According to the NIS Directive, Member States should adopt a common set of baseline security requirements to ensure a minimum level of harmonized security measures across the EU and to enhance the overall level of security of operators of essential services (OES) and digital service providers (DSP).
The NIS Directive sets three primary objectives:
- to improve the national information security capabilities of the Member States;
- to build mutual cooperation at EU level; and
- to promote a culture of risk management and incident reporting among actors (OES and DSP) of importance for the maintenance of key economic and societal activities in the Union.
To assist organizations in achieving compliance with the Directive, the European Union Agency for Cybersecurity (ENISA) and the UK's National Cyber Security Centre (NCSC) have developed assessment frameworks.
ENISA’s Guidelines on Assessing DSP and OES Compliance
According to Articles 14, 15 and 16 of the NIS Directive, one of the key objectives is to introduce appropriate security measures for OES as well as for DSP in order to achieve a common level of information security across EU network and information systems. Information security audits and self-assessment/management exercises are the two major enablers for achieving this objective.
Figure 1: Information Security Audit Lifecycle. Source: ENISA
The main objective of the ENISA guidelines is to help National Competent Authorities (NCA) conduct audits and to assist DSP and OES across all EU Member States in complying with the requirements of the NIS Directive, with the aim of achieving a baseline security level.
The objective of the guidelines is achieved by:
- Proposing the information security audit and self-assessment/management frameworks that can be applied by DSP and
This is a Security Bloggers Network syndicated blog from The State of Security authored by Anastasios Arampatzis. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/assessment-frameworks-nis-directive-compliance/