The EU has implemented a range of regulations aimed at strengthening its cybersecurity posture. In this context, the ISO/IEC 27001 standard offers a comprehensive framework for managing and safeguarding sensitive information, such as personal data.
Amongst others, the webinar covers:
• Quick recap on the ISO/IEC 27001:2013 & 2022
• ISO/IEC 27001 vs legislation
• The EU Cyber Legislation landscape
• Some considerations and consequences
• How to stay on top of the ever-changing context
Presenters:
Peter Geelen
Peter Geelen is the director and managing consultant at CyberMinute and Owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access management, but also privacy, information & data protection, cyber- and cloud security. In the last few years, his focus has been on ISO/IEC 27001 and other ISO certification mechanisms. Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified ISO/IEC 27701 lead implementer and lead auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 lead manager, ISO/IEC 27701 Lead Implementer, cDPO, Risk management, Lead Incident Mgr., Disaster Recovery, and many more.
Jean-Luc Peters
Jean-Luc Peters brings 25 years of IT technology, information and cybersecurity expertise to boards, executives, and employees. From a young age he has held management positions in the private and government sector. He is currently the Head of the Cyber Emergency Response Team for the National Cybersecurity Authority in Belgium. In addition to this, he is also a trainer, coach and trusted advisor focusing on enhancing cyber resilience.
Jean-Luc has helped in the technical implementation of the NIS 1 (Network and Information Security) Directive transposition in Belgium, defining the Baseline Security Guidelines governmental ISMS framework and many other projects. He holds several certifications, including ISO/IEC 27001 Lead Implementer, ISO/IEC 27005 Auditor, CISSP, GISP, PRINCE2 Practitioner, ITIL, etc.
Date: May 31, 2023
Tags: ISO, ISO/IEC 27001, Information Security, Cybersecurity
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/rsjwwF5zlK8
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regulations?.pptx
2. Agenda
• Quick recap on the ISO/IEC 27001:2013 & 2022
• ISO/IEC 27001 vs legislation
• The EU Cyber Legislation landscape
• Some considerations & consequences
• How to stay on top of the ever-changing context
• Take aways
7. Most important changes (*)
• Main structure change
• From: operational security, functional organization (A.5 through A.18)
• To: PPPT (3PT)
• Process & Policies (organizational) (A.5)
• People (A.6)
• Physical (A.7)
• Technological (A.8)
ISO/IEC 27001:2022
8. Important to know
• From 114 (v2013) to 93 (v2022) controls
• But no controls removed
• Consolidation & updates of controls
• ISO/IEC 27002:2022 Annex B
• Table B.1 mapping 2022>2013
• Table B.2 mapping 2013>2022
• 11 new controls
ISO/IEC 27001:2022
9. Update with increased focus on
• Data protection
• Cloud security
• Cyber security
ISO/IEC 27001:2022
10. Legal & regulatory in the ISO Standard
ISO/IEC 27001:2013
• Clause 4.1 Understanding the organization and its context
• Clause 4.2 Understanding the needs and expectations of interested parties
• Clause 6 & 8 Risk management
• A.18.1 Compliance with legal and contractual requirements
ISO/IEC 27001
11. Legal & regulatory in the ISO Standard
But also
• A.14 System Acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Incident Management
• A.17 Information Security aspects of Business Continuity Management
ISO/IEC 27001:2013
12. Legal & regulatory in the ISO Standard
ISO/IEC 27001:2022
• Clause 4.1 Understanding the organization and its context
• Clause 4.2 Understanding the needs and expectations of interested parties
• Clause 6 & 8 Risk management
• A.5.31 Legal, statutory, regulatory and contractual requirements
ISO/IEC 27001
13. Legal & regulatory in the ISO Standard
But also
• System Acquisition, development and maintenance
• A.8.26 Application security
• A.8.27 Secure system architecture
• A.8.28 Secure coding
• A.8.29 Security testing
• Supplier relationships
• A.5.19 Information Security in supplier relationships
• A.5.20 Security in supplier agreements
• A.5.21 Supply chain
• Incident Management
• A.5.24 Incident management planning and preparation
• A.5.25, A.5.26, A.5.27 Assessment, response and learning from incidents
• A.5.28 Collection of evidence
• Business Continuity Management
• A.5.29 Information security during disruption
ISO/IEC 27001:2022
14. Legal & regulatory in the ISO Standard
But also
• Business Continuity Management
• A.5.29 Information security during disruption
• A.5.30 ICT readiness for BC
Don't forget
• A.5.4 Management responsibility
• A.5.8 Threat intelligence
• A.5.9 Inventory of information and other assets
ISO/IEC 27001:2022
15. More info
• PECB Webinar: ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know:
https://pecb.com/past-webinars/isoiec-27001--isoiec-270022022-what-you-need-to-know
• PECB Magazine: How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001
https://insights.pecb.com/how-does-the-new-revision-of-iso-iec-27002-affect-iso-iec-27001/
ISO/IEC 27001:2022
17. Best practice vs law
Best practices
• Free choice (*)
• Lots of choices
• Specific to activity, sector, region, …
• Scoping possible
• Certification options (ref. ISO)
Law
• Must
• No choice
• Scope is defined and fixed by authority
Best practices vs. legislations
18. How they influence each other
• Information security
• Privacy
• Data protection
• Cybersecurity
• Cloud security
Intersection of data protection, privacy & cyber
21. Regulation vs Directive
“Regulation”
• a binding legislative act
• immediately applicable in its entirety in all Member States
• overrules national laws.
• examples: GDPR
“Directive”
• a legislative act setting objectives
• all EU countries must translate into national legislation
• within a defined time frame (2 years)
Types of legislations
22. Other useful regulatory documents
Recommendations & Advisories
• ENISA,
• EDPB
• Working groups, …
Opinions & interpretations
Jurisprudence
• Results of legal court cases
Types of legislations
23. Other useful regulatory documents
Strategy documents by
• EC (European Commission)
• …
Types of legislations
24. What does the legislation apply to?
Scope of legislations
• Technology
• Offerings & processes
• People
• Mgmt systems
25. What does the legislation apply to?
Technology, process-offer, people
• Securing products, what you do
• Security by design
• Security by default
• CE
(Cyber)security process implementation (management system)
• How you do it
• Process management
• Management system
• PDCA
Scope of legislations
27. A small note before we dive into cyber
• GDPR
• = Data protection as driver and example for cyber
There is no data protection without cybersecurity
EU legislation
28. The most prominent
• NIS 1 (2018, active, to be decommissioned)
• https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new
• NIS 2 (starting, taking over NIS 1)
• CER
Focus: security measures for a high common level of cybersecurity across the Union
EU Cyberlegislation
29. But also
• Cyber Act
• Security by design
• Security requirements for
• Products
• Offerings (services)
• People
• Ref. ISO 17065
EU Cyberlegislation
30. And …
• DORA (Resilience for Finance sector)
• DSA (Digital Service Act)
• DMA (Digital Market Act)
• DGA (Data Governance act)
• eIDAS Regulation
• Regulation on electronic identification and trust services (EIDAS)
• …
EU Cyberlegislation
31. And also
• Artificial Intelligence Act (AI act)
• ePrivacy directive
• ECC (European Communications Code)
• …
EU Cyberlegislation
34. Cybersecurity directive
• NIS “1” Directive
• on security of network and information systems (Directive (EU) 2016/1148)
• into force in August 2016 as the 1st horizontal EU cybersecurity legal act
• transposed in various national laws with many variations
• valid till October 2024
• boost the overall level of cybersecurity in the EU
• support cross-border communications
• applies to operators of essential services and digital service providers
NIS 1 Directive
35. Sectors (minimum!)
• Energy
• Transport
• Banking
• Financial market infrastructures
• Health sector
• Drinking water supply and distribution
• Digital infrastructure (IXP, DNS)
“Special case: Digital service providers”
NIS 1 Directive
36. Challenges
After 5 years of experience, important lessons are to be drawn:
• implementation proven difficult
• fragmentation on national level
• limited in scope
• difficult enforcement
• Cyberthreats significantly increased
• society interconnectedness and dependence increased
NIS 1 Directive challenges
37. NIS 2 is NIS 1 on « steroids »
• Main ambition
• national governments to pay due attention to cybersecurity
• strengthen European cooperation among cyber authorities
• strengthen the security requirements
• more sectors included (incl. government…)
• harmonize rules to identify the “entities”
• clarify incident reporting notifications
• strengthen the supply chain security
• streamline reporting obligations
• introduce harmonized sanctions
After NIS 1 guess what NIS 2
38. Cybersecurity directive
a comprehensive legal framework intended to bolster cybersecurity
• Directive (EU) 2022/2555: measures for a high common level of cybersecurity across the Union – approved by council/parliament 14 December 2022
• Will replace the “NIS 1 Directive”
• Needs to be transposed in each EU country by 17 October 2024
NIS 2
39. General identification principles
• operates in one of the (sub)sectors and types of services listed in the annexes of the Directive,
and
• is of a certain size
• Overall turnover and number of people
But the devil is in the “regulation” hidden
NIS 2
40. The concept of important vs essential entities – general principles
• “forget the concept of Operators of essential services”
• You fall in the scope = designated as either ‘essential entities’ or ‘important entities’…
• criteria met? => you shall comply.
• Member states can designate additional entities
• Essential entities are larger SMB companies that are part of the sectors of high criticality (Annex I)
• >= 250 employees OR 50 M€ turnover OR balance sheet > 43 M€ (and Annex I)
• Important entities
• All Annex II or
• >= 50 employees OR > 10 M€ and Annex I
NOTE: Member states can designate additional “entities”
all medium-sized and large organizations must meet NIS 2
NIS 2
41. Various NIS 2 sectors
NIS 2 Differences
Annex 1: The sectors of high criticality
Annex 2: Other critical sectors
42. Obligations
What will be expected from NIS 2 « Entities »?
• Notifications of incidents
• Accountability > Management responsibility, incl.
• Threat intel
• Management system
• Risk management – and security measures
• Supply chain
all large and medium-sized organizations must meet NIS 2
43. Incident notification art. 23
NIS 2
Required for incidents
• With significant impact on the provision of their services
• compromising the availability, authenticity, integrity or confidentiality
• of stored, transmitted or processed data or
• of the services offered by, or accessible via, network and information systems.
An incident is significant if:
(a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
44. Incident notification art. 23 - 30
Significant incidents must now be reported to the National authority or CSIRT in 3 stages:
• an early warning within 24 hours
• a full notification within 72 hours (similar to the GDPR)
• a final report within the month
Notify Customers
Voluntary notification of other incidents, threats, prevented incidents
NIS 2
[Diagram: Essential entities / Important entities → Significant impact incident → National CSIRT / Recipients → Information sharing → Other sectors / Other Member States → Cross-border impact]
45. Management responsibility/accountability
NIS 2
Essential and important entities' management body must (art. 20):
• approve the cybersecurity risk management measures
• oversee cybersecurity measures implementation
• follow cybersecurity training
• offer cybersecurity training to all employees on a regular basis
• be liable for non-compliance (accountability)
• Professional liability – fines – right to exercise…
• Fines
46. Risk management measures (art. 21)
NIS 2
Principles:
• All hazard approach
• Proportionate to risk, size, cost, impact & severity of incidents
• State of the art or international standards
Measures:
• Risk analysis & information system security
• Incident handling
• Business continuity measures (back-ups, disaster recovery, crisis management)
• Supply chain security
• Security in acquisition, development and maintenance
• Policies to assess the effectiveness of the other measures
• Basic computer hygiene and trainings
• Policies on appropriate use of cryptography and encryption
• Human resource security
• Use of multi-factor authentication, secured voice/video/text communication & secured emergency communication
47. Supervision (Art. 31-32)
General aspects concerning supervision and enforcement
• supervisory or enforcement measures
• imposed on essential entities
• to ensure they are effective, proportionate and dissuasive.
• supervise and take the measures necessary to ensure compliance.
• prioritisation shall be based on a risk-based approach.
• the competent authorities have appropriate powers to carry out such tasks with operational independence vis-à-vis the public administration entities supervised.
NIS 2
48. Supervision and penalties
• Essential entities are large companies that are part of the sectors of high criticality (Annex I)
• >= 250 employees OR 50 M€ (and Annex I)
• very likely much more stringent security measures
• will be more tightly controlled
• bigger fines than important entities.
• EUR 10 000 000 or 2 % worldwide annual turnover (undertaking of the essential service)
• Important entities
• All Annex II or
• >= 50 employees OR > 10 M€ and Annex I
• Less stringent security measures.
• reactive supervision by authorities
• “lower financial” penalties
• EUR 7 000 000 or 1.4 % yearly worldwide turnover
NIS 2
49. Interesting challenges
• how to align and ensure (a kind of) harmonisation of the security measures imposed on entities in the different EU countries
• special attention for Digital infrastructure and ICT service management (art. 21.5)
• Implementing act by 17/10/2024 on the technical and methodological requirements of the security measures
• handling the increase in incident notifications
• oversight/supervision alignments
• management responsibility
NIS 2
50. Annex 1 – consolidated overview
NIS 2 Overview
Courtesy: Centre for Cyber Security Belgium https://ccb.belgium.be/en/nis-2-directive-what-does-it-mean-my-organization
51. Annex 1 – Special Cases
NIS 2 Overview
Courtesy: Centre for Cyber Security Belgium https://ccb.belgium.be/en/nis-2-directive-what-does-it-mean-my-organization
52. Annex 2- Other Critical sectors
NIS 2 Overview
Courtesy: Centre for Cyber Security Belgium https://ccb.belgium.be/en/nis-2-directive-what-does-it-mean-my-organization
53. One way to map NIS 2 – ISO 27001/27002 - NIST
Example: CyberSecurity fundamentals from the Centre for Cybersecurity Belgium:
https://ccb.belgium.be/en/cyberfundamentals-framework
NIS 2 – Take a Solid basis. Map it towards standards
54. Linked to other EU legislative initiatives
The NIS 2 Directive is closely linked to two other initiatives:
• Critical Entities Resilience (CER) Directive (Directive (EU) 2022/2557)
• Digital Operational Resilience Act (DORA)
The NIS 2 and CER Directives have aligned their scopes to address the physical and cyber resilience of critical entities comprehensively.
NIS 2
55. NIS 2 and CER Critical Entities Resilience Directive (CER)
CER (Directive (EU) 2022/2557): Strengthens the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage.
Eleven sectors:
1. energy,
2. transport,
3. banking,
4. financial market infrastructures,
5. health,
6. drinking water,
7. wastewater,
8. digital infrastructure,
9. public administration,
10. space and
11. food.
CER - Critical Entities Resilience Directive
56. NIS 2 and CER
Critical entities identified under the CER Directive will be subject to NIS 2 cybersecurity obligations.
Cooperation and information exchange will happen between the competent authorities on risks, cyber threats, incidents, and non-cyber risks.
Critical Entities Resilience Directive
57. More info
NIS1 directive:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:194:FULL
NIS 2 directive:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555&from=EN
CER ( resilience of critical entities):
https://eur-lex.europa.eu/eli/dir/2022/2557/oj
Visual and recap NIS 2 from the CCB:
https://ccb.belgium.be/en/nis-2-directive-what-does-it-mean-my-organization
CyberFundamentals:
https://ccb.belgium.be/en/cyberfundamentals-framework
NIS 2 & CER
59. Take aways (most important attention points)
• DORA = Digital Operational Resilience Act
• Focus = Financial institutions
• Published 27/dec/2022
• Together with NIS 2
DORA
60. Take aways (most important attention points)
• Published with NIS 2
• Into force since January 2023
• The new CER Directive replaces the European Critical Infrastructure Directive of 2008.
• 3 priority areas: preparedness, response and international cooperation.
• Encourages stress tests of entities operating critical infrastructure, with the energy sector as a priority.
Cyber resilience (CER)
61. Take aways (most important attention points)
• electronic identification and trust services
• range of services that include verifying the identity of individuals and businesses online and verifying the authenticity of electronic documents…
• https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
eIDAS regulation
62. A more comprehensive list of other relevant legislation
• See event collateral page:
https://www.linkedin.com/pulse/pecb-event-collaterals-how-can-isoiec-27001-help-align-geelen/
• Sourced from
• Understanding Cybersecurity in the European Union by Georg Philip Krog:
https://www.linkedin.com/feed/update/urn:li:activity:7041393711456378881/
• Overview of the EU regulatory landscape by Nicolas Ameye:
https://www.linkedin.com/posts/nicolasameye_eu-regulatory-landscape-activity-7048535621560082432-rUHI/
More of it
68. Think about
• Scan and discover legislation
• (Regularly) evaluate impact on your business
• Keep documentation on evaluated legislation
• Keep informed
• Update on a regular basis
How to stay on top
69. Think about
• Contracts
• Procedures
• Internal
• External (3rd party)
• Right to audit
How to stay on top
70. Think about
• NDA (non-disclosure agreement)
• Staff / Personnel
• Suppliers
• Contractors
• Customers
• Prospects
• visitors
How to stay on top
71. Think about
• Responsible disclosure
• Staff / Personnel
• Suppliers
• Contractors
• Customers
• Prospects
• visitors
How to stay on top
72. Think about
• Setting up an ISMS, with support & integration of
• Best practices
• ISO
• NIST
• CIS controls
• IoT, IEC 62443…
How to stay on top
74. Key Take Aways
The most important action points
• Know your context
• Know the system, process, people & data you manage
• Build & maintain a legal reference list
• Manage
• Manage your supply chain security
• Contracts
• Responsibility & accountability
• Operations
• Enable Right to audit
75. Key Take Aways
The most important action points
• Know your context
• Know the system, process, people & data you manage
• Build & maintain a legal reference list
• Implement Security by design & security by default
• Implement Information security management system
• Manage your supply chain security
• Contracts
• Responsibility & accountability
• Operations
• Enable Right to audit
76. Key Take Aways
The most important action points
• Ask for help if it's not your cup of tea
77. Key Take Aways
Find the standard and framework that fits your need
• Check the Secure Controls framework
https://securecontrolsframework.com/
• Mapping various best practices to standards and frameworks, incl.
• Various ISO standards
• NIST
• CIS
• …
79. Reference material
PECB Webinars
• PECB Webinar: ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know:
• https://pecb.com/past-webinars/isoiec-27001--isoiec-270022022-what-you-need-to-know
• PECB Magazine: How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001
• https://insights.pecb.com/how-does-the-new-revision-of-iso-iec-27002-affect-iso-iec-27001/
80. Reference material
PECB Webinars
• General link: https://pecb.com/en/webinars
• https://pecb.com/past-webinars
• Search for
• ISO/IEC 27001
• ISO/IEC 27002
81. Reference material
Other references, see LinkedIn page:
https://www.linkedin.com/pulse/pecb-event-collaterals-how-can-isoiec-27001-help-align-geelen/
82. Reference material
Overview of EU cyber legislation
Original blog post with reference list:
https://identityunderground.wordpress.com/2023/04/03/overview-of-cybersecurity-relevant-european-laws-directives-regulations-and-policies/
Understanding Cybersecurity in the European Union (by Georg Philip Krog)
https://www.linkedin.com/feed/update/urn:li:activity:7041393711456378881/
Overview of the EU regulatory landscape in graphics (by Nicolas Ameye)
https://www.linkedin.com/posts/nicolasameye_eu-regulatory-landscape-activity-7048535621560082432-rUHI/
87. Relevant Training
PECB ISO/IEC 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
88. Relevant Training
PECB ISO/IEC 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
89. Relevant Training
PECB ISO/IEC 27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
90. Relevant Training
PECB ISO/IEC 27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager