How can compliance teams prepare for NIS 2?
Despite the limited guidance available, there is a lot of work for compliance teams to do.
Firstly, they should carry out a mapping exercise: update the organisation's risk assessments, inventory the controls and frameworks already in place, and map each NIS 2 obligation to the control that meets it (or note that nothing does). As experts in guiding businesses through compliance, we find that employees working in the affected areas usually have a good understanding of what the challenges are and where the organisation should be making improvements, so the exercise should involve them rather than be done to them.
With this clearer risk picture, teams should then prioritise actions and allocate resources according to the level of risk each gap poses to the organisation, rather than working through the obligations in list order.
Basic cyber hygiene, awareness and training are areas that require a lot of work but are vital for resilience. Strong cyber hygiene (patching, multi-factor authentication, least-privilege access, backups and phishing awareness) helps prevent security breaches and stops attackers from installing malware and stealing personal data. Every employee needs to understand basic cyber hygiene practices and their role in protecting and maintaining the organisation's IT systems and devices. This makes incident response quicker and more efficient and provides an immediate first line of defence against attacks.
If compliance teams have the time and capacity, implementing the controls of a standard such as ISO/IEC 27001 would also be a worthwhile undertaking. We see a lot of new EU legislation encourage organisations to demonstrate compliance through EU and international standards. NIS 2 does the same: Article 25 (Standardisation) requires Member States to encourage the use of European and international standards and technical specifications for the security of network and information systems.