WHAT IS IT
On 16 January 2023, the NIS 2 Directive (Directive (EU) 2022/2555 on network and information security) entered into force.
It is a European cybersecurity directive aimed at raising the overall level of cybersecurity and harmonizing cyber resilience across the EU.
The NIS 2 Directive strengthens governance and cooperation in relation to the cyber risk management measures and reporting obligations adopted in all regulated sectors, eliminating divergences in security requirements and in the implementation of cybersecurity measures between Member States.
The entry into force of Legislative Decree 4 September 2024, n. 138, which transposes the NIS 2 Directive with the aim of strengthening resilience to current and future cyber threats, introduces new requirements and obligations for Italian organizations, which must:
- identify, assess and mitigate cyber risks
- evaluate their security posture
- manage the business continuity of their services
- take steps to protect privileged access
- strengthen organizational and technological defenses
- monitor the supply chain
- formalize the incident response plan
- train staff and create awareness about cybersecurity
How CSQA Can Help Your Company Comply with NIS 2
- TRAINING AIMED AT TOP MANAGEMENT
In the initial phase, CSQA training is aimed at Top Management, with the aim of:
- providing a complete understanding of the NIS 2 Directive and its impact on cybersecurity,
- creating awareness of management's responsibilities (accountability),
- understanding the scope of the directive, evaluating its impact on the organization's operations and implementing effective strategies to ensure compliance,
- knowing the sanctions applicable in case of non-compliance.
- GAP ANALYSIS
Using a purpose-designed checklist, CSQA determines the organization's level of compliance with the following references:
- EU Directive 2022/2555 (NIS 2) on network and information security,
- Legislative Decree 138/2024 transposing the NIS 2 Directive,
- ISO/IEC 27001:2022 and ISO 22301:2019,
- Commission Implementing Regulation (EU) 2024/2690, which lays down technical and methodological requirements for applying the NIS 2 Directive.
The activity includes:
- verification of the existing documentation and of the adequacy and effectiveness of the cyber policies adopted by the customer,
- interviews with the staff involved, on both organizational and technological aspects,
- identification of the client company's cybersecurity positioning,
- identification of any admissible exclusions, to be documented,
- identification of the gaps to be resolved for each critical issue and non-conformity.
Deliverables:
- Report on the level of adequacy against regulatory requirements and security controls
- List of areas for adaptation and improvement
- REMEDIATION PLAN: RISK ANALYSIS, POLICIES AND PROCEDURES, TECHNOLOGICAL COUNTERMEASURES
This phase is the responsibility of the client organization.
- GAP ANALYSIS FOLLOW-UP
Once the client organization has implemented all the countermeasures, CSQA carries out a follow-up activity on the gaps highlighted in the first phase and returns a report describing the organization's new cyber posture.
Deliverables:
- Report on the level of adequacy of the implemented improvement actions
- CYBER TRAINING FOR ALL STAFF
Whereas in the first phase CSQA training is aimed at Top Management and first-level managers, in the second phase it is addressed to all staff, with the aim of giving participants practical skills to evaluate and deal with cybersecurity risks: both the threats facing public and private organizations and those along the supply chain in relationships with suppliers.
- INTERNAL AUDIT AND MONITORING
This phase is the responsibility of the client organization.
- VERIFICATION OF THE CYBER SECURITY OF THE SUPPLY CHAIN
The national cybersecurity strategy provides for the verification of cybersecurity along the supply chain of ICT products and services.
CSQA carries out second-party audits with the aim of verifying that:
- the supplier complies with the cybersecurity requirements established in the contract,
- information security requirements have been defined,
- the company assets accessible to the supplier are protected,
- contractual documents stating the required security requirements have been formalized.
CSQA both verifies the existing contractual documentation through a document review and carries out an on-site audit at the supplier, including interviews with the personnel involved, with the aim of verifying compliance with the cyber policies defined by the client in the contractual phase.
The output of the audit activities highlights the supplier's level of compliance with the contract and with the cyber policies and procedures shared when the contract was signed.
- ISSUE OF ISO 27001 AND ISO 22301 CERTIFICATIONS
CSQA recommends certification against the two standards ISO/IEC 27001 and ISO 22301 which, in addition to facilitating compliance with NIS 2 requirements, more generally give customers:
- a framework for dealing with and, above all, preventing constantly evolving cyber risks,
- tangible evidence of compliance in terms of the adequacy of the technological and organizational measures adopted with a view to IT resilience.
The ISO 27001 and ISO 22301 certifications are not mandatory under NIS 2, but they provide tangible proof of the adequacy of the technical and organizational measures adopted and of the organization's IT resilience.