NIS2 Complete Framework

All steps towards NIS2 at your organisation; next, after obtaining NIS2, towards a 'Cybersecurity maturity assessment' (matrix), for lasting (cyber-)security for your organisation.

Uploaded by

jeff
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
86 views58 pages

NIS2 Complete Framework

all steps towards NIS2 at your organisation. next, after obtaining NIS2 towards 'Cybersecurity maturity assessment (matrix), for lasting (cyber-)security for your organisation.

Uploaded by

jeff
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd

A way forward: protection of critical infrastructures, a great endeavour
(Directive EU 2016/114 - 1148, and Directive (EU) 2022/2555), akas: NIS, and NIS 2

Sensitivity: Confidential
KEY TERMS (mutual understanding)
• Cybersecurity: the ability of network and information systems to resist action that compromises the availability, authenticity, integrity or confidentiality of digital data or the services those systems provide.
• Network and information system: an electronic communications network, or any device or group of interconnected devices which process digital data, as well as the digital data stored, processed, retrieved or transmitted.
• Essential services: private businesses or public entities with an important role for the society and economy, as for example water supply, electricity services, etc.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
Basic high level comparison NIS and NIS2:
Aspect | NIS1 (Directive 2016/1148) | NIS2 (Directive 2022/2555)
Scope | Limited to essential services and digital service providers | Broader: includes more sectors and medium/large entities
Sector Coverage | Energy, transport, banking, health, water, digital infrastructure | Adds postal, waste, food, manufacturing, public administration
Entity Size Threshold | Not clearly defined | Applies to entities with ≥50 employees or ≥€10M turnover
Security Requirements | General obligations | More detailed and harmonized requirements
Incident Reporting | Only significant incidents | Mandatory reporting within 24 hours for all major incidents
Governance & Accountability | Less emphasis on leadership roles | Explicit responsibilities for management bodies
Supply Chain Security | Not addressed | Explicitly included
Enforcement & Penalties | Vague enforcement mechanisms | Stronger supervision and fines (up to €10M or 2% of turnover)
Cooperation Mechanism | CSIRTs and national authorities | Adds EU-CyCLONe for coordinated response
Compliance Burden | Lower | Higher, with mandatory risk management and documentation
Industry and beyond: sectors in scope
• Energy
• IT, Space, Telecom
• Postal services
• Media, Culture
• Waste management
• Finance
• Food
• Water
• Transport, traffic
• Health
• Government, administrations
Industry and beyond 1/3
Sector | Subsector | Type of entity
Energy | Electricity | Electricity undertaking performing the function of "supply"; Distribution system operators; Transmission system operators
Energy | Oil | Operators of oil pipelines; Operators of facilities for the production, refining and treatment of oil, storage and transport
Energy | Gas | Supply undertakings; Distribution system operators; Transmission system operators; Storage system operators; LNG system operators; Natural gas undertakings; Operators of facilities for the refining and treatment of natural gas
Industry and beyond 2/3
Sector | Subsector | Type of entity
Transport | Air transport | Air carriers; Airport managing bodies; Air traffic control services
Transport | Rail transport | Infrastructure managers; Railway undertakings
Transport | Water transport | Companies for inland, sea and coastal transport of passengers and freight by water; Managing bodies of ports (as well as entities operating works and equipment within ports); Operators of vessel traffic services
Transport | Road transport | Road authorities; Operators of intelligent transport systems
Industry and beyond 3/3
Sector | Subsector | Type of entity
Banking | | Credit institutions
Financial market infrastructure | | Operators of trading venues; Central counterparties
Health | Healthcare settings (including hospitals and private clinics) | Healthcare providers
Drinking water supply and distribution | | Suppliers and distributors of "water intended for human consumption"
Digital infrastructure | | Internet exchange points; DNS service providers; Top-level domain name registries
Where is it based on?
NIS1: „Directive (EU) 2016/1148“, and NIS2: „Directive (EU) 2022/2555“
Go with the (reassuring) flow
• Executive decision: Statement of Work (SoW), with in scope, out of scope, high level planning, and budget covenant.
• Contract: executive management support.
• Project set-up: rules of engagement, communication, project organisation.
• SoA: Statement of Applicability.
• "Landscape": infrastructure, IT / network, civil constructions, production / operations facilities.
• Risk assessment: risk based approach.
• Implementing: roll-out, roll-in ['building' ISMS].
• Audit, certification and 'regular' ISMS maintenance.
Note: to be used as a demo principle, only
Today's front-runner's approach: Critical Infrastructures
• Identify scope 360°, or 'full panoramic image'
• Collect "landscape" information, in multiple layers (the asset register):
  • Infrastructure (construction) drawings
  • IT (software, applications, website, touchpoints, hardware, configuration / patch mgt, …)
  • IT network (incl. 'cloud')
  • Vendor management, configuration management (tool/application), incl. housing and hosting service providers
  • Server room(s)
  • Civil / operational constructions drawings, technical operation rooms
  • People management
  • Policies
  • Processes
  • Geographical location, transport modi, suppliers, environmental
• Statement of Applicability (cfr ref.: slide 7)
• Risk assessment, previous audit reports
• Identify mitigation: controls
• Execute / realise mitigation / solutioning
• Evidences and documentation
• Audit, and certification
• Management / maintain control on 'Critical Infrastructure' protection
SoA: this is a 'demonstrative' example, on purposes only!
Area | Description of Statement of Applicability | Related standards, audit framework | Documents
Vulnerability-Management | What is the handling of known weak points like? Presentation of processes and derived measures. | SANS Institute; OWASP top 10; ISO 27002; ISO 31000 | Risk assessment; recommendations; periodically iterative process description
Patch-Management | Concept of measures for patch management at DL. | ITIL | Process definition (may be tooling)
Systemhärtung [hardening] | The Contractor undertakes to harden the systems it supplies in order to minimise the impact | Identify collection of tools, techniques, and best practises to reduce vulnerability company wide |
Fernzugang für Drittanbieter [remote access for third parties] | Remote access from third parties to the network of the Principal | |
Anforderungen an die Softwareentwicklungsprozesse [requirements for the software development processes] | The software development processes of the contractor must be designed in such a … | |
Einsatz der kryptographischen Lösungen [use of cryptographic solutions] | In order to ensure that no obsolete cryptographic solutions known to be … | |
Dokumentation [documentation] | The service provider shall regularly document the processes mentioned in this list (process manual). | ISO 27000, ISMS | Define structure; define document process flow, access management, user profiles
… | … | … | …
ISMS, Audit, CIRT: approach, re-usable framework too
Elaborate & engineering, and build of a re-usable framework / template / approach for other Company's sites.
Solution NIS based on standards, frameworks, and more (to be aligned with specific domain / industry)
• EU 2016/114 - Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection
• EU 2016/1148 - Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
• ISO 27001 (2, 3, 4, and 5) - Information security management
• ISO (TR) 27019 - Information technology — Security techniques — Information security controls for the energy utility industry
• NIST 800-53 Rev. 4 Control
• ISO 31000 - Risk management – Guidelines; provides principles, framework and a process for managing risk
• ITIL - Information Technology Infrastructure Library
• OWASP - Open Web Application Security Project
• ISO 15408 - Information technology – Security techniques – Evaluation criteria for IT security
• ISO 21827 - Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model
• ISO 22301 - Societal security — Business continuity management systems — Requirements
• ISO 27031 - Information technology — Guidelines for ICT readiness for business continuity
• ISO 55001 - Asset management — Management systems — Requirements
• ISO (TR) 27550 - Information technology — Security techniques — Privacy engineering for system life cycle processes
• UP KRITIS - Public-Private Partnership for Critical Infrastructure Protection; KRITIS V
• IEC 62443 - "Security for Industrial Process Measurement and Control – Network and System Security"
Non-exhaustive overview of potential applicable standards and frameworks; to be modified according to the scope of the audit exercise.
Road ahead: complexity, and more... Analysing complexity brings insights.
Stage | ISO Standard | Purpose
1. Strategic Risk Governance | ISO 31000 (Risk Management) | Establishes enterprise-wide risk principles, context, and governance.
2. Asset-Centric Governance | ISO 55000 (Asset Management) | Manages lifecycle and criticality of assets (IT/OT/data).
3. Risk Assessment Integration | ISO/IEC 27005 (Information Risk) | Provides methodology for assessing information security risks.
4. IT Security Management | ISO/IEC 27001 (ISMS) | Defines the structure for managing information security.
4. IT Security Management | ISO/IEC 27002 (Controls) | Offers detailed control implementation guidance.
5. OT/IACS Security Management | IEC/ISA 62443-2-1 (CSMS) | Defines Cyber Security Management System for industrial automation.
5. OT/IACS Security Management | IEC/ISA 62443-3-3 (System Security Requirements) | Specifies technical security requirements for IACS.
5. OT/IACS Security Management | IEC/ISA 62443-4-2 (Component Security) | Applies to embedded systems and devices.
6. Business Continuity & Resilience | ISO 22301 (BCMS) | Ensures continuity of critical services during disruptions.
7. Privacy & Data Protection | ISO/IEC 27701 (Privacy Extension to ISMS) | Aligns ISMS with GDPR and privacy obligations.
Legend: Doc: document; Proc²: processes, and procedures
Road ahead: complexity, and more... Analysing complexity brings insights.
[Roadmap diagram: start (EU 2022/2555) → ISO 31000, ISO 55000, ISO 21827, ISO 27019, ISO 2700x → controls (ISO 27002) → SoA → certification → audit; other standards referenced: ITIL, ISO 25010, ISO 27031, OWASP, IEC 62443, ISO 22301, ISO 15408. Evidences: Doc, Proc². Supporting elements: cyber security maturity assessment, asset mgt, audit, ISMS, CIRT, internal register, operational. For 'readability' purposes, not all information is shown.]
Legend: Doc: document; Proc²: processes, policies, and procedures
Linking "Asset Management" to ISO 2700X, and vice versa
What: all information assets are to be considered, not only physical assets. This includes anything of value to the organisation where information is stored, processed and accessible, but it is the information that is of real interest, less so the network or device per se, although clearly they are still assets and need to be protected.
Defining assets ("data")
Some examples:
• Information (or data)
• Intangibles – such as IP, brand and reputation
• People – employees, temporary staff, contractors, volunteers etc.
And the physical assets associated with their processing and infrastructure:
• Hardware – typically IT servers, network equipment, workstations, mobile devices etc.
• Software – purchased or bespoke software
• Services – the actual service provided to end-users (e.g. database systems, e-mail etc.)
• Locations & Buildings – sites, buildings, offices etc.
Any type of asset can be grouped together logically according to a number of factors such as:
• Classification – e.g. public, internal, confidential etc.
• Information type – e.g. personal, personal sensitive, commercial etc.
• Financial or non-financial value
Asset Management Foundation (Tooling) 1
• Register of Vendors
• Cross referencing supplies (hardware, IT components, plc's, ...)
• Cross referencing with configuration data (key identifiers per item)
• Cross referenced with maintenance management
• Service level management / contract (y/n), gold, silver, less…
Inventory of all items (grouped, individually, types, locations, stock/warehouse, unique identifier, vendor).
Risk based approach, again. Cross references are key.
• What components are strategic in your organisation, or production chain?
• What if a vendor is not operational anymore: what items are impacted?
• What if a key item is running out of life cycle? Alternative product? Alternative supplier?
• In case of a quality issue of an item: where are those items located in our organisation / production facility?
Asset Management Foundation (Tooling) 2
• Register of Software, and applications
• Cross referencing supplier
• Cross referencing with configuration data (key identifiers per software, tool, application)
• Patch management, configuration item db
• Latest/active version
• Swift recovery
• Cross referenced with maintenance or service level management
CMDB, ITIL, Business Continuity management, Disaster Recovery, CIRT, Communication, Compromise management, Termination management, …
Asset Management Foundation (multi layered)
• Bottom-up, and top-down approach
• Identifying the different layers, and interdependencies between each layer:
  1. Production facility / facilities (site(s))
  2. P&ID, plc automation, technical networks
  3. Process flow diagram
  4. Electrical wiring diagram, cabinets, networks, power supply, remote controllers
  5. ICT, IT network, architectural drawing, components, firewall, touchpoints (network, cloud)
  6. Geographical site(s) location
Keep in mind: ISO 62443 … IEC/ISA 62443 is a comprehensive cybersecurity standard specifically designed for Industrial Automation and Control Systems (IACS), making it essential for NIS2 compliance in OT environments.
Asset Management Foundation (layered) 1: production facility
• P&ID of your production facility
• Instrument index (cfr slide 9)
• Plc, and other automation devices (cfr slide 9)
• Software (versions) (cfr slide 10)
• Location
Keep in mind: ISO 62443 …
Asset Management Foundation (layered) 2: production facility
• Process flow diagram of your production facility
• Vessel index (cfr slide 9)
• Plc, and other automation devices (cfr slide 9)
• Software (versions) (cfr slide 10)
Keep in mind: ISO 62443 …
Asset Management Foundation (layered) 3: production facility
Per facility: risk management; physical security; vulnerability assessment; business continuity management; disaster recovery management.
Keep in mind: ISO 62443 …
Asset Management Foundation (layered) 4: ICT, network
Site 1: remote access. Site 2: remote accessible.
Per site: risk management; physical security; vulnerability assessment; business continuity management; disaster recovery management.
Asset Management Foundation (layered) 5: geographical location
Xyz location:
• access roads
• canals
• rail roads
• airport
• power supply (multiple providers)
• telecom supply (multiple providers)
Per location: risk management; physical security; vulnerability assessment; business continuity management; disaster recovery management.
Project management: follow-up budget
Project management: follow-up progress (this is a 'demonstrative' example, on purposes only!)
Area | Status | Budget
Vulnerability-Management | ◻ Specified (not started) ◻ In draft/ready for review ◻ Review (<organization>) ◻ Rework edited ◻ Final acceptance | ◻ Budget estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
Patch-Management | ◻ Specified (not started) ◻ In draft/ready for review ◻ Review (<organization>) ◻ Rework edited ◻ Final acceptance | ◻ Budget estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
Systemhärtung | ◻ Specified (not started) ◻ In draft/ready for review ◻ Review (<organization>) ◻ Rework edited ◻ Final acceptance | ◻ Budget estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
Fernzugang für Drittanbieter | ◻ Specified (not started) ◻ In draft/ready for review ◻ Review (<organization>) ◻ Rework edited ◻ Final acceptance | ◻ Budget estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
Anforderungen an die Softwareentwicklungsprozesse | ◻ Specified (not started) ◻ In draft/ready for review ◻ Review (<organization>) ◻ Rework edited ◻ Final acceptance | ◻ Budget estimate: € ◻ Actual: € ◻ BAC: € ◻ Variance: €
Einsatz der kryptographischen Lösungen | ◻ Specified (not started) ◻ In draft/ready for review | ◻ Budget estimate: € ◻ Actual: € ◻ BAC: €
Project management: follow-up ownership (this is a 'demonstrative' example, on purposes only!)
Area | Ownership | Contact information
Vulnerability-Management | ◻ <organization> | ◻ Name ◻ Function/role ◻ email
Vulnerability-Management | ◻ External – <organization> – Partner / Supplier | ◻ Company ◻ Name ◻ Function/role ◻ email
Vulnerability-Management | ◻ Service Provider | ◻ Name ◻ Function/role ◻ email
Patch-Management | ◻ <organization> | ◻ Name ◻ Function/role ◻ email
Patch-Management | ◻ External – ENGIE – Partner / Supplier | ◻ Company ◻ Name ◻ Function/role ◻ email
Patch-Management | ◻ Service Provider | ◻ Name ◻ Function/role ◻ email
Systemhärtung | ◻ <organization> | ◻ Name ◻ Function/role ◻ email
Systemhärtung | ◻ External – <organization> – Partner / Supplier | ◻ Company ◻ Name ◻ Function/role ◻ email
Systemhärtung | ◻ Service Provider | ◻ Name ◻ Function/role ◻ Email
Risk based approach (demonstrative example)
Risk rating matrix: LIKELIHOOD (rows) × CONSEQUENCE (columns). Each cell gives the rating and its priority sub-rank (EXTREME1 is the most urgent cell, LOW8 the least).

LIKELIHOOD  | INSIGNIFICANT | MINOR        | MODERATE     | MAJOR        | CATASTROPHIC
VERY LIKELY | MODERATE7     | SIGNIFICANT4 | HIGH2        | EXTREME2     | EXTREME1
LIKELY      | LOW2          | MODERATE2    | SIGNIFICANT2 | HIGH1        | EXTREME3
POSSIBLE    | LOW4          | MODERATE4    | MODERATE1    | SIGNIFICANT1 | HIGH3
UNLIKELY    | LOW7          | LOW1         | MODERATE5    | MODERATE3    | SIGNIFICANT3
RARE        | LOW8          | LOW6         | LOW5         | LOW3         | MODERATE6

[Heat map: twelve numbered risks (1–12) are plotted on the matrix.]
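The matrix above is only useful once it is applied consistently to a risk register. The following Python, added here as an example and not code from the deck, encodes the slide's cells (rating plus sub-rank), rates each register entry, orders the register by matrix priority, and reports the share of risks rated SIGNIFICANT or higher per NIS2 domain, the per-domain view the later "NIS2 risk per domain" charts show. The register entries and their domain names are constructed and hypothetical; the rating scale names are the slide's.

```python
"""Risk-based approach: rate a risk register with the 5x5 likelihood x
consequence matrix from the slide and summarise open risk per NIS2 domain.

Added example, not part of the original deck. The MATRIX cells reproduce
the slide's ratings and sub-ranks (EXTREME1 is the most urgent cell,
LOW8 the least); RISK_REGISTER is a constructed, hypothetical register.
"""
from collections import Counter

LIKELIHOOD = ["RARE", "UNLIKELY", "POSSIBLE", "LIKELY", "VERY LIKELY"]
CONSEQUENCE = ["INSIGNIFICANT", "MINOR", "MODERATE", "MAJOR", "CATASTROPHIC"]

# MATRIX[likelihood][consequence index] = (rating, sub-rank within the rating)
MATRIX = {
    "VERY LIKELY": [("MODERATE", 7), ("SIGNIFICANT", 4), ("HIGH", 2), ("EXTREME", 2), ("EXTREME", 1)],
    "LIKELY":      [("LOW", 2), ("MODERATE", 2), ("SIGNIFICANT", 2), ("HIGH", 1), ("EXTREME", 3)],
    "POSSIBLE":    [("LOW", 4), ("MODERATE", 4), ("MODERATE", 1), ("SIGNIFICANT", 1), ("HIGH", 3)],
    "UNLIKELY":    [("LOW", 7), ("LOW", 1), ("MODERATE", 5), ("MODERATE", 3), ("SIGNIFICANT", 3)],
    "RARE":        [("LOW", 8), ("LOW", 6), ("LOW", 5), ("LOW", 3), ("MODERATE", 6)],
}
# Lower number = more urgent; ratings are ordered before their sub-rank.
RATING_ORDER = {"EXTREME": 0, "HIGH": 1, "SIGNIFICANT": 2, "MODERATE": 3, "LOW": 4}

# Constructed register: id, NIS2 domain (names as on the risk-evolution chart), scores.
RISK_REGISTER = [
    {"id": "R1", "domain": "supply chain", "likelihood": "LIKELY", "consequence": "MAJOR"},
    {"id": "R2", "domain": "techn", "likelihood": "VERY LIKELY", "consequence": "CATASTROPHIC"},
    {"id": "R3", "domain": "governance (GRC)", "likelihood": "POSSIBLE", "consequence": "MODERATE"},
    {"id": "R4", "domain": "HR", "likelihood": "UNLIKELY", "consequence": "MINOR"},
    {"id": "R5", "domain": "business continuity", "likelihood": "POSSIBLE", "consequence": "CATASTROPHIC"},
    {"id": "R6", "domain": "sec/policy", "likelihood": "LIKELY", "consequence": "MAJOR"},
]


def rate(likelihood, consequence):
    """Look a (likelihood, consequence) pair up in the matrix; reject unknown scale values."""
    if likelihood not in MATRIX:
        raise ValueError(f"unknown likelihood {likelihood!r}; expected one of {LIKELIHOOD}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence {consequence!r}; expected one of {CONSEQUENCE}")
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def priority_key(likelihood, consequence):
    """Sort key (rating order, sub-rank): EXTREME1 < EXTREME2 < EXTREME3 < HIGH1 < ..."""
    rating, sub = rate(likelihood, consequence)
    return (RATING_ORDER[rating], sub)


def prioritise(register):
    """Risk ids ordered by matrix priority, ties broken by id for a stable list."""
    ordered = sorted(register,
                     key=lambda r: priority_key(r["likelihood"], r["consequence"]) + (r["id"],))
    return [r["id"] for r in ordered]


def domain_share(register, min_rating="SIGNIFICANT"):
    """Percentage of risks rated at or above min_rating, per NIS2 domain."""
    cutoff = RATING_ORDER[min_rating]
    counted = [r["domain"] for r in register
               if RATING_ORDER[rate(r["likelihood"], r["consequence"])[0]] <= cutoff]
    if not counted:
        return {}
    return {d: round(100 * n / len(counted), 1) for d, n in Counter(counted).items()}


if __name__ == "__main__":
    for rid in prioritise(RISK_REGISTER):
        r = next(x for x in RISK_REGISTER if x["id"] == rid)
        print(rid, r["domain"], *rate(r["likelihood"], r["consequence"]))
    print(domain_share(RISK_REGISTER))
```

Keeping the matrix as data rather than as nested `if` statements means the risk owners can revise the cells (for instance when the board lowers its appetite for CATASTROPHIC consequences) without touching the ordering or reporting logic, and `rate` refusing unknown scale values prevents a misspelled "Likely" from silently dropping out of the treatment plan.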
ISMS implementation flow
Applicable references: ISO 27001, ISO 27004, ISO 22301, ISO 62443, Directive EU 2016/114, Directive EU 2016/1148, laws, regulations, contracts.
[Flow chart:] start → Business case → Management support → Define ISMS scope → INVENTORY: inventory scope information assets → ISO 27005: assess information risks → ISO 27002, RTP: prepare risk treatment plan → ISO 27003, SoA: prepare statement of applicability → Develop ISMS implementation program → Execute different projects (n, n1, n2, nx) → ISO 27001: Information security management system → Manage & maintain inventory and yearly audit → ISMS internal audit → Operate ISMS as a process → Compliance review → Pre-certification assessment → Review & corrective actions → Certification audit
ISMS operational tooling (demonstrative example)
[Diagram:] CSO. ISO 22301 business continuity management: BCP-S1, BCP-S2, BCP-S3, BCP-S4. AUDIT: internal audit reports, external audit reports; ISO 27004. Information security management system: S policies, S standards, S procedures, S processes, S guidelines. Inputs: LOG-files, metrics, BSC metrics. INCIDENT management: incident reports 1–4; ISMS internal audit; Mgt review reports 1–4. BASIC ISMS; QMS.
Risk & issue communication and reporting tool (demonstrative example)

End
Progress status reporting
[Bar chart "Overview status per deliverable": y-axis 0–180 in steps of 20; categories: listed, defined, in progress, review, commented, rework, ready, accepted, target.]
Final destination? Step by step.
Logic deliverable chart NIS 2 @ <Organisation>
• Governance & mgt: NIS2 program charter; SteerCo charter; Board level briefing & training; Accountability matrix (RACI)
• Risk & assessment: NIS2 gap assessment report; Updated risk register; Statement of applicability; Cybersecurity policy set
• Foundational controls: Asset inventory & classification; Access control & MFA rollout; Patch & vulnerability management; Secure communications & cryptography
• Incident response & recovery: Incident Response Plan (IRP); Incident notification procedure; Incident response drill report; Crisis communication plan
• Supply chain security: Supplier risk assessment framework; Critical supplier inventory; Updated supplier contracts; TPRM
• Continuous improvement: Audit & compliance report; KPI dashboard & metrics; Annual review & improvement plan
• Communication: Executive messaging; Awareness campaign; Training & workshops; Stakeholder engagement; Communication strategy & plan
• Cybersecurity maturity assessment 0 - 5
Final destination? Step by step.
Domain | Deliverable | Description
1. Governance & Management | 1.1. NIS2 Program Charter | Formal document defining scope, objectives, budget, and governance structure.
1. Governance & Management | 1.2. Steering Committee (SteerCo) Charter | Defines roles, responsibilities, and cadence for high-level oversight.
1. Governance & Management | 1.3. Board-Level Briefing & Training | One-pager and presentation for the board on their NIS2 liabilities.
1. Governance & Management | 1.4. NIS2 Accountability Matrix (RACI) | Defines who is Responsible, Accountable, Consulted, and Informed for each NIS2 requirement.
2. Risk & Assessment | 2.1. NIS2 Gap Assessment Report | A detailed analysis comparing the current state to all 10 NIS2 requirements.
2. Risk & Assessment | 2.2. Updated Risk Register | A register of cyber risks, including financial and operational impacts.
2. Risk & Assessment | 2.3. Statement of Applicability (SoA) | Formal document listing which controls are applicable and how they are implemented.
2. Risk & Assessment | 2.4. Cybersecurity Policy Set | Updated policies (e.g., Access Control, Change Management, Cryptography).
3. Foundational Controls | 3.1. Asset Inventory & Classification | A complete inventory of IT/OT assets, classified by criticality.
3. Foundational Controls | 3.2. Access Control & MFA Rollout | Implementation and evidence of multi-factor authentication on critical systems.
3. Foundational Controls | 3.3. Secure Communications | Evidence of encrypted
4. Incident Response & Recovery | 4.1. Incident Response Plan (IRP) | A formal plan for detecting, containing, and reporting incidents.
4. Incident Response & Recovery | 4.2. Incident Notification Procedure | Step-by-step guide for reporting to the national regulator (CCB).
4. Incident Response & Recovery | 4.3. Incident Response Drill Report | Documentation of tabletop or live drills, including lessons learned.
4. Incident Response & Recovery | 4.4. Crisis Communication Plan | A plan for communicating with stakeholders during a major incident.
5. Supply Chain Security | 5.1. Supplier Risk Assessment Framework | A documented process for assessing third-party cybersecurity risks.
5. Supply Chain Security | 5.2. Critical Supplier Inventory | A list of key suppliers, categorized by the risk they pose to Sibelga's operations.
5. Supply Chain Security | 5.3. Updated Supplier Contracts | Contracts with cybersecurity clauses aligned with NIS2 requirements.
6. Continuous Improvement | 6.1. Audit & Compliance Report | Report from an internal or external audit on the state of NIS2 compliance.
6. Continuous Improvement | 6.2. KPI Dashboard & Metrics | A live dashboard tracking key performance indicators (KPIs) like MTTD and MTTR.
6. Continuous Improvement | 6.3. Annual Review & Improvement Plan | Plan for maintaining and improving the security posture post-implementation.
Final destination?
There's no such thing as a 'Final Destination' when it comes to (cyber-)security... There isn't! Realise this. But above all, act accordingly.
Final destination? Or try this one: Cybersecurity Maturity assessment
Cybersecurity Maturity Rating (0-5): 0 non-existent; 1 initial; 2 acknowledged; 3 defined; 4 managed; 5 optimal
[Radar chart, scale 0–5, over ten domains:]
1. Risk Analysis & Info System Security Policies
2. Incident Handling
3. Business Continuity & Crisis Management
4. Supply Chain Security
5. Security in Network & Info Systems Acquisition
6. Policies to Assess Effectiveness
7. Access Control & Asset Management
8. Use of Cryptography & Encryption
9. Human Resources Security, Training & Awareness
10. Use of Multi-Factor Authentication (MFA)
Final destination? Or try this one: Cybersecurity Maturity assessment
Cybersecurity Maturity (mm/yy), rating 0-5: 0 non-existent; 1 initial; 2 acknowledged; 3 defined; 4 managed; 5 optimal
Evidence per domain (radar chart, scale 0–5):
• MFA Rollout Plan
• Board-Level Briefing & Training (completed)
• NIS2 Gap Assessment Report
• MFA Rollout Progress Report (% coverage on critical systems)
• Updated Risk Register
• Cybersecurity Policy Set (in draft/final status)
• Statement of Applicability (SoA)
• Training & Awareness Program Report (e.g., number of employees trained)
• Human Resources Security Policy
• Incident Response Plan (IRP) (drafted/approved)
• Incident Response Drill Report (with lessons learned)
• Evidence of Encryption (in-transit & at-rest)
• Incident Notification Procedure
• Secure Communications & Cryptography Policy
• Business Continuity Plan (BCP) & Disaster Recovery (DR) Plan
• Logical & Physical Security Controls Report
• Crisis Communication Plan
• Access Control Policy
• Supplier Risk Assessment Framework
• Complete Asset Inventory (IT & OT)
• Critical Supplier Inventory (with risk ratings)
• KPI Dashboard & Metrics
• Updated Supplier Contracts (with security clauses)
• Audit & Compliance Report (internal/external)
• Secure Development Life Cycle (SDLC) Policy
• Vulnerability Management Policy & Report
RACI – NIS2 stakeholders
Deliverable / Activity | SC | PMO | CISO/IT Security | Comms | HR | BU Leads | Legal/Compliance
1. Communication Strategy Document | A | R | C | C | C | C | C
2. CEO/CxO Endorsement Letter/Video | R | C | C | A | I | I | C
3. Steering Committee Updates (dashboard, scorecard) | A | R | C | I | I | I | C
4. Awareness Kick-off Pack (slides, FAQ, handout) | C | R | C | A | C | I | C
5. Visual Campaign (posters, infographics, screensavers) | I | C | C | A | C | I | I
6. Intranet Hub / Knowledge Portal | I | R | C | A | C | I | I
7. Mandatory E-learning Module (role-based) | I | C | C | C | A | I | C
8. Scenario-based Workshops (incident simulation, phishing) | I | R | A | C | C | C | C
9. Manager Briefing Pack (talking points) | I | R | C | A | C | R | I
10. Stakeholder Map | I | R | C | C | I | A | I
11. Change Champion Network | I | R | C | C | C | A | I
12. Feedback Channels (surveys, Q&A mailbox) | I | R | C | A | C | C | I
13. Monthly NIS2 Newsletter | I | C | C | A | I | I | I
14. Interactive Dashboard / Heatmap (progress status) | A | R | C | C | I | I | C
15. Success Stories / Quick Wins | I | C | C | A | I | C | I
16. Crisis Communication Protocol | A | C | C | R | I | I | A
17. Incident Communication Templates (internal/external) | A | C | C | R | I | I | R
18. Media Training for Spokespeople | A | I | I | R | C | I | C
19. Closing Campaign ("Celebrate Compliance") | A | R | C | A | I | C | I
20. "NIS2 is BAU" Guide (ongoing comms) | A | R | C | A | C | C | C
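A RACI matrix is a governance control only if it is internally consistent: each deliverable needs exactly one Accountable role, otherwise nobody can be held to the NIS2 management-body responsibilities, and at least one Responsible role, otherwise nobody does the work. The Python below is an added example, not part of the deck: it parses the twenty rows of the matrix above (copied from the slide) and reports the rows that break either rule. The parsing format and the check functions are this example's own assumptions.

```python
"""RACI consistency check for the NIS2 stakeholder matrix.

Added example, not from the deck. RACI_ROWS copies the slide's rows in a
"n. Deliverable | codes" layout assumed by this example; the checks are
the two rules a governance reviewer applies: exactly one Accountable (A)
and at least one Responsible (R) per deliverable.
"""
ROLES = ["SC", "PMO", "CISO/IT Security", "Comms", "HR", "BU Leads", "Legal/Compliance"]
VALID_CODES = {"R", "A", "C", "I"}

RACI_ROWS = """\
1. Communication Strategy Document | A R C C C C C
2. CEO/CxO Endorsement Letter/Video | R C C A I I C
3. Steering Committee Updates (dashboard, scorecard) | A R C I I I C
4. Awareness Kick-off Pack (slides, FAQ, handout) | C R C A C I C
5. Visual Campaign (posters, infographics, screensavers) | I C C A C I I
6. Intranet Hub / Knowledge Portal | I R C A C I I
7. Mandatory E-learning Module (role-based) | I C C C A I C
8. Scenario-based Workshops (incident simulation, phishing) | I R A C C C C
9. Manager Briefing Pack (talking points) | I R C A C R I
10. Stakeholder Map | I R C C I A I
11. Change Champion Network | I R C C C A I
12. Feedback Channels (surveys, Q&A mailbox) | I R C A C C I
13. Monthly NIS2 Newsletter | I C C A I I I
14. Interactive Dashboard / Heatmap (progress status) | A R C C I I C
15. Success Stories / Quick Wins | I C C A I C I
16. Crisis Communication Protocol | A C C R I I A
17. Incident Communication Templates (internal/external) | A C C R I I R
18. Media Training for Spokespeople | A I I R C I C
19. Closing Campaign (Celebrate Compliance) | A R C A I C I
20. NIS2 is BAU Guide (ongoing comms) | A R C A C C C
"""


def parse_raci(text):
    """Parse 'n. name | codes' lines into {row number: {role: code}}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, codes = line.rsplit("|", 1)
        number = int(name.split(".", 1)[0])
        assignments = codes.split()
        if len(assignments) != len(ROLES):
            raise ValueError(f"row {number}: expected {len(ROLES)} codes, got {len(assignments)}")
        rows[number] = dict(zip(ROLES, assignments))
    return rows


def check_raci(rows):
    """Return the row numbers violating each RACI rule, in row order."""
    findings = {"multiple_accountable": [], "no_accountable": [],
                "no_responsible": [], "invalid_code": []}
    for number, assignment in sorted(rows.items()):
        codes = list(assignment.values())
        if any(c not in VALID_CODES for c in codes):
            findings["invalid_code"].append(number)
        accountable = codes.count("A")
        if accountable == 0:
            findings["no_accountable"].append(number)
        elif accountable > 1:
            findings["multiple_accountable"].append(number)
        if "R" not in codes:
            findings["no_responsible"].append(number)
    return findings


def accountable_roles(rows, number):
    """Roles marked Accountable for one deliverable (should be exactly one)."""
    return [role for role, code in rows[number].items() if code == "A"]


if __name__ == "__main__":
    matrix = parse_raci(RACI_ROWS)
    for rule, numbers in check_raci(matrix).items():
        print(f"{rule}: {numbers}")
```

Run against the slide's own rows, the check flags rows 16, 19 and 20 for carrying two Accountable roles and rows 5, 7, 13 and 15 for having no Responsible role, which is exactly the kind of finding to settle in the SteerCo before the matrix is signed off as the NIS2 accountability record.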
RISK – NIS2 risk evolution (per NIS2 domain)
[Bar chart: monthly values (april, may, june, july, aug) plus "actual risk cycle"; series: governance (GRC), sec/policy, business continuity, HR, supply chain, techn; values shown range from 2% to 42%.]
RISK – NIS2 risk, ad hoc (per NIS2 domain)
[Radar chart "NIS2 - domain of identified risks", scale 0%–40%; axes: governance (GRC), sec/policy, business continuity, HR, supply chain, techn.]
Focus on assets, and management of these assets
Attributes per item: tag id; version; id; instrument index; criticality of item; condition; rating; installation year, month; MTBF; MTTF; MTTR; redundancy; renewal, cost of renewal; recommended renewal / replacement year; original item cost; provider; stock item; # available; stock location; patch; alternative product.
• Identify
• Determine
• List (inventory)
• Life cycle management
• Manage
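The asset management foundation slides earlier on the deck (register of vendors, cross references, the "what if a vendor is not operational anymore" and "what if a key item is running out of life cycle" questions) and the attribute list just above both describe the same register. The Python below is an added example, not code from the deck: an in-memory register whose fields follow the attributes listed (tag id, vendor, site, criticality, installation year, MTBF/MTTR, alternative product/supplier, stock), with the cross-reference queries those questions call for. The tag ids, vendors, sites and all numbers are constructed and hypothetical.

```python
"""Asset register cross-referencing (asset management foundation, tooling).

Added example, not part of the original deck. The Asset fields follow the
attributes the slides list; REGISTER is a constructed sample with
hypothetical tag ids, vendors, sites and figures. The functions answer
the slides' "what if" questions: vendor no longer operational, item
running out of life cycle, and where the impacted items are located.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    tag_id: str
    item: str
    vendor: str
    site: str                 # geographical location / production facility
    layer: str                # plc, ict, electrical, ... (multi-layered model)
    criticality: int          # 1 (low) .. 5 (strategic for the production chain)
    install_year: int
    life_years: int           # expected life cycle length in years
    mtbf_h: float             # mean time between failures (hours)
    mttr_h: float             # mean time to repair (hours)
    alt_product: Optional[str] = None
    alt_supplier: Optional[str] = None
    stock: int = 0            # spare units in stock / warehouse


# Constructed sample register (hypothetical values).
REGISTER = [
    Asset("PLC-001", "line controller", "VendorA", "Site 1", "plc", 5, 2012, 12, 50_000, 8, "VendorB ctrl", "VendorB", 1),
    Asset("PLC-002", "line controller", "VendorA", "Site 2", "plc", 5, 2019, 12, 50_000, 8, "VendorB ctrl", "VendorB", 0),
    Asset("FW-001", "enterprise firewall", "VendorC", "Site 1", "ict", 4, 2016, 7, 80_000, 4),
    Asset("PMP-007", "feed pump", "VendorD", "Site 2", "electrical", 3, 2020, 15, 20_000, 24, "PumpX", "VendorE", 2),
]


def has_fallback(asset):
    """An item is covered when an alternative product, supplier or spare exists."""
    return bool(asset.alt_product or asset.alt_supplier or asset.stock > 0)


def impacted_by_vendor(register, vendor):
    """Vendor no longer operational: impacted tag ids per site, strategic items first."""
    hits = sorted((a for a in register if a.vendor == vendor),
                  key=lambda a: (-a.criticality, a.site, a.tag_id))
    by_site = defaultdict(list)
    for a in hits:
        by_site[a.site].append(a.tag_id)
    return dict(by_site)


def end_of_life(register, year, horizon_years=1):
    """Items whose life cycle ends by year + horizon: (tag id, EOL year, covered?)."""
    out = []
    for a in register:
        eol = a.install_year + a.life_years
        if eol <= year + horizon_years:
            out.append((a.tag_id, eol, has_fallback(a)))
    return sorted(out, key=lambda t: t[1])


def availability(asset):
    """Steady-state availability MTBF / (MTBF + MTTR)."""
    return asset.mtbf_h / (asset.mtbf_h + asset.mttr_h)


def single_points_of_failure(register, min_criticality=4):
    """Strategic items with no alternative and no spare: input for renewal planning."""
    return [a.tag_id for a in register
            if a.criticality >= min_criticality and not has_fallback(a)]


if __name__ == "__main__":
    print("VendorA gone ->", impacted_by_vendor(REGISTER, "VendorA"))
    print("EOL by 2025 ->", end_of_life(REGISTER, 2024))
    print("SPOF ->", single_points_of_failure(REGISTER))
```

The value of the register is in the cross references, as the slides say: vendor, site and life-cycle data on the same record is what turns "a supplier went out of business" into a list of tag ids per production facility, and `single_points_of_failure` is the query that tells the renewal plan which strategic items have neither an alternative product nor a spare on the shelf.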
Cyber security management (overview)
Threat sources: outside threats; inside threats.
Governance and management: risk management; governance; IT security; security intelligence; security SLA, reporting; threat management; escalation; penetration testing; vulnerability assessment; security dashboard; security awareness training; security monitoring (SOC/NOC); security compliance policies; security focused ops; security architecture, design; digital forensics; CIRT; SIEM. Monitoring, response (operations); policy management (prevention).
Perimeter security: perimeter honeypot; perimeter DLP; secure DMZ; message security; DHS-Einstein; firewall; IDS/IPS.
Network security: enclaved data centre; web proxy content filtering; enterprise firewall; enterprise IDS/IPS; enterprise NAC; enterprise message security; enterprise wireless security; enterprise remote security; VoIP protection; inline patching; DLP.
Endpoint security: desktop firewall; host IDS/IPS; endpoint security enforcement; FDCC compliance; patch management; DLP.
Application security: WAF; static application testing; code review; dynamic application testing; database monitoring, scanning; database secure gateway.
Data security: enterprise right management; DAR, DIM protection; data wiping, cleansing; identity access management; data classification; data integrity monitoring; data encryption; PKI; DLP.
Physical – production facilities – security: buildings; operation rooms; scada network; control room; motors, pump, valve devices; tubing; automation controllers; remote access; IoT controllers.
Asset overview (solution based on standards, frameworks, and more)
Intangible assets: knowledge; relations; corporate reputation; brands; commercial reputation; customer trust; competitive advantage; ethics; trade secrets; licenses; patents; experience; productivity.
Application software: proprietary tools; clients; business resource planning; scada; information management; utilities; database tools; (e-)commerce applications.
Operating systems and servers: servers; data centres; network devices; physical media; automation (plc); identification devices; security devices; operation rooms; production facilities; stock, warehouse; metering devices; pumps, controllers; valves, controllers.
Physical assets, IT hardware: storage devices; mobile, fixed equipment; work stations; laptops, tablets, smartphones; IoT devices; modems, routers; filters; communication devices; multifunctional equipment.
Physical assets, IT infrastructure and buildings: buildings; offices; storage rooms; alarm, fire suppression; un-interruptible power systems; power supply; A/C; dehumidifiers; compressors; chillers.
IT services, IT environment assets and controls: user authentication; services; process management; firewall; proxy servers; network services; network lines; wireless services; anti-spam; spyware intrusion detection; web-services; software maintenance; support contracts.
End of this PowerPoint, but only the start of a great journey.
Where does it apply?

„Critical infrastructures are organizational and physical structures and facilities of such vital importance to a nation's society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequence" [1]

"Critical infrastructure is an installation, system or part thereof, of federal importance, which is essential for the maintenance of vital societal functions, health, safety, security, economic prosperity or social well-being, and the disruption of whose operation or destruction would have a significant impact because those functions would be disrupted." [2]

An asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. [3]

[1] Source: UP KRITIS Public-Private Partnership for Critical Infrastructure Protection
[2] https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Infrastructure#Belgium
[3] https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Infrastructure#Council_Directive_2008.2F114.2FEC
What is the aim of the directive?

• It proposes a wide-ranging set of measures to boost the level of security of network and information systems (cybersecurity) to secure services vital to the EU economy and society. It aims to ensure that EU countries are well-prepared and are ready to handle and respond to cyberattacks through:
  • the designation of competent authorities,
  • the set-up of computer-security incident response teams (CSIRTs), and
  • the adoption of national cybersecurity strategies.
• It also establishes EU-level cooperation both at strategic and technical level.
• Lastly, it introduces the obligation on essential-services providers and digital service providers to take the appropriate security measures and to notify the relevant national authorities about serious incidents.

Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
What is KEY?

Improving national cybersecurity capabilities

EU countries must:
• designate one or more national competent authorities and CSIRTs and identify a single point of contact (in case there is more than one competent authority);
• identify providers of essential services in critical sectors such as energy, transport, finance, banking, health, water and digital infrastructure where a cyberattack could disrupt an essential service.

EU countries must also put in place a national cybersecurity strategy for network and information systems, covering the following issues:
• being prepared and ready to handle and respond to cyberattacks;
• roles, responsibilities and cooperation of government and other parties;
• education, awareness-raising and training programmes;
• research and development planning;
• planning to identify risks.

Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
What is required?

The national competent authorities monitor the application of the directive by:
• assessing the cybersecurity and security policies of providers of essential services;
• supervising digital service providers;
• participating in the work of the cooperation group (comprising network and information security (NIS) competent authorities from each of the EU countries, the European Commission and the European Union Agency for Network and Information Security (ENISA));
• informing the public where necessary to prevent an incident or to deal with an ongoing incident, while respecting confidentiality;
• issuing binding instructions to remedy cybersecurity deficiencies.

The CSIRTs are responsible for:
• monitoring and responding to cybersecurity incidents;
• providing risk analysis and incident analysis and situational awareness;
• participating in the CSIRTs network;
• cooperating with the private sector;
• promoting the use of standardised practices for incident and risk-handling and information classification.

Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
What is required?

Security and notification requirements

• The directive aims to promote a culture of risk management. Businesses operating in key sectors must evaluate the risks they run and adopt measures to ensure cybersecurity. These companies must notify the competent authorities or CSIRTs of any relevant incident, such as hacking or theft of data, that seriously compromises cybersecurity and has a significant disruptive effect on the continuity of critical services and the supply of goods.
• To determine incidents to be notified by providers of essential services*, EU countries should take into account an incident's duration and geographical spread, as well as other factors, such as the number of users relying on that service.
• Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements.

Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
How will it be done?

Improving EU-level cooperation

• The directive sets up the cooperation group, whose tasks include:
  • providing guidance to the CSIRTs network;
  • exchanging best practice on the identification of providers of essential services;
  • assisting EU countries in building cybersecurity capabilities;
  • sharing information and best practice on awareness-raising and training, research and development;
  • sharing information and collecting best practice on risks and incidents;
  • discussing modalities of incident notification.

Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
How will it be done?

• The directive also sets up the CSIRT network, comprising representatives of EU countries' CSIRTs and the Computer Emergency Response Team (CERT-EU), whose tasks include:
  • sharing information on CSIRT services;
  • sharing information concerning cybersecurity incidents;
  • supporting EU countries in the response to cross-border incidents;
  • discussing and identifying a coordinated response to an incident reported by an EU country;
  • discussing, exploring and identifying further forms of operational cooperation, including:
    • categories of risks and incidents;
    • early warnings;
    • mutual assistance;
    • co-ordination between countries responding to risks and incidents which affect more than one EU country;
  • informing the cooperation group of its activities and requesting guidance;
  • discussing lessons learnt from cybersecurity exercises;
  • discussing the capabilities of individual CSIRTs at their request;
  • issuing guidelines on operational cooperation.

Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
Published standards
• The published ISO27K standards related to "information technology - security techniques" are:
• ISO/IEC 27000 — Information security management systems — Overview and vocabulary
• ISO/IEC 27001 — Information technology - Security Techniques - Information security management systems — Requirements. The
2013 release of the standard specifies an information security management system in the same formalized,
structured and succinct manner as other ISO standards specify other kinds of management systems.
• ISO/IEC 27002 — Code of practice for information security controls - essentially a detailed catalog of information security controls
that might be managed through the ISMS
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on auditing the management system)
• ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on auditing the information security controls)
• ISO/IEC 27009 — Essentially an internal document for the committee developing sector/industry-specific variants or implementation
guidelines for the ISO27K standards
• ISO/IEC 27010 — Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (derived from ITIL)
• ISO/IEC 27014 — Information security governance.
• ISO/IEC TR 27015 — Information security management guidelines for financial services - Now withdrawn
• ISO/IEC TR 27016 — information security economics
• ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC TR 27019 — Information security for process control in the energy industry
• ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
• ISO/IEC 27032 — Guideline for cybersecurity
• ISO/IEC 27033-1 — Network security - Part 1: Overview and concepts
• ISO/IEC 27033-2 — Network security - Part 2: Guidelines for the design and implementation of network security
• ISO/IEC 27033-3 — Network security - Part 3: Reference networking scenarios - Threats, design techniques and control issues
• ISO/IEC 27033-4 — Network security - Part 4: Securing communications between networks using security gateways
• ISO/IEC 27033-5 — Network security - Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
• ISO/IEC 27033-6 — Network security - Part 6: Securing wireless IP network access
• ISO/IEC 27034-1 — Application security - Part 1: Guideline for application security
• ISO/IEC 27034-2 — Application security - Part 2: Organization normative framework
• ISO/IEC 27034-6 — Application security - Part 6: Case studies
• ISO/IEC 27035-1 — Information security incident management - Part 1: Principles of incident management
• ISO/IEC 27035-2 — Information security incident management - Part 2: Guidelines to plan and prepare for incident response
• ISO/IEC 27036-1 — Information security for supplier relationships - Part 1: Overview and concepts
• ISO/IEC 27036-2 — Information security for supplier relationships - Part 2: Requirements
• ISO/IEC 27036-3 — Information security for supplier relationships - Part 3: Guidelines for information and communication technology
supply chain security
• ISO/IEC 27036-4 — Information security for supplier relationships - Part 4: Guidelines for security of cloud services
• ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 27038 — Specification for Digital redaction on Digital Documents
• ISO/IEC 27039 — Intrusion prevention
• ISO/IEC 27040 — Storage security
• ISO/IEC 27041 — Investigation assurance
• ISO/IEC 27042 — Analyzing digital evidence
• ISO/IEC 27043 — Incident investigation
• ISO/IEC 27050-1 — Electronic discovery - Part 1: Overview and concepts
• ISO/IEC 27050-2 — Electronic discovery - Part 2: Guidance for governance and management of electronic discovery
• ISO 27799 — Information security management in health using ISO/IEC 27002 - guides health industry organizations on how to
protect personal health information using ISO/IEC 27002.
In preparation
• Further ISO27K standards are in preparation covering aspects such as digital forensics and cybersecurity, while the released ISO27K standards are
routinely reviewed and updated on a ~5 year cycle.