If your company falls under the NIS 2 Directive, you will need to produce a number of new documents to cover its cybersecurity and reporting requirements. This article presents the documents that companies need to write according to NIS 2 Chapter IV, "Cybersecurity risk-management measures and reporting obligations". The focus is on this chapter only because it is the one that specifies what essential and important entities must actually do to comply with the Directive. The documents include, among others:
- Risk Assessment Methodology
- Risk Treatment Plan
- Training and Awareness Plan
- Incident Management Procedure
- IT Security Policy
- etc.
List of required documents and records
The table below lists the NIS 2 requirements, the relevant articles from Chapter IV of the Directive, and the documents through which each requirement is usually fulfilled and evidenced in practice.

| What must be documented | NIS 2 article | Usually documented through |
|---|---|---|
| Management bodies must approve the cybersecurity risk-management measures | Article 20, paragraph 1 | Risk Treatment Plan |
| Management bodies must oversee the implementation of cybersecurity risk-management measures | Article 20, paragraph 1 | Measurement Report + Internal Audit Report + Management Review Minutes |
| Members of the management bodies are required to follow training, and must offer similar training to their employees on a regular basis | Article 20, paragraph 2 | Training and Awareness Plan |
| Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks | Article 21, paragraph 1 | Risk Treatment Table + Risk Treatment Plan + various policies and procedures mentioned below |
| When assessing the proportionality of measures, due account shall be taken of the degree of the entity's exposure to risks, the entity's size, and the likelihood of occurrence of incidents and their severity, including their societal and economic impact | Article 21, paragraph 1 | Risk Assessment Methodology + Risk Assessment Table |
| Policy on risk analysis | Article 21, paragraph 2, point (a) | Risk Assessment Methodology |
| Policy on information system security | Article 21, paragraph 2, point (a) | Policy on Information System Security |
| Incident handling | Article 21, paragraph 2, point (b) | Incident Management Procedure + Incident Log |
| Business continuity | Article 21, paragraph 2, point (c) | Business Continuity Plan |
| Backup management | Article 21, paragraph 2, point (c) | Backup Policy |
| Disaster recovery | Article 21, paragraph 2, point (c) | Disaster Recovery Plan |
| Crisis management | Article 21, paragraph 2, point (c) | Crisis Management Plan |
| Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | Article 21, paragraph 2, point (d) | Supplier Security Policy + Security Clauses for Suppliers and Partners + Confidentiality Statement |
| Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | Article 21, paragraph 2, point (e) | Secure Development Policy + Specification of Information System Requirements |
| Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Article 21, paragraph 2, point (f) | Measurement Methodology + Measurement Report + Internal Audit Procedure + Internal Audit Checklist + Internal Audit Report + Management Review Procedure |
| Basic cyber hygiene practices | Article 21, paragraph 2, point (g) | IT Security Policy |
| Cybersecurity training | Article 21, paragraph 2, point (g) | Training and Awareness Plan |
| Policies and procedures regarding the use of cryptography and, where appropriate, encryption | Article 21, paragraph 2, point (h) | Policy on the Use of Encryption |
| Human resources security | Article 21, paragraph 2, point (i) | Security Policy for Human Resources |
| Access control policies | Article 21, paragraph 2, point (i) | Access Control Policy |
| Asset management | Article 21, paragraph 2, point (i) | Asset Management Procedure + Inventory of Assets |
| The use of multi-factor authentication or continuous authentication solutions | Article 21, paragraph 2, point (j) | Authentication Policy |
| Secured voice, video and text communications | Article 21, paragraph 2, point (j) | Information Transfer Policy + Secure Communication Policy |
| Secured emergency communication systems within the entity | Article 21, paragraph 2, point (j) | Secure Communication Policy |
| Take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures | Article 21, paragraph 3 | Supplier Security Policy + Risk Assessment and Treatment Report |
| Take appropriate and proportionate corrective measures when non-compliance with the measures of Article 21 is identified | Article 21, paragraph 4 | Procedure for Corrective Action + Corrective Action Form |
| Notify the CSIRT or competent authority of a significant incident without undue delay | Article 23, paragraph 1 | Significant Incident Notification for CSIRT/Competent Authority |
| Notify the recipients of services, without undue delay, of significant incidents that are likely to adversely affect the provision of those services | Article 23, paragraph 1 | Significant Incident Notification for Recipients of Services |
| Communicate to the recipients of services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat; also inform those recipients of the significant cyber threat itself | Article 23, paragraph 2 | Significant Incident Notification for Recipients of Services |
| An early warning, within 24 hours of becoming aware of the significant incident, that indicates whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact | Article 23, paragraph 4, point (a) | Significant Incident Early Warning |
| An incident notification, within 72 hours of becoming aware of the significant incident, that updates the early warning and indicates an initial assessment of the incident, including its severity and impact, as well as, where available, the indicators of compromise | Article 23, paragraph 4, point (b) | Significant Incident Notification for CSIRT/Competent Authority |
| An intermediate report on relevant status updates, upon the request of the CSIRT or competent authority | Article 23, paragraph 4, point (c) | Significant Incident Intermediate Report |
| A final report not later than one month after the submission of the incident notification, including a detailed description of the incident, its severity and impact, the type of threat or root cause that likely triggered it, applied and ongoing mitigation measures, and any cross-border impact | Article 23, paragraph 4, point (d) | Significant Incident Final Report |
| A progress report, in the event of an incident that is still ongoing at the time the final report would be due, followed by a final report within one month of the incident being handled | Article 23, paragraph 4, point (e) | Significant Incident Progress Report |
Common cybersecurity documents that are not required by NIS 2
Besides the required documents listed above, the following documents are also recommended, since they cover controls that most organizations need in practice even though the Directive does not name them explicitly:
- Information Classification Policy — provides clear rules on how to classify documents and other information, and how to protect those assets according to their classification level.
- Mobile Device, Teleworking and Work from Home Policy — specifies the rules for using laptops, smartphones, and other devices outside of company premises.
- Bring Your Own Device (BYOD) Policy — specifies the security requirements that apply when employees use their private devices for work.
- Disposal and Destruction Policy — specifies how to dispose of devices and media so that all sensitive data is securely erased and intellectual property rights (e.g., licensed software) are not violated.
- Procedures for Working in Secure Areas — defines security rules for data centers, archives, and other areas that need special protection.
- Change Management Policy — defines rules on how changes to production systems are requested, approved, tested, and implemented, in order to reduce security risks.
- Clear Desk and Clear Screen Policy — defines rules for each employee on how to protect their workspace and unattended screens.
- Security Procedures for IT Department — provides security operating procedures for IT activities that are not covered in other documents.
For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.