NIS2 - EU 2022/2555 complete how-to guide

Jan_Biets, 50 slides, Oct 02, 2025

About This Presentation

NIS2 framework


Slide Content

Protection of critical infrastructures (Directives EU 2016/114 and 2016/1148, and Directive (EU) 2022/2555), a.k.a. NIS and NIS 2. A way forward, a great endeavour.

Where does it apply?
"Critical infrastructures are organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequence." [1]
"Critical infrastructure is an installation, system or part thereof, of federal interest, which is essential for the maintenance of vital societal functions, health, safety, security, economic prosperity or social well-being, and the disruption of whose operation or destruction would have a significant impact because those functions would be disrupted." [2]
"An asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions." [3]
[1] Source: UP KRITIS Public-Private Partnership for Critical Infrastructure Protection
[2] https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Infrastructure#Belgium
[3] https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Infrastructure#Council_Directive_2008.2F114.2FEC

What is the aim of the directive? It proposes a wide-ranging set of measures to boost the level of security of network and information systems (cybersecurity) to secure services vital to the EU economy and society. It aims to ensure that EU countries are well-prepared and ready to handle and respond to cyberattacks through:
- the designation of competent authorities,
- the set-up of computer security incident response teams (CSIRTs), and
- the adoption of national cybersecurity strategies.
It also establishes EU-level cooperation at both strategic and technical level. Lastly, it introduces the obligation on essential-services providers and digital service providers to take appropriate security measures and to notify the relevant national authorities about serious incidents.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG

What is KEY? Improving national cybersecurity capabilities
EU countries must:
- designate one or more national competent authorities and CSIRTs, and identify a single point of contact (in case there is more than one competent authority);
- identify providers of essential services in critical sectors such as energy, transport, finance, banking, health, water and digital infrastructure, where a cyberattack could disrupt an essential service.
EU countries must also put in place a national cybersecurity strategy for network and information systems, covering:
- being prepared and ready to handle and respond to cyberattacks;
- roles, responsibilities and cooperation of government and other parties;
- education, awareness-raising and training programmes;
- research and development planning;
- planning to identify risks.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG

What is required? The national competent authorities monitor the application of the directive by:
- assessing the cybersecurity and security policies of providers of essential services;
- supervising digital service providers;
- participating in the work of the cooperation group (comprising network and information security (NIS) competent authorities from each of the EU countries, the European Commission and the European Union Agency for Network and Information Security (ENISA));
- informing the public where necessary to prevent an incident or to deal with an ongoing incident, while respecting confidentiality;
- issuing binding instructions to remedy cybersecurity deficiencies.
The CSIRTs are responsible for:
- monitoring and responding to cybersecurity incidents;
- providing risk analysis, incident analysis and situational awareness;
- participating in the CSIRTs network;
- cooperating with the private sector;
- promoting the use of standardised practices for incident and risk handling and information classification.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG

What is required? Security and notification requirements
The directive aims to promote a culture of risk management. Businesses operating in key sectors must evaluate the risks they run and adopt measures to ensure cybersecurity. These companies must notify the competent authorities or CSIRTs of any relevant incident, such as hacking or theft of data, that seriously compromises cybersecurity and has a significant disruptive effect on the continuity of critical services and the supply of goods. To determine the incidents to be notified by providers of essential services*, EU countries should take into account an incident's duration and geographical spread, as well as other factors, such as the number of users relying on that service. Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG

How will it be done? Improving EU-level cooperation
The directive sets up the cooperation group, whose tasks include:
- providing guidance to the CSIRTs network;
- exchanging best practice on the identification of providers of essential services;
- assisting EU countries in building cybersecurity capabilities;
- sharing information and best practice on awareness-raising and training, research and development;
- sharing information and collecting best practice on risks and incidents;
- discussing modalities of incident notification.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG

How will it be done? The directive sets up the CSIRT network, comprising representatives of EU countries' CSIRTs and the Computer Emergency Response Team (CERT-EU), for:
- sharing information on CSIRT services;
- sharing information concerning cybersecurity incidents;
- supporting EU countries in the response to cross-border incidents;
- discussing and identifying a coordinated response to an incident reported by an EU country;
- discussing, exploring and identifying further forms of operational cooperation, including: categories of risks and incidents; early warnings; mutual assistance; coordination between countries responding to risks and incidents which affect more than one EU country;
- informing the cooperation group of its activities and requesting guidance;
- discussing lessons learnt from cybersecurity exercises;
- discussing the capabilities of individual CSIRTs at their request;
- issuing guidelines on operational cooperation.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG

Mutual understanding: KEY TERMS
- Cybersecurity: the ability of network and information systems to resist action that compromises the availability, authenticity, integrity or confidentiality of digital data or the services those systems provide.
- Network and information system: an electronic communications network, or any device or group of interconnected devices which process digital data, as well as the digital data stored, processed, retrieved or transmitted.
- Essential services: private businesses or public entities with an important role for society and the economy, for example water supply, electricity services, etc.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG


Basic high-level comparison (aspect: NIS1 (Directive 2016/1148) / NIS2 (Directive 2022/2555))
- Scope: limited to essential services and digital service providers / broader: includes more sectors and medium/large entities
- Sector coverage: energy, transport, banking, health, water, digital infrastructure / adds postal, waste, food, manufacturing, public administration
- Entity size threshold: not clearly defined / applies to entities with ≥50 employees or ≥€10M turnover
- Security requirements: general obligations / more detailed and harmonized requirements
- Incident reporting: only significant incidents / mandatory reporting within 24 hours for all major incidents
- Governance & accountability: less emphasis on leadership roles / explicit responsibilities for management bodies
- Supply chain security: not addressed / explicitly included
- Enforcement & penalties: vague enforcement mechanisms / stronger supervision and fines (up to €10M or 2% of turnover)
- Cooperation mechanism: CSIRTs and national authorities / adds EU-CyCLONe for coordinated response
- Compliance burden: lower / higher, with mandatory risk management and documentation

Industry and beyond

Industry and beyond 1/3 (sector; subsector; type of entity)
- Energy; electricity; electricity undertakings performing the function of "supply"; distribution system operators; transmission system operators
- Energy; oil; operators of oil pipelines; operators of facilities for the production, refining and treatment of oil, storage and transport
- Energy; gas; supply undertakings; distribution system operators; transmission system operators; storage system operators; LNG system operators; natural gas undertakings; operators of natural gas refining and treatment facilities

Industry and beyond 2/3 (sector; subsector; type of entity)
- Transport; air transport; air carriers; airport managing bodies; air traffic control services
- Transport; rail transport; infrastructure managers; railway undertakings
- Transport; water transport; inland, sea and coastal passenger and freight water transport companies; managing bodies of ports (as well as entities operating works and equipment within ports); operators of vessel traffic services
- Transport; road transport; road authorities; operators of intelligent transport systems

Industry and beyond 3/3 (sector; type of entity)
- Banking; credit institutions
- Financial market infrastructure; operators of trading venues; central counterparties
- Health; healthcare settings (including hospitals and private clinics); healthcare providers
- Drinking water supply and distribution; suppliers and distributors of "water intended for human consumption"
- Digital infrastructure; internet exchange points; DNS service providers; top-level domain name registries

What is it based on? Directive (EU) 2016/1148 (NIS1) and Directive (EU) 2022/2555 (NIS2).

Executive decision: go with the (reassuring) flow
- Executive management support
- Statement of Work: in scope, out of scope, high-level planning, and budget covenant
- Rules of Engagement: communication, project organisation
- Statement of Applicability: infrastructure, IT / network, civil constructions, production / operations facilities
- Risk-based approach
- Roll-out, roll-in ("building" the ISMS)
- Audit, certification and "regular" ISMS maintenance
Note: to be used as a demo principle only.

Today: the front-runner's approach to critical infrastructures
- Identify scope: 360°, or a "full panoramic image"
- Collect "landscape" information across multiple layers:
  - infrastructure (construction) drawings;
  - IT (software, applications, website, touchpoints, hardware, configuration / patch management, ...);
  - IT network (incl. "cloud");
  - vendor management, configuration management (tool/application), incl. housing and hosting service providers; server room(s);
  - civil / operational construction drawings, technical operation rooms;
  - people, policies, processes;
  - geographical location, transport modes, suppliers, environment.
- Statement of Applicability (cf. slide 7)
- Risk assessment, previous audit reports
- Identify mitigation controls
- Execute / realise mitigation / solutioning
- Evidence and documentation
- Audit and certification
- Manage / maintain control of "Critical Infrastructure" protection
- Asset management register
Note: to be used as a demo principle only.

SoA (#; area; description of Statement of Applicability; related standards, audit framework documents)
1. Vulnerability management; what does the handling of known weak points look like? Presentation of processes and derived measures; SANS Institute, OWASP Top 10, ISO 27002, ISO 31000
2. Risk assessment; recommendations, periodic and iterative, process description
3. Patch management; concept of measures for patch management at DL; ITIL process definition (may be tooling)
4. Systemhärtung [system hardening]; the Contractor undertakes to harden the systems it supplies in order to minimise the impact; identify a collection of tools, techniques and best practices to reduce vulnerability company-wide
5. Fernzugang für Drittanbieter [remote access for third-party providers]; remote access from third parties to the network of the Principal
6. Anforderungen an die Softwareentwicklungsprozesse [requirements for software development processes]; the software development processes of the contractor must be designed in such a …
7. Einsatz der kryptographischen Lösungen [use of cryptographic solutions]; in order to ensure that no obsolete cryptographic solutions known to be …
8. Dokumentation [documentation]; the service provider shall regularly document the processes mentioned in this list (process manual); ISO 27000, ISMS; define structure; define document process flow, access management, user profiles
… … … …
This is a concise example only, for demonstrative purposes. Note: to be used as a demo principle only.

Approach, too: elaborate, engineer and build a re-usable framework / template / approach for the company's other sites. Pillars: Audit, CIRT, ISMS.

Solution based on standards, frameworks, and more. Non-exhaustive overview of potentially applicable standards and frameworks, to be modified according to the scope of the audit exercise and aligned with the specific domain / industry:
- EU 2016/114 - Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection
- EU 2016/1148 - Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
- ISO 27001 (27002, 27003, 27004 and 27005) - Information security management
- ISO/TR 27019 - Information technology - Security techniques - Information security controls for the energy utility industry
- NIST 800-53 Rev. 4 - Controls
- ISO 31000 - Risk management - Guidelines; provides principles, a framework and a process for managing risk
- ITIL - Information Technology Infrastructure Library
- OWASP - Open Web Application Security Project
- ISO 15408 - Information technology - Security techniques - Evaluation criteria for IT security
- ISO 21827 - Information technology - Security techniques - Systems Security Engineering - Capability Maturity Model
- ISO 22301 - Societal security - Business continuity management systems - Requirements
- ISO 27031 - Information technology - Guidelines for ICT readiness for business continuity
- ISO 55001 - Asset management - Management systems - Requirements
- ISO/TR 27550 - Information technology - Security techniques - Privacy engineering for system life cycle processes
- UP KRITIS - Public-Private Partnership for Critical Infrastructure Protection; KRITIS V
- IEC 62443 - "Security for Industrial Process Measurement and Control - Network and System Security"

Road ahead: complexity, and more. Analysing complexity brings insights. (Legend: Doc = document; Proc² = processes and procedures.)
Stage; ISO standard; purpose:
1. Strategic risk governance; ISO 31000 (Risk Management); establishes enterprise-wide risk principles, context, and governance.
2. Asset-centric governance; ISO 55000 (Asset Management); manages lifecycle and criticality of assets (IT/OT/data).
3. Risk assessment integration; ISO/IEC 27005 (Information Risk); provides a methodology for assessing information security risks.
4. IT security management; ISO/IEC 27001 (ISMS); defines the structure for managing information security. ISO/IEC 27002 (Controls); offers detailed control implementation guidance.
5. OT/IACS security management; IEC/ISA 62443-2-1 (CSMS); defines the Cyber Security Management System for industrial automation. IEC/ISA 62443-3-3 (System Security Requirements); specifies technical security requirements for IACS. IEC/ISA 62443-4-2 (Component Security); applies to embedded systems and devices.
6. Business continuity & resilience; ISO 22301 (BCMS); ensures continuity of critical services during disruptions.
7. Privacy & data protection; ISO/IEC 27701 (Privacy Extension to ISMS); aligns the ISMS with GDPR and privacy obligations.

Road ahead: complexity, and more (diagram; for readability, not all information is shown). Analysing complexity brings insights. Elements shown: EU 2022/2555; ISMS with ISO 2700x, ISO 27002 controls, SoA, evidences, docs and proc²; audit start, ISMS audit, operational certification; CIRT; internal asset management register (ISO 55000); ISO 31000; ISO 21827, ISO 27019, ISO 25010, ISO 15408, ISO 22301, ISO 27031, IEC 62443, ITIL, OWASP; other internal inputs; cybersecurity maturity assessment. Legend: Doc = document; Proc² = processes, policies, and procedures.

Linking "Asset Management" to ISO 2700X, and vice versa. What: all information assets are to be considered, not only physical assets. This includes anything of value to the organisation where information is stored, processed and accessible; it is the information that is of real interest, less so the network or device per se, although clearly they are still assets and need to be protected.

Defining assets: "data". Some examples:
- Information (or data)
- Intangibles, such as IP, brand and reputation
- People: employees, temporary staff, contractors, volunteers, etc.
And the physical assets associated with their processing and infrastructure:
- Hardware: typically IT servers, network equipment, workstations, mobile devices, etc.
- Software: purchased or bespoke software
- Services: the actual service provided to end-users (e.g. database systems, e-mail, etc.)
- Locations & buildings: sites, buildings, offices, etc.
Any type of asset can be grouped together logically according to a number of factors such as:
- Classification, e.g. public, internal, confidential, etc.
- Information type, e.g. personal, personal sensitive, commercial, etc.
- Financial or non-financial value

Asset Management Foundation (Tooling) 1: Register of vendors
- Cross-referencing supplies (hardware, IT components, PLCs, ...)
- Cross-referencing with configuration data (key identifiers per item)
- Cross-referenced with maintenance management
- Service level management / contract (y/n): gold, silver, less ...
- Inventory of all items (grouped, individually, types, locations, stock/warehouse, unique identifier, vendor)
Risk-based approach, again: which components are strategic in your organisation or production chain? Cross-references are key:
- What if a vendor is not operational anymore: which items are impacted?
- What if a key item is running out of its life cycle? Alternative product? Alternative supplier?
- In case of a quality issue with an item: where are those items located in our organisation / production facility?

Asset Management Foundation (Tooling) 2: Register of software and applications
- Cross-referencing supplier
- Cross-referencing with configuration data (key identifiers per software, tool, application)
- Patch management, configuration item DB: latest/active version, swift recovery
- Cross-referenced with maintenance or service level management
Related: CMDB, ITIL, business continuity management, disaster recovery, CIRT, communication, compromise management, termination management, ...

Asset Management Foundation (multi-layered): bottom-up and top-down approach. Identify the different layers, and the interdependencies between each layer:
1. Geographical site(s) location
2. Production facility / facilities: P&ID, PLC automation, technical networks
3. Process flow diagram
4. Electrical wiring diagram, cabinets, networks, power supply, remote controllers
5. ICT, IT network, cloud: architectural drawing, components, firewall, touchpoints
6. Geographical location
Keep in mind IEC/ISA 62443: a comprehensive cybersecurity standard specifically designed for Industrial Automation and Control Systems (IACS), making it essential for NIS2 compliance in OT environments.

Asset Management Foundation (layered) 1: production facility
- P&ID of your production facility
- Instrument index (cf. slide 9)
- PLCs and other automation devices (cf. slide 9)
- Software (versions) (cf. slide 10)
- Location
Note: to be used as a demo principle only. Keep in mind IEC/ISA 62443.

Asset Management Foundation (layered) 2: production facility
- Process flow diagram of your production facility
- Vessel index (cf. slide 9)
- PLCs and other automation devices (cf. slide 9)
- Software (versions) (cf. slide 10)
Note: to be used as a demo principle only. Keep in mind IEC/ISA 62443.

Asset Management Foundation (layered) 3: production facility
- Risk management
- Physical security
- Vulnerability assessment
- Business continuity management
- Disaster recovery management
Note: to be used as a demo principle only. Keep in mind IEC/ISA 62443.

Asset Management Foundation (layered) 4: ICT, network
- Site 1: remote access
- Site 2: remotely accessible
- Risk management
- Physical security
- Vulnerability assessment
- Business continuity management
- Disaster recovery management
Note: to be used as a demo principle only.

Asset Management Foundation (layered) 5: geographical location
- Xyz location: access roads, canals, railroads, airport
- Power supply (multiple providers)
- Telecom supply (multiple providers)
- Risk management
- Physical security
- Vulnerability assessment
- Business continuity management
- Disaster recovery management
Note: to be used as a demo principle only.

Project management- follow-up budget

Project management - follow-up: progress (#; area; status; budget)
Status stages per area: Specified (not started) / In draft, ready for review / Review (<organization>) / Rework edited / Final acceptance
Budget fields per area: Budget estimate: € / Actual: € / BAC: € / Variance: €
1. Vulnerability management: all status stages; all budget fields
2. Patch management: all status stages; all budget fields
3. Systemhärtung [system hardening]: all status stages; all budget fields
4. Fernzugang für Drittanbieter [remote access for third-party providers]: all status stages; estimate, actual, BAC, variance
5. Anforderungen an die Softwareentwicklungsprozesse [requirements for software development processes]: all status stages; estimate, actual, BAC, variance
6. Einsatz der kryptographischen Lösungen [use of cryptographic solutions]: Specified (not started), In draft, ready for review; estimate, actual, BAC
This is a concise example only, for demonstrative purposes. Note: to be used as a demo principle only.

Project management - follow-up: ownership (#; area; ownership; contact information)
1. Vulnerability management: <organization> (name, function/role, email); External - <organization> - partner / supplier company (name, function/role, email); service provider (name, function/role, email)
2. Patch management: <organization> (name, function/role, email); External - ENGIE - partner / supplier company (name, function/role, email); service provider (name, function/role, email)
3. Systemhärtung [system hardening]: <organization> (name, function/role, email); External - <organization> - partner / company (name, function/role, email); service provider (name, function/role, email)
This is a concise example only, for demonstrative purposes. Note: to be used as a demo principle only.

Risk-based approach: likelihood x consequences matrix (the number after each rating is the cell index as shown on the slide)
Consequences: INSIGNIFICANT | MINOR | MODERATE | MAJOR | CATASTROPHIC
- VERY LIKELY: MODERATE-7 | SIGNIFICANT-4 | HIGH-2 | EXTREME-2 | EXTREME-1
- LIKELY: LOW-2 | MODERATE-2 | SIGNIFICANT-2 | HIGH-1 | EXTREME-3
- POSSIBLE: LOW-4 | MODERATE-4 | MODERATE-1 | SIGNIFICANT-1 | HIGH-3
- UNLIKELY: LOW-7 | LOW-1 | MODERATE-5 | MODERATE-3 | SIGNIFICANT-3
- RARE: LOW-8 | LOW-6 | LOW-5 | LOW-3 | MODERATE-6
Note: to be used as a demo principle only.

(Diagram: ISMS scoping. Inputs: laws, regulations, contracts (Directive EU 2016/114, Directive EU 2016/1148); business case and scope; inventory. Standards: ISO 27001, ISO 27002, ISO 27003, ISO 27004, ISO 27005, ISO 22301, ISO 62443. Outputs: SoA, RTP.)

(Diagram: ISMS operational tooling. Information security management system with security policies, standards, procedures, processes and guidelines; management review reports 1-4; log files; BSC metrics; CSO; incident management (incident reports 1-3); business continuity management (BCP-S1 to BCP-S4, ISO 22301); ISMS internal audit (ISO 27004), internal audit reports, external audit reports.)

BASIC ISMS QMS Note: to be used as a demo principle, only

End Risk & issue communication and reporting tool Note: to be used as a demo principle, only

Progress status reporting Note: to be used as a demo principle, only

Focus on assets, and management of these assets: identify, determine, list (inventory), manage; life cycle management. Register fields:
- Tag id
- Installation year, month
- Condition rating
- Redundancy
- MTBF, MTTF, MTTR
- Recommended renewal / replacement year
- Cost of renewal; original item cost
- Criticality of item
- Provider; alternative product
- Instrument index
- Stock item; # available; stock location
- Version; id; patch
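As an added example (not part of the deck), the register and cross-reference queries that the "Asset Management Foundation (Tooling)" slides and the field list above call for, in Python: "which items are impacted if this vendor disappears", "which items run out of life cycle without an alternative", and a rating per item using the matrix from the "Risk Based approach" slide. Field names, sample items, vendors and years are constructed assumptions; only the matrix values come from the deck.

```python
"""Constructed asset register with the cross-references the deck asks for.

All records, vendors, versions and years below are invented sample data;
the rating matrix is the one shown on the "Risk Based approach" slide.
"""
from collections import Counter
from dataclasses import dataclass

# Scales exactly as labelled on the slide (rows and columns of the matrix).
LIKELIHOOD = ["RARE", "UNLIKELY", "POSSIBLE", "LIKELY", "VERY LIKELY"]
CONSEQUENCE = ["INSIGNIFICANT", "MINOR", "MODERATE", "MAJOR", "CATASTROPHIC"]
SEVERITY = ["LOW", "MODERATE", "SIGNIFICANT", "HIGH", "EXTREME"]

# Rows follow LIKELIHOOD (RARE first), columns follow CONSEQUENCE.
RISK_MATRIX = [
    ["LOW", "LOW", "LOW", "LOW", "MODERATE"],                    # RARE
    ["LOW", "LOW", "MODERATE", "MODERATE", "SIGNIFICANT"],       # UNLIKELY
    ["LOW", "MODERATE", "MODERATE", "SIGNIFICANT", "HIGH"],      # POSSIBLE
    ["LOW", "MODERATE", "SIGNIFICANT", "HIGH", "EXTREME"],       # LIKELY
    ["MODERATE", "SIGNIFICANT", "HIGH", "EXTREME", "EXTREME"],   # VERY LIKELY
]


def rate(likelihood: str, consequence: str) -> str:
    """Qualitative rating for one likelihood/consequence pair (ValueError on a typo)."""
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass
class Asset:
    """One register entry; the field layout is an assumption modelled on the slide."""
    tag_id: str                  # unique identifier
    description: str
    layer: str                   # deck layers: "plc", "network", "ict", "site", ...
    vendor: str
    installation_year: int
    renewal_year: int            # recommended renewal / replacement year
    criticality: str             # consequence of losing the item (CONSEQUENCE scale)
    failure_likelihood: str      # LIKELIHOOD scale
    software_version: str = ""
    alternative_product: str = ""
    alternative_supplier: str = ""
    stock_available: int = 0

    def risk_rating(self) -> str:
        return rate(self.failure_likelihood, self.criticality)

    def has_alternative(self) -> bool:
        return bool(self.alternative_product or self.alternative_supplier)


def vendor_impact(register, vendor):
    """'What if this vendor is not operational anymore?': impacted items, worst rating first."""
    hits = [a for a in register if a.vendor == vendor]
    hits.sort(key=lambda a: SEVERITY.index(a.risk_rating()), reverse=True)
    return [(a.tag_id, a.risk_rating()) for a in hits]


def end_of_life(register, horizon_year):
    """Items due for renewal by horizon_year, earliest first, with the alternative flag."""
    due = sorted((a for a in register if a.renewal_year <= horizon_year),
                 key=lambda a: a.renewal_year)
    return [(a.tag_id, a.renewal_year, a.has_alternative()) for a in due]


def eol_without_fallback(register, horizon_year):
    """Strategic gap list: due for renewal, no alternative product or supplier, no stock."""
    return sorted(a.tag_id for a in register
                  if a.renewal_year <= horizon_year
                  and not a.has_alternative() and a.stock_available == 0)


def rating_summary(register):
    """Count of items per rating, as input for the progress / status report."""
    return dict(Counter(a.risk_rating() for a in register))


# Constructed sample register (invented tags, vendors, versions and years).
REGISTER = [
    Asset("PLC-001", "Pump station 1 controller", "plc", "ExamplePLC BV",
          2009, 2024, "MAJOR", "LIKELY", software_version="fw 2.3"),
    Asset("PLC-002", "Dosing line controller", "plc", "ExamplePLC BV",
          2016, 2031, "MODERATE", "UNLIKELY", "fw 4.1", "Model X", "OtherVendor", 2),
    Asset("FW-001", "Site 1 perimeter firewall", "network", "ExampleNet",
          2019, 2026, "CATASTROPHIC", "POSSIBLE", "os 7.2", "NG series", "", 1),
    Asset("SRV-001", "Historian server", "ict", "ExampleSrv",
          2014, 2022, "MAJOR", "VERY LIKELY", "os 2012", "Historian v9", "ExampleSrv", 0),
]

if __name__ == "__main__":
    print("Ratings:", rating_summary(REGISTER))
    print("If ExamplePLC BV disappears:", vendor_impact(REGISTER, "ExamplePLC BV"))
    print("Renewal due by 2026:", end_of_life(REGISTER, 2026))
    print("Due, no fallback, no stock:", eol_without_fallback(REGISTER, 2026))
```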

Inside threats, outside threats (diagram reconstructed as a list): defence layers from the physical perimeter down to the data
- Physical / production facilities: buildings, operation rooms, control room, SCADA, tubing and network, motors, pump and valve controllers, remote access controllers, IoT, automation devices
- Perimeter security: perimeter firewall, IDS/IPS, secure DMZ, message security, honeypot, DLP, DHS Einstein
- Network security: enclaved data centre firewall, enterprise IDS/IPS, VoIP protection, inline patching, web proxy content filtering, NAC, enterprise message security, enterprise wireless security, enterprise remote security, DLP
- Endpoint security: desktop firewall, host IDS/IPS, endpoint security enforcement, FDCC compliance, patch management, DLP
- Application security: static application testing, code review, dynamic application testing, WAF, database monitoring and scanning, database secure gateway
- Data security: PKI, DAR/DIM protection, data wiping and cleansing, identity and access management, enterprise rights management, DLP, data classification, data integrity monitoring, data encryption
- Policy management (prevention): penetration testing, cyber threat intelligence, IT security governance, risk management, monitoring and response (operations), security awareness training, vulnerability assessment, security architecture and design, security policies and compliance
- Monitoring and response (operations): SIEM, escalation management, digital forensics, focused ops, SOC/NOC monitoring, security dashboard, CIRT, security SLA and reporting

Solution based on standards, frameworks, and more: asset categories (diagram reconstructed as a list)
- Intangible assets: knowledge, relations, trade secrets, licenses, patents, experience, corporate reputation, brands, commercial reputation, customer trust, competitive advantage, ethics, productivity
- Application software: proprietary tools, clients, business resource planning, information management, utilities, database tools, (e-)commerce applications
- Operating systems: servers, mobile and fixed devices, network devices
- Physical assets: buildings, data centres, offices, physical media, storage rooms, identification devices, security devices, operation rooms, production facilities, stock and warehouse, SCADA, automation (PLC), alarm and fire suppression equipment, metering devices, pumps and controllers, valves and controllers
- IT environment controls: uninterruptible power systems, power supply, A/C, filters, dehumidifiers, compressors, chillers
- IT hardware: storage devices, workstations, multifunctional equipment, laptops, tablets, smartphones, IoT devices, servers, modems, routers, network lines, communication devices
- IT services: user authentication services, process management, web services, software maintenance, support contracts, firewall, proxy servers, network services, wireless services, anti-spam, spyware protection, intrusion detection

End. End of this PowerPoint, but only the start of a great journey.

Published standards. The published ISO27K standards related to "information technology - security techniques" are:
- ISO/IEC 27000 — Information security management systems — Overview and vocabulary
- ISO/IEC 27001 — Information technology — Security techniques — Information security management systems — Requirements. The 2013 release of the standard specifies an information security management system in the same formalized, structured and succinct manner as other ISO standards specify other kinds of management systems.
- ISO/IEC 27002 — Code of practice for information security controls; essentially a detailed catalog of information security controls that might be managed through the ISMS
- ISO/IEC 27003 — Information security management system implementation guidance
- ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation
- ISO/IEC 27005 — Information security risk management
- ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on auditing the management system)
- ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on auditing the information security controls)
- ISO/IEC 27009 — Essentially an internal document for the committee developing sector/industry-specific variants or implementation guidelines for the ISO27K standards
- ISO/IEC 27010 — Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (derived from ITIL)

Published standards (continued)
- ISO/IEC 27014 — Information security governance
- ISO/IEC TR 27015 — Information security management guidelines for financial services (now withdrawn)
- ISO/IEC TR 27016 — Information security economics
- ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC TR 27019 — Information security for process control in the energy industry
- ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
- ISO/IEC 27032 — Guideline for cybersecurity
- ISO/IEC 27033-1 — Network security — Part 1: Overview and concepts
- ISO/IEC 27033-2 — Network security — Part 2: Guidelines for the design and implementation of network security
- ISO/IEC 27033-3 — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
- ISO/IEC 27033-4 — Network security — Part 4: Securing communications between networks using security gateways
- ISO/IEC 27033-5 — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
- ISO/IEC 27033-6 — Network security — Part 6: Securing wireless IP network access
- ISO/IEC 27034-1 — Application security — Part 1: Guideline for application security
- ISO/IEC 27034-2 — Application security — Part 2: Organization normative framework
- ISO/IEC 27034-6 — Application security — Part 6: Case studies

Published standards (continued)
- ISO/IEC 27035-1 — Information security incident management — Part 1: Principles of incident management
- ISO/IEC 27035-2 — Information security incident management — Part 2: Guidelines to plan and prepare for incident response
- ISO/IEC 27036-1 — Information security for supplier relationships — Part 1: Overview and concepts
- ISO/IEC 27036-2 — Information security for supplier relationships — Part 2: Requirements
- ISO/IEC 27036-3 — Information security for supplier relationships — Part 3: Guidelines for information and communication technology supply chain security
- ISO/IEC 27036-4 — Information security for supplier relationships — Part 4: Guidelines for security of cloud services
- ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27038 — Specification for digital redaction on digital documents
- ISO/IEC 27039 — Intrusion prevention
- ISO/IEC 27040 — Storage security
- ISO/IEC 27041 — Investigation assurance
- ISO/IEC 27042 — Analyzing digital evidence
- ISO/IEC 27043 — Incident investigation
- ISO/IEC 27050-1 — Electronic discovery — Part 1: Overview and concepts
- ISO/IEC 27050-2 — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery
- ISO 27799 — Information security management in health using ISO/IEC 27002; guides health industry organizations on how to protect personal health information using ISO/IEC 27002

In preparation Further ISO27K standards are in preparation covering aspects such as digital forensics and cybersecurity, while the released ISO27K standards are routinely reviewed and updated on a ~5 year cycle.