Serviceteam IT Security News


The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.


Effective security of network and information systems should be driven by organisational management and corresponding policies and practices. There should be clear governance structures in place with well-defined lines of responsibility and accountability for the security of network and information systems.

Senior management should clearly articulate unacceptable impacts to the business (often called risk appetite), which should take into account the organisation’s role in the delivery of essential services, so decision makers at all levels can make informed decisions about risk without constantly referring decisions up the governance chain.

There should be an individual(s) who holds overall responsibility and is accountable for security. This individual is empowered and accountable for decisions regarding how services are protected. For small organisations, the governance structure can be very simple.


NCSC Introduction to Security Governance

Your organisation’s approach to security governance needs to be an appropriate fit for your organisation. Good security governance is integrated with your business’s usual decision making structures and processes.

Decisions about risk can be made at all levels of your organisation when delegated effectively to people with the right security, business and technical knowledge, skills and experience. Clear lines of communication are also necessary.

Risk management standards

Following a standardised risk management approach can help in achieving good cyber security governance. There are many such standards to choose from. Some of the most well-known for NIS sectors are:

ISO/IEC 27001:2013

An Information Security Management System can aid governance of cyber security risk

An Information Security Management System (ISMS) is a set of policies, procedures, and roles designed to ensure cyber security risks are identified and managed. Traditionally an ISMS is considered to be an information risk management system, however it can be used to manage cyber security risks to essential services.

A properly scoped and implemented ISMS can help your organisation to meet the requirements of the NIS Directive by putting in place policies, procedures, and roles which govern the organisational approach to managing cyber security risks to essential services. 

ISO/IEC 27001:2013 is one of many standards you can use to implement an ISMS. If your organisation is intending to use ISO/IEC 27001:2013, you should consider which elements will help achieve your organisational objectives – full compliance and certification may be unnecessary. 

Your organisation must incorporate into the ISMS any relevant external requirements, for example direction from the competent authority.  You should also set appropriate cyber security requirements for your supply chain to ensure their support in achieving your NIS objectives (see A4 Supply Chain Security).

IEC 62443-2-1:2010

An industrial automation and control system (IACS) cyber security management system (CSMS) that is relevant to particular essential service sectors.

The CSMS defined in IEC 62443-2-1:2010 is designed to build on ISO/IEC 27001:2013 & ISO/IEC 27002:2013 for IACS environments, with the aim of aligning cyber security risk management with existing safety risk management practices. A management system framework is provided as a baseline, which organisations are encouraged to tailor for their own context.


NCSC Introduction to Security Governance

ISO/IEC 27001:2013

IEC 62443-2-1:2010

< Back to NIS Objectives                Forward to Principle A2 >

Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!