Risk Management and Information System Security Policy

In this article we describe the requirement in Article 21(2)(a) of NIS2, which obliges your organisation to implement risk management and information system security policies.

The purpose of this requirement is to ensure that every organisation has considered how it manages risk and has documented its approach to information system security in a policy.

Information Systems Security Policy

An information system security policy sets out your organisation’s approach to managing information system security and how that approach is implemented, covering technical, operational, and organisational measures.

Requirements

NIS2 requires your organisation to create and implement an information system security policy for its network and information systems.

The policy must take a risk-based approach and ensure an appropriate level of security that fits the organisation’s purpose. The policy must consider the context of the organisation, the current state of technology, the costs of implementing measures, and the risks to the security of your systems that could cause harm to the delivery of your critical services.

The information system security policy must follow the requirements of the NIS2 Directive and support the business goals of the organisation. In addition, the policy should support the organisation’s core activities and values, and it should take into account the risks that are most relevant for the organisation.

An information system security policy should:

  • describe the organisation’s way of managing security in its network and information systems, i.e. the overall framework for how security is handled both strategically and in daily operations
  • define goals for cybersecurity: what the organisation wants to achieve with its cybersecurity
  • include a commitment to meet cybersecurity requirements, for example legal requirements like GDPR
  • include a commitment to keep improving the policy when relevant
  • be available as documentation for all relevant stakeholders

The organisation may also create specific policies on certain topics if needed, for example a backup policy or an access control policy. Such policies must always be consistent with the overall information system security policy.

Documentation

The information system security policy should be updated yearly and whenever there are significant changes to the organisation’s business objectives or to the threat landscape.

The information system security policy must be approved by the organisation’s management body to ensure ownership of the policy. Without management taking responsibility for it, the policy will have no effect within the organisation.

Any subject-specific policies should be reviewed by the relevant management, and the outcome of the review, including any adjustments, must be reported to the organisation’s management body.

Risk Management Policy

The purpose of having a risk management policy is to set out clear rules and methods for identifying, analysing, evaluating, and handling the organisation’s risks. This should ensure that risk management is consistent and effective across all areas impacting the delivery of critical services.

Requirements

The organisation must have a risk management policy that identifies and addresses all risks connected to the security of its network and information systems.

The organisation must carry out and document risk assessments, put a risk management plan in place, and make sure this plan is reviewed and updated regularly.

The results of the risk assessment, the planned risk treatment, and the level of any risks that remain must be approved by the risk owner. This is especially important if the risks could affect critical services. All results and decisions must also be reported to the organisation’s management body.

The risk management policy should:

  • set out a clear process for managing risks,
  • be an integrated part of the organisation’s overall risk management,
  • cover all types of threats and ensure that risks from third parties, such as suppliers, are also addressed,
  • establish and maintain clear criteria for evaluating risks,
  • identify risk owners and document their responsibilities.

The policy should also include methods for risk assessment and may describe:

  • how the organisation identifies and documents risks to its network and information systems, including the identification of single points of failure,
  • how risks to the security of network and information systems are analysed,
  • how the identified risks are evaluated against the established criteria,
  • how the organisation identifies and prioritises appropriate security measures, based on the risk assessment and the effectiveness of those measures,
  • who is responsible for making sure the chosen measures are implemented on time,
  • how the organisation documents the chosen measures and explains the acceptance of any risks that remain.

Documentation

Your risk management policies should be updated regularly and whenever there are important changes in the organisation’s business, vulnerabilities, or threat landscape. The risk management policy must be written down and approved by management.
