a business continuity plan (BCP).

Useful considerations for developing a BCP:

  • Define the minimum service level required for operational continuity and tailor recovery action plans for critical business processes accordingly.
  • Consider substitutability! The continuity of operations can often be ensured most efficiently by introducing substitute measures.
  • Assign responsibilities clearly! Establish a dedicated BCP team, and define emergency roles, responsibilities, contact persons, and their contact information.
  • Define communication expectations! Include crisis communication forms and channels in the plan to enable swift corrective actions during incidents.

Training Policy and Related Documents

The NIS 2 directive prioritizes enhancing cybersecurity, which heavily relies on well-prepared and aware human resources. Awareness programs are essential for building a security-conscious culture across the organization. Therefore, significant emphasis is placed on cybersecurity training and fostering security awareness among employees.

Key aspects to consider when drafting training policies:

  • Separate training materials by roles! Different roles require tailored information on cybersecurity awareness.
  • Ensure access based on authorization! Training materials must be easily accessible while maintaining confidentiality.
  • Develop an annual training plan! Include schedules for security awareness training sessions, participation requirements, refresher courses, and assessments.

Chief Information Security Officer (CISO) Job Description

The appointment of a Chief Information Security Officer (CISO) was a prerequisite for NIS 2 registration. Often, the choice of personnel for this role was made without careful consideration. A common issue is that the designated person receives no further information about their new responsibilities post-registration. For a successful NIS 2 audit, it is crucial to include an updated job description for the CISO, reflecting their cybersecurity responsibilities.

The CISO is accountable for the security of EIS, for ensuring compliance with the organization's information security policies, and for handling cybersecurity incident reporting and communication with the authority. These responsibilities must be detailed in the job description or, in the case of an external CISO consultant, in the contract.

Need help preparing for compliance? Entrust Régens experts with your organization's NIS 2 documentation and compliance support!