In the last couple of months, I've done several NIS2 assessments and discovered something interesting: NIS2 scores an organization based on two dimensions: Documentation and Implementation.
Two Dimensions
Documentation is all about how well you have written down your information security policies and governance. Think of, for example:
How do we deal with USB drives?
How do we deal with third-party software, and how do we download and install it on our systems?
How often should we do backups?
That's all documentation.
On the other hand, there's Implementation: actually installing, enabling, and activating controls to keep your environment safe. That means, for example, installing anti-malware, running effective anti-phishing training, and blocking USB drives.
Four Quadrants
Now, NIS2 looks at both dimensions. That's interesting, because combining them gives you four different personas or profiles for a company.
If you have a lot of Documentation but not a lot of Implementation, you are a PAPER TIGER. There’s a lot of stuff in the cabinets and on paper, but not much has been implemented.
On the other hand, if your team is doing a lot of Implementation and really putting controls in place, but lacks the legal framework or the governance around them, I call them ACTION HEROES. They are in the field doing the work, but there is no legal backup.
If your organization is doing both Documentation and Implementation, hey, you are the ROLE MODEL. Congratulations! Keep going.
And if your organization is low on Documentation and low on Implementation, you are a GHOST. You really don't exist according to the NIS2 security standards.
And you?
So, with that said, an interesting question arises: What type of organization are you working in? Are you the Action Hero? Are you the Paper Tiger? Are you the Role Model? Or are you the Ghost?
Think about that.
You need both Documentation and Implementation.
With that said, I wish you a wonderful day, and see you next time.
Jetro