It is a minimum requirement of the NIS2 that organisations protect their network and information systems by establishing measures within their human resources security, access control policies and asset management.
Human Resources Security
Your organisation must ensure that employees, partners, and suppliers understand and commit to their security responsibilities in line with the organisation’s information system security policy.
Requirements
Your organisation must ensure that employees, suppliers and service providers are aware of and live up to their responsibilities for protecting your organisation’s networks and information systems.
You may establish procedures to ensure that:
- all employees, direct suppliers, and service providers are aware of and follow your standard cyber hygiene practices,
- all users with administrative or privileged access understand and act according to their roles, responsibilities, and authorisation,
- members of management understand and act according to their role and responsibilities for network and information system security.
These security responsibilities can be included in contracts and employment agreements.
You may carry out background checks on new employees and on direct suppliers and consultants, if you find that this is required by your risk assessment of their role, responsibilities, and their access to network and information systems.
If you find that background checks are relevant then you should:
- define which roles and responsibilities require background checks,
- ensure checks are carried out in line with laws and ethical standards,
- complete the checks before individuals take on the role or responsibilities in question.
You should also ensure that security responsibilities which remain valid after an employee leaves or changes role are clearly defined, communicated, and understood. You should define and communicate the rules that apply in case of violations of security policies or procedures.
Documentation
Your organisation’s employment agreements may state that employees are required to complete the necessary training in network and information system security, and that they are aware of their responsibilities for following the organisation’s policies and procedures.
Your documentation may include written policies and procedures for activities such as background checks and exit interviews. These policies and procedures should be reviewed at planned intervals.
Access Control Policies
You should establish access control policies to protect physical and digital assets against loss of confidentiality, integrity, and availability by preventing unauthorised access.
Requirements
Your organisation must establish an access control policy for granting, changing, and removing access rights to networks and information systems, which should be in line with the information system security policy.
The policy must identify and assess risks related to both logical and physical access control, covering access by both people and processes, for example, when an external system is connected to an internal one.
The policy must include procedures for managing access rights, including privileged rights, and these should cover:
- methods for identifying and assessing the need for access for employees, suppliers, and service providers, including both normal users and those with administrative rights,
- methods for ensuring that access rights are granted, modified, or removed as needed.
Your organisation should restrict and control the use of IT administration systems and systems that can change security configurations. Your access control policy may cover access for both employees and external parties, such as suppliers.
You should manage and document the identities of all users and systems with access to information and related assets, making sure it is clear who or what has access to networks and systems and why. This process should cover the full lifecycle of identities, including their creation, modification, regular review, and eventual removal. To support this, secure authentication procedures and technologies should be implemented in line with the access control policy.
Documentation
Your documentation of access controls may include written policies and procedures for granting, changing, and removing access to your organisation’s premises and information systems. These policies and procedures should be reviewed at regular intervals.
Asset Management
Asset management gives your organisation insight into which assets must be protected and what level of protection is appropriate for each, and it is a requirement of the NIS2.
Requirements
Your organisation must define the management of assets that could affect network and information security. Therefore, you should establish procedures which cover the management of all assets, including network and information systems, related components, and critical dependencies with your partners. An appropriate level of protection should be defined for each asset.
The organisation:
- should establish a procedure for setting classification levels for assets, so that protection levels reflect the sensitivity, criticality, risk, and business value of each asset,
- should prepare and communicate instructions for handling assets throughout their lifecycle and in line with the information system security policy,
- may develop and maintain an inventory of network and information systems and related assets. You should ensure the asset inventory stays complete, accurate, and reliable. Changes in the inventory should be documented and included in change management processes,
- should require that all staff and external partners return or permanently delete assets issued to them as soon as their employment or contract ends.
Documentation
Your compliance documentation may include written procedures for handling assets and records of how these are communicated to relevant employees. These procedures should be reviewed at regular intervals.