The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
Effective security of network and information systems should be driven by organisational management and corresponding policies and practices. There should be clear governance structures in place with well-defined lines of responsibility and accountability for the security of network and information systems.
Senior management should clearly articulate unacceptable impacts to the business (often called risk appetite), which should take into account the organisation’s role in the delivery of essential services, so decision makers at all levels can make informed decisions about risk without constantly referring decisions up the governance chain.
There should be an individual(s) who holds overall responsibility and is accountable for security. This individual is empowered and accountable for decisions regarding how services are protected. For small organisations, the governance structure can be very simple.
Your organisation’s approach to security governance needs to be an appropriate fit for your organisation. Good security governance is integrated with your business’s usual decision making structures and processes.
Decisions about risk can be made at all levels of your organisation when delegated effectively to people with the right security, business and technical knowledge, skills and experience. Clear lines of communication are also necessary.
Risk management standards
Following a standardised risk management approach can help in achieving good cyber security governance. There are many such standards to choose from. Some of the most well-known for NIS sectors are:
An Information Security Management System can aid governance of cyber security risk
An Information Security Management System (ISMS) is a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed. Traditionally an ISMS is considered to be an information risk management system, however it can be used to manage cyber security risks to essential services.
A properly scoped and implemented ISMS can help your organisation to meet the requirements of the NIS Directive by putting in place policies, procedures, and roles which govern the organisational approach to managing cyber security risks to essential services.
ISO/IEC 27001:2013 is one of many standards you can use to implement an ISMS. If your organisation is intending to use ISO/IEC 27001:2013, you should consider which elements will help achieve your organisational objectives – full compliance and certification may be unnecessary.
Your organisation must incorporate into the ISMS any relevant external requirements, for example direction from the competent authority. You should also set appropriate cyber security requirements for your supply chain to ensure their support in achieving your NIS objectives (see A4 Supply Chain Security).
An industrial automation and control system (IACS) cyber security management system (CSMS) that is relevant to particular essential service sectors.
The CSMS defined in IEC 62443-2-1:2010 is designed to build on ISO/IEC 27001:2013 & ISO/IEC 27002:2013 for IACS environments, with the aim of aligning cyber security risk management with existing safety risk management practices. A management system framework is provided as a baseline, which organisations are encouraged to tailor for their own context.