NIS Directive and ISO 27001: The considerations of using your ISO certification as the foundation of your NISD compliance

Post on 22-May-2020


Protection Group International Ltd | Email: [email protected] | Call: +44 (0) 207 887 2699

Author: Protection Group International © 2019

Contents:

Introduction

NISD principles

NISD structure

What do Operators think?

NISD and ISO

The PGI approach

Glossary

CA - Competent Authority

CAF - Cyber Assessment Framework

CSIRT - Computer Security Incident Response Team

NCSC - National Cyber Security Centre

NISD - Network Information Security Directive

NIST - National Institute of Standards and Technology

OES/Operators - Operator of Essential Services

SPOC - Single Point of Contact

Introduction

This paper discusses the NIS Directive framework and examines the risks and benefits of using the ISO 27001 standard as the framework for compliance under the Directive.

About the NISD

The EU Network and Information Systems Directive (NISD) came into force in the UK in May 2018. Following a period of consultation, the UK’s Technical Authority, the National Cyber Security Centre (NCSC), issued guiding principles for NIS Competent Authorities (CAs) and Operators of Essential Services (Operators) to implement within their sectors.

The Directive and the resulting NCSC guidance aim to raise the overall network and information security, resilience and capabilities of the UK’s Operators of Essential Services and to promote a culture of heightened risk management and incident reporting.

Under the Directive, the NCSC operates as the UK’s CSIRT (Computer Security Incident Response Team) and provides technical guidance and advice to CAs and Operators.

The NCSC’s guidance promotes an outcome-based approach through the provision of a Cyber Assessment Framework (CAF). The CAF provides CAs and Operators with four high-level objectives, 14 principles and 39 outcomes; the objectives and their principles are set out as statements in the table below.

The CAF is sector-agnostic but provides a standard baseline and a set of meaningful targets for Operators, as well as clear outcomes for CAs to measure performance and maturity against.

NISD principles

Objective A: Managing Security Risk
Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services.
• A1. Governance
• A2. Risk management
• A3. Asset management
• A4. Supply chain

Objective B: Protecting against cyber attacks
Proportionate security measures are in place to protect essential services and systems from cyber-attacks.
• B1. Service protection policies and processes
• B2. Identity and access control
• B3. Data security
• B4. System security
• B5. Resilient network and systems
• B6. Staff training and awareness

Objective C: Detecting cyber security events
Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.
• C1. Security monitoring
• C2. Proactive security event discovery

Objective D: Minimising the impact of cyber incidents
Capabilities to minimise the impact of a cyber security incident on the delivery of essential services, including the restoration of those services where necessary.
• D1. Response and recovery planning
• D2. Lessons learned

NISD structure

NCSC have devolved regulatory compliance to CAs for each of the industry sectors they regulate. The CAs act as the primary escalation and reporting point for all incidents categorised under NISD and should maintain incident management capabilities to investigate the causes of an incident. However, NCSC—as the UK’s CSIRT—has also advised that it would be prudent to ensure that it is also notified in the event of an incident.

Due to sector-specific intricacies, each of the Operators within the industry sectors identified by NISD may be subject to additional controls and guidance issued and published by their CA, acting as the regulator for that sector. Specifically, CAs have responsibility for:

• Ensuring that the NCSC guidance is tailored for each industry sector and implemented within each Operator.

• Monitoring and oversight of NIS implementation within its sector to assure compliance with the Directive.

It is the role of the Operators—in conjunction with the CA—to determine the most appropriate security measures and manage their implementation. NCSC have advised that it is the purview of the CAs to provide this specialised sector advice and ensure that the control measures are being met. Each CA has released additional control and implementation guidance for the Operators.

The NISD, and its corresponding guidance and CAF, make no assumptions about how the principles and their desired outcomes will be achieved.

[Figure: NISD structure. Levels, from the top down: EU NIS Directive; UK NISD Regulations (UK legislative requirement); NCSC Guidance and CAF (NCSC as UK Technical Authority, UK CSIRT and SPOC); Competent Authorities as regulatory bodies for Health, Digital Infrastructure, Drinking Water, Transport and Energy; Operators of Essential Services (OES) for Gas, Oil, Electricity, Air, Rail, Water, Road, Drinking water supply and distribution, Digital Infrastructure and Healthcare.]

What do Operators think?

Consultation on the potential effects of implementation on Operators was undertaken with industry experts. From this, several valid concerns were raised by industry specialists on how the implementation of the Directive would work in practice. In particular, there are two key areas in which Operators may need to consider their approach more carefully.

Supply chain

Firstly, concerns have been raised over how NISD will apply to the supply chain. The government has published the results of its consultation, which state that it is the responsibility of the Operators to ensure that their suppliers have appropriate measures in place to manage their risk and implement controls in line with the Directive’s guidance. NISD does not apply directly to suppliers and the CA will not be auditing their compliance; therefore it is the direct responsibility of the Operators to ensure that their supply chain is adhering to the guidance. Failure to implement supply chain controls introduces an undue risk into the Operator’s environment and means that the risk is not appropriately shared or controlled.

Sector | Subsector | Designated competent authority

Energy | Electricity | Department for Business, Energy & Industrial Strategy and the Gas and Electrical Markets Authority (acting jointly); The Department for Finance (Northern Ireland)

Energy | Oil | Department for Business, Energy & Industrial Strategy; The Department for Finance (Northern Ireland)

Energy | Gas | Department for Business, Energy & Industrial Strategy and the Gas and Electrical Markets Authority (acting jointly); The Department for Finance (Northern Ireland)

Transport | Air Transport | Department for Transport and The Civil Aviation Authority (acting jointly)

Transport | Rail Transport | Department for Transport; The Department of Finance (Northern Ireland)

Transport | Water Transport | Department for Transport

Transport | Road Transport | Department for Transport; The Scottish Ministers (Scotland); The Department of Finance (Northern Ireland)

Health Sector | Health care settings (including hospitals, private clinics and online settings) | Department for Health; The Welsh Ministers (Wales); The Scottish Ministers (Scotland); The Department of Finance (Northern Ireland)

Drinking water supply and distribution | Drinking water supply and distribution | Department for Environment, Food and Rural Affairs; The Welsh Ministers (Wales); The Drinking Water Quality Regulator for Scotland (Scotland); The Department of Finance (Northern Ireland)

Digital Infrastructure | Digital Infrastructure | Office of Communication

Scope of the controls

The government consultation process revealed that 71% of respondents thought the Directive would impose additional costs on their organisations. This response indicates that Operators may believe there is a gap between the controls currently applied within their environment and the controls as they should be applied to the new scope of the Directive.

From the consultation, Operators were asked to elaborate on what they believed these further costs would comprise. The overwhelming response was that staffing would need to be increased to deal with the Directive’s additional demands, e.g. recruitment of additional staff and improvement of staff training.

Respondents also indicated that the purchase of new software and additional infrastructure would be required to remain compliant with the Directive’s outcomes. The final issue related to an increased cost in governance and compliance—specifically the additional monitoring and controls—needed to meet the security requirements of the Directive’s outcomes.

• Government response to public consultation

• Analysis of responses to public consultation

NISD and ISO 27001

The NCSC Guidance, and its Cyber Assessment Framework, is closely aligned with ISO 27001, which is considered best practice. As such, many Governance, Risk and Compliance specialists argue, with good justification, that an implementation of a robust Information Security Management System aligned to ISO 27001 will provide adequate controls to meet the requirements of the Directive.

Based on this, many organisations may be planning to implement the ISO 27001 framework to demonstrate compliance to the Directive as the guidance aligns many of the principles to ISO 27001 and NIST controls. This would appear to be a sensible approach to tackling the problem of increased regulatory control.

However, the government’s response to the consultation on NISD, while acknowledging the value of existing cyber security standards, states that there is no single existing standard that adequately covers the NISD in full.

So, what are the benefits and potential issues that Operators need to consider when using ISO 27001 as an implementation framework for NISD?

Benefits

There are many benefits to an organisation structuring its compliance controls under the Directive around existing security frameworks. Firstly, the Guidance issued by NCSC clearly aligns the principles of the Directive to control measures within ISO 27001. Secondly, the framework is designed to integrate into existing business practices and provide an infrastructure within which to manage risk, whilst providing the core policies, processes, procedures and technical control standards required to reduce an organisation’s risk profile to a level which is tolerated by the business.

Issues

The potential issues with aligning to an ISO model mainly concern scope and risk tolerance levels. Within ISO 27001, the organisation can self-determine the scope to which the standard’s controls apply. For example, in some organisations this may mean that the scope of the ISO 27001 certification is limited to a certain business line, process or system. However, under the Directive, the applicable scope may be much broader, and operational parts of the business may need to be brought under the controls.

Like all information security implementations, this can result in a requirement for additional overheads, including staff and technology, and a requirement to broaden the scope of any internal Governance, Risk and Compliance teams. This approach invariably also entails the installation of new monitoring and security infrastructure which, of course, also comes with additional overheads.

Organisations may also have to revisit their risk management framework because NISD may require a lower risk tolerance level than the organisation currently employs. Where an organisation’s risk appetite is such that it would normally accept a level of risk, or prioritise mitigation, this appetite may need to be reviewed for NISD. The existing risk management framework may need to be reviewed to match the risk appetite expected by the CAs and NISD, so particular risks may require the further application of controls to reduce the risk level to one which is acceptable and aligned to the Directive’s principles and outcomes.

The organisation may also have to examine its incident reporting and response functions. This will ensure that any incidents that occur are reported in a timely manner to the CA and that there is an appropriate function and process in place for assisting the CA if post-incident analysis is required.

The PGI approach

An information security risk assessment is an integral and critical part of the information security risk management process. So, what is a sensible, pragmatic and effective way to tackle this potential gap and understand how your organisation currently fares against the principles of the Directive?

PGI’s approach entails a practical consultative engagement. Our cybersecurity consultants examine the organisation’s current information and cybersecurity structure and controls to benchmark them against the guidance issued by NCSC and the Operator’s Competent Authority. PGI uses its proprietary maturity model to provide an organisation with a roadmap to address any gaps in its maturity and provide expert consultative advice on how to achieve the principles and outcomes of the Directive.

PGI also work with Operators to confirm that the scope of the controls is wide enough to align with the Directive and that the risk management process and risk assessments are reviewed to ensure that they are reflective of any new risk appetites that may need to be considered.

Protection Group International
Email: [email protected]
Call: +44 (0) 207 887 2699