Will your organisation soon have to comply with the new NIS2 cybersecurity directive? If so, this is a unique opportunity to take your security to the next level. Yet it also brings challenges. Luckily, you are not alone. Even though NIS2 compliance always remains your responsibility, a Managed Service Provider specialising in security can ease your worries. Especially if you include the following points of interest when selecting this partner.
Certifications
For NIS2 compliance, your organisation is expected to bring its information security up to a certain level. It is therefore vital that your IT partner also meets these high security requirements. So pick a partner that at least meets the ISO 27001 information security standard.
A company holding the ISO 27001 certification has demonstrated that it takes cybersecurity seriously and that its processes meet a recognised standard for information security management. Therefore, if your IT partner has achieved this certification, you can be confident that its own security practices are in order.
Control
An IT partner unburdens you so that you can focus on your core business. Yet you should never feel like you are losing control of your business data and IT systems. You should quite literally hold the keys. Make sure you always maintain access to your own data and systems yourself, so that you are not dependent on your IT provider.
This is also crucial from the perspective of the NIS2 requirements: after all, compliance always remains your own responsibility. Your IT partner will support you in NIS2 compliance and relieve you of the practical aspects, but you remain in control. Therefore, ask potential IT partners how they handle this.
Up-to-date knowledge and technology
You can expect an IT partner specialised in NIS2 compliance to have teams with up-to-date knowledge of security technologies and practices, as well as of the latest changes to NIS2 legislation. Ask potential IT partners for references from other customers and listen to their impressions of the knowledge of the respective teams. Also ask the IT partners themselves about their policies on employee training.
Also ask for a demo of the solutions the IT partner deploys to support customers in achieving NIS2 compliance. That way, you will get an idea of the technologies they work with and how up-to-date they are. Be sure to check whether these follow state-of-the-art industry standards and whether they are relevant to achieving NIS2 compliance. For example, does the IT partner deploy Endpoint Detection & Response (EDR) or operate a Security Operations Centre (SOC)?
Continuous improvement processes
NIS2 requires you to manage your IT environment with due care, like a prudent person. A one-off effort is not enough, as cyber threats are constantly evolving. This calls for periodic assessments and corresponding improvement plans, with the aim of continuously improving your security. That in turn requires the right processes.
So ask about the procedures and processes your IT partner has implemented to support you in complying with NIS2. This includes, for example, how risks are evaluated and addressed, how a Security Incident Response Plan (SIRP) is drawn up, and how patch management is set up.
Holistic approach
NIS2 is not merely the responsibility of the IT department, but of your entire organisation. Therefore, choose an IT partner that takes a holistic approach to cyber security. In doing so, the IT partner pays attention not only to the technological aspect of NIS2, but also to the legal and process aspects.
The technological aspect is about taking the right measures, given the available technology, to protect your business from cyber threats. The legal aspect is about complying with NIS2 legislation, with all the obligations that come with it. And the process aspect is about getting the right processes in place and documenting them, such as incident response.