Regulatory developments: ISO 27001 and NIS2
Lorenzo Distaso
Compliance Specialist, Secursat
Information security has become a strategic priority for all entities across Italy and the European Union, regardless of their size, especially in light of recent regulatory interventions. Large companies can count on dedicated departments and significant resources, but organizations of every sector that sit in the supply chain of entities subject to the DORA Regulation (for the financial sector) or to the NIS 2 Directive now face a complex challenge in ensuring data protection and business continuity.
In a national and international context where the level of cybersecurity literacy remains a critical weakness, and in which DDoS and ransomware attacks threaten critical infrastructure on a daily basis, Secursat, as part of the ICT supply chain of many financial organizations and other strategic entities, has decided to adopt an Information Security Management System according to the ISO 27001 standard and to register its activities on the portal of the Italian competent authority (ACN, Agenzia per la cybersicurezza nazionale), pursuant to Article 7 of the Italian NIS 2 decree.
The importance of the supply chain
Why take this path? We believe that our reliability as a company able to manage our clients’ risks rests on our reputation; we have therefore decided to invest in the measures that will allow us to keep pace with the legislative and technological evolution of our market. Our accountability towards our clients and the market remains the highest. The organizations to which we provide security services (and more) are already looking for suppliers that are compliant and that guarantee a high degree of reliability in information security. The procurement and sourcing processes of large actors in critical sectors, and their search for external partnerships, can no longer skip due diligence on the technical and organizational cybersecurity measures put in place by their business partners.
In this regard, we highlight that, under NIS 2, companies are no longer responsible only for their own information security but also for that of their vendors and partners. The obligation to monitor third parties introduced by NIS 2 and DORA means that, in the event of a cybersecurity breach, the “bigger” entity directly subject to NIS 2 remains accountable for the security of its supply chain, including incidents that originate with one of its suppliers. As part of our clients’ supply chain, Secursat makes sure to meet their needs in dealing with these complex issues, not only by implementing concrete measures but also by building specific ICT compliance skills to face the different challenges.
Information Security: ISO 27001 and NIS 2
In detail, the adoption of an Information Security Management System according to ISO 27001 has brought us closer to the requirements imposed by the new regulatory framework. While the lists of controls outlined by the two norms do not align perfectly, they have many points in common. ISO 27001 supports compliance with the NIS 2 Directive because it establishes a risk-based approach that includes, among others, the following measures: information security risk assessment, context analysis, access management and monitoring for information systems, vulnerability assessment and patching, technical tools for network protection, business continuity solutions and disaster recovery infrastructure. Secursat has decided to make the NIS 2 basic obligations checklist its own and to conduct an internal assessment of its level of compliance. The result is that, with respect to those obligations, our company’s current level of compliance is 90%: a sign that we are on the right track, but that there is still work to do, both from a compliance perspective and for the effective protection of networks, systems and information.
This – together with significant investment made to keep up with the continuous technological evolution and to use data strategically and predictively – is the path that Secursat has taken to reinforce the idea that security, when approached in an innovative and holistic way, can be the pivot around which to build not only business protection, but also the effectiveness and efficiency of operational processes.