Scribd Logo
Upload

Welcome to Scribd!

  • 781 views

    NIS 2 and ISO 27001

    Uploaded by

    kaye
    NIS2 and ISo

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    NIS 2 and ISO 27001

    Uploaded by

    kaye
    781 views2 pages
    NIS2 and ISo

    Original Title

    NIS 2 and ISO 27001

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    NIS2 and ISo

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    781 views2 pages

    NIS 2 and ISO 27001

    Uploaded by

    kaye
    NIS2 and ISo

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 2

    NIS 2 Cybersecurity risk-management measures mapping to ISO 27001:2022

    1.0, 29.12.2022

    NIS 2 ISO 27001:2022


    General measures
    Article 21.2 a) 5.2 Policy
    Policies on risk analysis and 6.1.2 Information security risk assessment
    information system security 6.1.3 Information security risk treatment
    8.2 Information security risk assessment
    8.3 Information security risk treatment

    Annex A. Information security controls reference:


    • 5.1 Policies for information security
    Article 21.2 b) Annex A. Information security controls reference:
    Incident handling • 5.24 Information security incident management planning
    and preparation
    • 5.25 Assessment and decision on information security
    events
    • 5.26 Response to information security incidents
    • 5.27 Learning from information security incidents
    • 5.28 Collection of evidence
    • 6.8 Information security event reporting
    Article 21.2 c) Annex A. Information security controls reference:
    Business continuity, such as backup • 5.29 Information security during disruption
    management and disaster recovery, • 5.30 ICT readiness for business continuity
    and crisis management • 8.13 Information backup
    • 8.14 Redundancy of information processing facilities
    Article 21.2 d) Annex A. Information security controls reference:
    Supply chain security, including • 5.19 Information security in supplier relationships
    security-related aspects concerning the • 5.20 Addressing information security within supplier
    relationships between each entity and agreements
    its direct suppliers or service providers • 5.21 Managing information security in the ICT supply chain
    • 5.22 Monitoring, review and change management of
    supplier services
    • 5.23 Information security for use of cloud services
    Article 21.2 e) Annex A. Information security controls reference:
    Security in network and information • 5.37 Documented operating procedures
    systems acquisition, development and • 8.8 Management of technical vulnerabilities
    maintenance, including vulnerability • 8.9 Configuration management
    handling and disclosure
    • 8.20 Network security
    • 8.21 Security of network services
    Article 21.2 f) 9.1 Monitoring, measurement, analysis and evaluation
    Policies and procedures to assess the 9.2 Internal audit
    effectiveness of cybersecurity risk- 9.3 Management review
    management measures
    Annex A. Information security controls reference:
    • 5.35 Independent review of information security

    by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001


    www.patreon.com/AndreyProzorov
    NIS 2 Cybersecurity risk-management measures mapping to ISO 27001:2022
    1.0, 29.12.2022

    Article 21.2 g) 7.3 Awareness


    Basic computer hygiene practices and 7.4 Communication
    cybersecurity training
    Annex A. Information security controls reference:
    • 6.3 Information security awareness, education and training
    Article 21.2 h) Annex A. Information security controls reference:
    Policies and procedures regarding the • 8.24 Use of cryptography
    use of cryptography and, where
    appropriate, encryption
    Article 21.2 i) Annex A. Information security controls reference:
    Human resources security, access • 6.1 Screening
    control policies and asset management • 6.2 Terms and conditions of employment
    • 6.4 Disciplinary process
    • 6.5 Responsibilities after termination or change of
    employment
    • 6.6 Confidentiality or non-disclosure agreements

    • 5.15 Access control


    • 5.16 Identity management
    • 5.17 Authentication information
    • 5.18 Access rights

    • 5.9 Inventory of information and other associated assets


    • 5.10 Acceptable use of information and other associated
    assets
    Article 21.2 j) Annex A. Information security controls reference:
    The use of multi-factor authentication • 5.16 Identity management
    or continuous authentication solutions, • 5.17 Authentication information
    secured voice, video and text • 5.14 Information transfer
    communications and secured
    emergency communications systems
    within the entity, where appropriate
    Other
    Article 21.3 Annex A. Information security controls reference:
    Secure development procedures • 8.25 Secure development life cycle
    • 8.26 Application security requirements
    • 8.27 Secure system architecture and engineering principles
    • 8.28 Secure coding
    • 8.29 Security testing in development and acceptance
    • 8.30 Outsourced development
    • 8.31 Separation of development, test and production
    environments
    • 8.32 Change management
    • 8.33 Test information
    Article 21.4 10.2 Nonconformity and corrective action
    Appropriate and proportionate
    corrective measures
    (if not comply)

    by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001


    www.patreon.com/AndreyProzorov

    You might also like