Guest blog: Gemserv - Think NIS doesn’t affect you? Think again

The new Network and Information Security (NIS) Directive, which has just come into force, is aimed at raising cybersecurity among operators of essential services, but it could also have significant implications for their suppliers.

The directive, which aims to raise the overall level of cybersecurity across the EU, places significant emphasis on supply chain risk management.

After all, if a key supplier to a major telecoms or transport organisation is hit by a cyber-attack, the essential service that organisation provides could be affected too.

The recently published first version of the Cyber Assessment Framework (CAF), which aims to help UK organisations track their progress against NIS, highlights that the directive’s net is cast much wider than the key operators themselves.

It stresses that operators of essential services (OES) need to understand and manage the risks to the networks and information systems underpinning their essential services that arise from dependencies on external suppliers.

Indicators of good practice

The framework highlights a number of indicators of good practice, including the need for OES to have a deeper understanding of the supply chain, including sub-contractors, and of the wider risks they face.

Factors which should inform risk assessment and procurement processes include the supplier’s partnerships, competitors and nationality, as well as the other organisations to which the supplier itself sub-contracts.

The guidance says OES should also have confidence that information shared with suppliers which is essential to the delivery of the essential service is well protected.

As well as the supply chain risk management requirements placed on OES, suppliers will increasingly be expected to demonstrate the robustness of their cyber-security approach to an OES through compliance with standards such as Cyber Essentials and ISO 27001.

NIS and GDPR

Organisations which have implemented an Information Security Management System (ISMS) against a standard such as ISO 27001 will be in a good position for NIS compliance, as they will already have analysed the risks to their network and information systems, implemented controls to minimise those risks, and be continuously improving their ISMS to meet business objectives.

Businesses and organisations can also benefit from information security strategies which ensure they comply with the requirements of both NIS and GDPR.

While their focus is different - with NIS targeting operators of essential services and the GDPR concerned with protecting personal data - both require organisations to adopt risk-based security measures and to report incidents in the event of a breach.
