PECB Event Collaterals: How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regulations?
Peter GEELEN
Sustainable secure & safe. Community & learning geek #ISMS, GDPR/Privacy, Cyber & Cloud. IAM. Trainer. Audit. Freelance! Life hacker. Know when to break rules. No nonsense, to the point. Better done than half purfect.
This article contains all collaterals, including the questions and answers, of the PECB Webinar session on "How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regulations?"
Latest Update (2023-07-28):
Recorded session & presentation download
The session has been recorded and published on YouTube and SlideShare by PECB; please check the links below after the event.
PECB publishes event recordings and slides at the PECB webinars page, where you can also review past webinars: https://pecb.com/past-webinars
PECB Publication
To go to the published event recording and slide deck directly you can use this link: https://pecb.com/past-webinars/how-can-isoiec-27001-help-organizations-align-with-the-eu-cybersecurity-regulations
Event recording video link on YouTube
Direct link: https://youtu.be/rsjwwF5zlK8
Original Presentation on SlideShare by PECB
Q&A in PECB Insights Magazine
In the next publication of the PECB Insights magazine, the Q&A of this session will be covered in an article. More info when published.
You can read the PECB Insights magazine here:
Session Introduction
There is a pretty impressive amount of EU cybersecurity legislation that puts a lot of pressure on companies to maintain a high level of security for their business, data and infrastructure.
Customers, partners, employees expect you to be on top of your game to protect their data...
How do you cope with this and keep up to date with current (and future) legislation...?
Session Agenda
Agenda (draft)
Presenters
Our first presenter for this webinar is Peter Geelen, director and managing consultant at CyberMinute and owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture and Identity & Access Management, but also in privacy, information & data protection, and cyber- and cloud security. In the last few years, the focus has been on ISO/IEC 27001 and other ISO certification mechanisms. Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, PECB Trainer and Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified ISO/IEC 27701 lead implementer and lead auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 lead manager, ISO/IEC 27701 Lead Implementer, cDPO, Risk management, Lead Incident Mgr., Disaster Recovery, and many more.
Jean-Luc PEETERS
Our second presenter is Jean-Luc PEETERS, Head of CERT.be - Centre for Cybersecurity Belgium, Trainer and CISO.
Q&A (to be completed after event)
All questions from the event will be answered and documented in the section below.
1. What about ECB Cyber Resilience Oversight Expectations guidance?
The ECB (European Central Bank) guidelines are covered by DORA.
We did not focus the webinar on specific markets like finance, banking, defence... as for these markets there is more specific legislation that applies, superseding NIS2.
2. Can you talk about the new Data Loss Protection control?
While data loss is a significant indicator of the impact of an incident, the NIS 2 legislation does not specifically focus on data loss protection controls. Still, operators are expected to have a business continuity and disaster recovery plan to minimize the impact of cybersecurity issues on the essential and critical services.
However, note that article 31 point 3 requires that the (NIS) competent authority work in close collaboration with the data privacy authority.
ISO27001 has an increased focus on data loss, but business continuity and disaster recovery have been in ISO27001 for a while already (previously Annex 17).
3. What customers are in scope of NIS?
See NIS2 legislation Annex I and Annex II.
There are sectors of high criticality (Annex I) and the other critical sectors (Annex II). Within those we distinguish essential (more stringent oversight) and important entities. All those entities will need to comply with the NIS directive. The EU countries' transpositions might add additional measures to comply with.
4. Would the national authority be a governmental entity like the "GDPR authority control"?
Short answer: yes, the approach is pretty similar.
Articles 31 and 32 lay down the rules and mandate of the (to be created or appointed) supervisory authority. This ranges from onsite inspection, off-site supervision, audits (done on their own or by an independent body) and requests for documentation and information, to the designation of a monitoring officer.
Detailed answer: we did not cover this in detail, but NIS 2 provides details on how the EU governments need to align cybersecurity and incident management.
Depending on the national organisation it can be the central government, but it doesn't need to be, as some countries have a more complex political organisation and the central cybersecurity authority might be under the control of different departments in each country...
5. Do you accept ISO 9001 Auditors from other institutes? I am interested.
This question is out of scope for the NIS 2 webinar, as it rather links to the PECB Certification program for ISO9001. Better to ask the question directly to PECB, via the contact form or via a ticket if you already have a registered user profile.
6. How about the national and private CSIRT/CSOC for OES?
We didn't cover this topic in detail in the webinar, but NIS 2 does cover the reporting obligations by CSIRT/CSOC for OES (Operators of Essential Services) or, more correctly under NIS 2, Essential or Important entities.
The security guidelines laid down in NIS 2 refer to the need to implement state-of-the-art measures to detect and respond to incidents. It does not actually oblige you to create a (private) CSIRT; the question remains whether you can actually implement state-of-the-art incident response without a formal (in-house or outsourced) structure.
The NIS directive clearly obliges Member States to create one or more CSIRTs (even under an existing competent authority). Detailed tasks and duties can be found in article 11. CSIRTs' tasks include monitoring and analyzing cyber threats for essential entities, providing early warnings, incident response, forensic data analysis, and proactive scanning to detect vulnerabilities.
They may prioritize tasks based on a risk-based approach and cooperate with other CSIRTs.
7. What are the fundamental aspects on which we can rely on ISO 27001 to better comply with European regulations on cybersecurity?
Various components of ISO27001 (if not all) need to be implemented in one way or another to comply with NIS 2.
For example (but not limited to):
8. If the scope of the ISMS is now given minimal boundaries for organizations under NIS2, will the IMS2 from PECB change to encompass this more explicitly, or will the training include more on defining the necessary boundaries for the ISMS?
The IMS2 approach will not change, as it can perfectly cover the NIS2 requirements for an ISMS (ISO27001).
The answer to this question is in the new NIS 2 course that will be launched with the PECB Insights Conference 2023; there is a pre-conference track that will cover NIS 2 and how you can use the IMS2 to fulfil the NIS 2 requirements with an ISMS.
9. Is it correct that the EU treats the defense sector as neither important nor essential?
First of all, you must understand that some of the sectors are "out of scope" for direct application of NIS 2, because some important sectors are covered by other legislation or regulations that supersede NIS 2.
Art. 2 (Scope):
"7. This Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences"
Within NIS/NIS2 the answer is two-fold:
So, you'll not be considered within NIS 2... but there is other legislation superseding NIS 2...
The defense sector has its own set of regulations and laws in each member state; there is no direct reference to this sector in NIS2.
However, keep in mind that you might be part of a supply chain that in the end delivers services to an important or essential entity.
And you can expect even more stringent expectations from the legislation in defence.
10. How do we know if those directives are applicable to our organization?
The easy answer is: you're expected to know the law.
First of all, you can check the sectors covered in NIS, NIS2 and CER and see if your organisation belongs to the sectors mentioned in Annex I and II.
Secondly, there are certain activities and sectors nominated by the national government. So, you had better follow the course of the national implementation of NIS2 by the various countries... As NIS 2 is a directive, national legislation is required for implementation by October 2024.
A central point of view will be ENISA, which offers an overview of the various national legislations...
11. There is no data protection without cybersecurity! Does this statement suggest or imply that whatever measures are taken in protecting data are a non-starter if they have not covered elements of cyber? Does this statement hold even in cases where systems are not excessively web based?
Web based is slightly different from "internet connected"... cybersecurity points at systems and operations that are connected to the internet, not necessarily web based... there is more...
But of course, if your system is disconnected from the internet, it will be a lot easier to protect it from cyber attacks.
But please be aware that there are well-known cases of "air-gapped" systems that have been attacked via intermediate systems or devices...
So the short answer is yes, you need to cover cybersecurity in your data protection, as we all live in an internet-connected era.
12. Are logistics companies and semiconductor companies subject to NIS 2, whatever their size and revenue?
NIS 2 Annex II, topic 5 covers manufacturing.
And within topic 5, part (b) covers "Manufacture of computer, electronic and optical products".
13. In summary, can we say that DORA is the regulation on Operational Resilience for financial institutions and IT third parties, while NIS2 is the equivalent for other sectors (industries, energy, ...)?
Yes.
14. When does NIS 2 start?
It has been activated already.
Voted in December 2022, published 27.12.2022, and activated 20 days later, in January 2023.
EU governments are expected to have implementing acts by October 2024.
15. Can the NIS (s) be integrated into the ISO scope statement on the certificate, and then the SoA? Would putting NIS into my ISO 27001 cert be helpful? Could I use that as a method of reporting compliance with NIS?
Can you integrate NIS into your scope? Yes.
Should you do it? It depends...
Would it make sense to integrate NIS into your ISMS implementation and certification?
Yes, certainly. All areas covered by NIS 2 are covered, or can be covered, by the current ISO 27001.
Can you use it as a method to report compliance with NIS?
Yes, certain countries have already accepted ISO27001 certification as an equivalent and valid proof of compliance for the NIS implementation.
E.g., check the Belgian implementation of NIS...
NIS 2 implementation is still in progress (deadline October 2024). More news to come on the various national implementations of the NIS 2 legislation.
NIS 2 Course on PECB Insights conference
In September and October PECB will launch the new NIS Directive 2.0 Training Course; register at:
Other interesting NIS2 references
NIS2 page at ENISA
EU Cybersecurity regulations
(as complete as possible, but non-exhaustive... keep us informed if references are missing...)
Extensive overview in this blog:
CFREU (Charter of Fundamental Rights of the EU)
GDPR (regulation 2016/679)
NIS 1 (Directive 2016/1148)
NIS 2 (Directive 2022/2555)
DORA
CER
DSA
DMA
DGA
ePrivacy
Amended:
Cyberdefense policy
Cybersecurity Act
RED (Radio Equipment Directive)
MDR
eIDAS
Other info
More info and other legislations: https://identityunderground.wordpress.com/2023/04/03/overview-of-cybersecurity-relevant-european-laws-directives-regulations-and-policies/
Credits & sources
Understanding Cybersecurity in the European Union by Georg Philip Krog
O?????????????? ???? ?????? ???? ???????????????????? ?????????????????? by Nicolas Ameye
Reference material
ISO27001:2022 (ISO, published 2022-10-25)
ISO27002:2022 (ISO, published 2022-02-15)
ISO27005:2022 (ISO, published 2022-10-25)
PECB Webinars
Past PECB Webinars on ISO27001 (search for 27001)
Recent PECB Webinar on ISO27002
Other PECB Webinars
PECB Webinars: https://pecb.com/en/webinars
See also
ISO27001 PECB webinar series (with collateral information) on LinkedIn
Need more?
(to be completed)
1 year ago: Happy to bring this contribution to the attention of my network.