The NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council) imposes cybersecurity and information security compliance obligations on many organizations that previously had no such requirements. Most of these organizations, wishing to avoid financial penalties, aim to comply with the directive and the national laws implementing it. To achieve compliance, they engage expert firms. The first step towards compliance is an audit that identifies the existing non-compliances. This article summarizes experiences from gap assessment audits of organizations that have recently become subject to NIS2.
In most cases, the primary goal of an organization’s leadership is to avoid financial penalties. This approach reflects a clear lack of information security awareness. Organizational leaders often initially believe that hiring an expert firm to ensure compliance is a one-time task that will prevent any negative consequences. Both before and after audits, it is important to communicate that audits and the remediation of identified deficiencies are not one-off activities: the information security management system (ISMS) that is established must be operated continuously. A change in mindset is needed so that the goal is not merely avoiding fines or personal liability for leaders, but creating value and reducing the likelihood and impact of ever-evolving threats. Offering training to leaders and to employees in their different roles is recommended to raise awareness and lay the foundation for this change in mindset.
During audits, it is often found that the audited personnel do not fully understand the requirements behind the control measures, which frequently leads to misunderstandings. The concepts must be clarified for all audited parties, and the connections highlighted: why a requirement exists, how the requirements relate to one another, what the goal of implementing them is, and whether the control in question applies to the organization at all. As a result, audits take longer, and educating the audited party and confirming their understanding consumes significant resources. We recommend educating the audited party before any NIS2 audit, especially in organizations that were previously not subject to such requirements, to explain the expectations and ensure a smoother audit. It is crucial that everyone understands that answers to audit questions must be supported by evidence.
As mentioned in the introduction, organizations that have recently become subject to NIS2 have not previously dealt with information security compliance, do not hold an ISO/IEC 27001 ISMS certification, and were not previously subject to legal regulation in this area. Many of these organizations outsource their IT operations, and the outsourced service is focused solely on delivering the functionality defined in the contract. These IT service providers were often selected long ago on the basis of trust and business considerations, and leadership never required the provider to ensure information security. Consequently, the providers often have limited information security skills, which can make remediation of the identified deficiencies difficult. As part of the audit, it is therefore important not only to assess control compliance but also to spell out the conditions necessary to maintain compliance, from both an IT operations and an application perspective.
In organizations where IT operations are not outsourced but handled by in-house staff, the situation is slightly different. These organizations often face a shortage of skilled personnel, so the functioning of the systems depends on a few system administrators and IT staff. Typically the knowledge resides only in the heads of these IT professionals, with little or no documentation, so the absence of any one of them can be devastating: the IT staff operating the systems are single points of failure. NIS2 compliance is not possible without documentation, so it is crucial to have support staff who can document the controls the information systems require and create the conditions for an auditable and transparent ISMS. Not only operational documentation is lacking: policies, procedures, and process descriptions are also frequently missing in audited organizations. In many cases practices are established but not written down. It is recommended to include suggestions for an appropriate regulatory framework in audit reports, thereby assisting the audited organizations.
Even where IT knowledge is available (which is often not fully the case), IT security and information security knowledge is generally lacking, and understanding the interconnections between controls can be challenging. As control compliance is examined, audited parties often do not understand why they need to know certain things. This brings us back to the importance of pre-audit training, where it can be explained that the control set is general and not a ‘one size fits all’ solution. Some controls need not be complied with, for example because the organization does not carry out the relevant activity. For instance, if there is no software development, no non-compliance can be identified for a lack of code reviews, since no code is being developed. An information security specialist can resolve this kind of ‘misunderstanding’, but such expertise is not available in every organization.
For many organizations, the primary goal is to establish the minimum conditions necessary for operation, and beyond that they pay little attention to either IT security or information security. In many cases there are deficiencies that could cause a system to collapse at any moment, or the lack of regulatory and logical protection measures makes data protection incidents highly likely; some of these may already have occurred without the organization’s knowledge because of the absence of controls such as monitoring. Given the potential for large fines, it is advisable to address these areas, especially since many organizations are pursuing NIS2 compliance primarily to avoid penalties.
In many cases organizations do not know their own processes or the information systems that support them (neither the internal nor the external ones they use), nor how many such systems there are or how they are interconnected. Organizations are simply satisfied if IT works and supports business operations; how it operates often does not concern upper management. In today’s threat environment, this attitude leads to inevitable failure. Moreover, without information on processes and information systems the audit itself faces difficulties: the list of identified deficiencies will be incomplete, and consequently the action plan for addressing them will be inadequate.
Decision-makers often believe that conducting an audit will automatically resolve the identified deficiencies and that it only needs to be done once to satisfy the authorities. After receiving the audit report, they are surprised to learn that further investment may be necessary (such as vulnerability assessments, penetration tests, or the implementation of security systems) and that, after addressing the deficiencies in the post-audit action plan, they will need to operate the established ISMS. It is recommended to share this with the audited party and decision-makers even before the audit is conducted, so they know what to expect.
Audit experience shows that organizations are often not well prepared. Ensuring mandatory compliance will pose significant challenges for certain organizations. However, an audit is unavoidable if the organization wants to understand its current standing, its maturity level, and what future resource allocation will be necessary not only to achieve NIS2 compliance but also to develop adequate responses to growing cyber threats.
About the Author
Zsolt Baranya is a Senior Information Security Auditor at Black Cell Ltd. in Hungary and Germany. He previously held information security officer and data protection officer roles at a local governmental organization. He also worked as a senior desk officer at the National Directorate General for Disaster Management, Department for Critical Infrastructure Coordination, where he was responsible for the information security compliance of Hungarian critical infrastructures. Zsolt can be reached at [email protected] and at his company’s website https://blackcell.io/.