NIS2: Working towards compliance with Cyberday (3/3)
This is the final part of our three-part blog series handling the NIS2 Directive. Make sure to read part 1: Get familiar with the NIS2 Directive: Exploring its background and improvements and part 2: NIS2: who's in the scope before this one!
As mentioned in the previous parts of the blog series, NIS2 brings various requirements for organizations. It can be time-consuming to keep up with the requirements, so we at Cyberday offer a solution to make information security management more efficient. If you are new to Cyberday, to sum it up: Cyberday helps organizations build a structured and clear ISMS and improve their security standards.
Start working towards compliance
Start working towards compliance in Cyberday by activating the NIS2 framework directly from the library: open the Organisation dashboard, click Edit frameworks and activate the NIS2 framework. If you're already working with other frameworks, the framework will immediately show your current compliance level and active tasks.
Share responsibilities within your organisation
Working towards compliance is more efficient when a team is involved rather than a single person, just as with the work on the other frameworks. If you are not familiar with our app: you can simply invite team members and delegate different responsibilities to different people in Cyberday. Read more about user management and user levels in Cyberday.
Delegating responsibilities is made simple in Cyberday by assigning owners to themes from the Organisation dashboard. Read more about delegating tasks from our article How to delegate tasks in Cyberday.
Gathering assurance: fulfilling tasks
With the help of Cyberday, you can identify and document your assets, systems, processes, and services, and further establish controls with the help of our policies and tasks. For most of the NIS2 tasks, just as for all of the other frameworks you may already know from working in Cyberday, we provide ready-to-use templates and examples.
Once you click on a theme, you will see the list of policies in the selected theme. The policies include the different tasks you need to fulfil in order to gather assurance and prove compliance with the policy. In the theme card, in addition to the policies, you can also see linked documentation items, guidelines and reports. Click on a policy to get to the overview of the tasks included in it. You can activate the tasks separately or mark them as non-relevant if they are not suitable for your organization. You can add additional tasks and assurance at any later point. Read more about working with tasks in Cyberday.
Examples of the tasks in Cyberday.
Linked requirements in NIS2: 21.2-4
Cyberday helps you document and manage risks efficiently and stay up to date with any potential changes. Risks can be identified in Cyberday either automatically, through our cyber security risk identification that runs when you activate information security tasks, or through incident or change handling. All risks are collected in a documentation list directly in Cyberday, so you can treat and follow them up later on.
You can pre-process the risks in Cyberday, for example by identifying the related assets and the tasks that are currently managing the risk. Once a risk is identified and pre-processed, you can move on to the risk evaluation and risk treatment processes. You can find instructions and “templates” for the different steps in Cyberday (see screenshot below). Simply select the correct choices, e.g. by answering questions, linking tasks and checking the status of the treatment process. Mark a risk as done and close the treatment process to keep an overview of open and closed risks. Once a risk is being treated, you can ensure continued monitoring, e.g. by setting review cycles.
Read more about risk management tools in Cyberday from our blog: Information security risk management in Cyberday: Identifying risks, evaluation, treatment and closure
Linked requirements in NIS2: 23.1
As mentioned in the previous blog posts, NIS2 requires organizations to report incidents. In Cyberday, every employee can report an incident from their Guidebook. Admins can view the reports from their account and handle them according to the requirements. Read more about incident management in Cyberday.
Supply chain security
Linked requirements in NIS2: 21.2d and 21.3
Make your partner management systematic by documenting e.g. system providers and personal data processors, and use this information in reporting. Define owners who have the main responsibility for maintaining the partner relationship. In addition, you can document e.g. the status of contracts and many other related details.
The partner management policies specify your own measures for partner security, which aim to sufficiently ensure the digital security level of your partners.
Upcoming: New Partner monitoring features
We will soon be introducing new features for partner monitoring in Cyberday, through which an information security questionnaire can be sent to the defined partners at a desired level of detail, collecting additional evidence of each partner's readiness level. We will let you know once this update is released!
Manage employee awareness
Linked requirements in NIS2: 20.2
As you may know, collecting evidence of your employee awareness training can be challenging. Cyberday provides you with different tools to guide and train your employees, in contrast to most other ISMS tool providers, whose software is usually used only for the compliance work itself. Each of your employees gets (limited) access to Cyberday in order to have their own Guidebook. Read more about our employee Guidebook and how it works here.
Prove compliance with reports
One important step in collecting provable material on compliance is creating reports. You can not only create reports for yourself or your team, but also share them with e.g. members of your supply chain, chosen customers or stakeholders.
Cyberday gives you a wide choice of reporting templates and creates the report in one click: Cyberday fetches all the information needed from the information you add to the tasks. Read more about the reporting feature in Cyberday.
Follow your progress
One great way to see your current progress and compliance level in one simple overview is the “Requirements by status” report in Cyberday. This color-coded report fills with more and more green as more of the tasks become compliant. You can simply click on the different controls in the map and jump straight to the section with the information about that specific requirement. You can also get an idea of the total number of requirements and their implementation status.
Questions and feedback
Do you have any further questions, need another help article, or would like to give some feedback? Please contact our team via email@example.com or the chat box in the lower right corner.