NIS Regulations: Cyber Assessment Framework

The NCSC (National Cyber Security Centre) has published 14 high-level security principles with which all OES (operators of essential services) must implement, in the form of the CAF (Cyber Assessment Framework).

OES’ compliance with the NIS Regulations (Network and Information Systems Regulations) is monitored through audits conducted by designated competent authorities.

The CAF breaks each principle down into specific outcomes, which are then further broken down into IGPs (indicators of good practice). An auditor will use these IGPs to determine if the organisation has correctly applied the principle.

The CAF consists of the following compliance elements:

Objective A

Managing security risk

• A.1 Governance
• A.2 Risk management
• A.3 Asset management
• A.4 Supply chain

Objective B

Protecting against cyber attack

• • B.1 Service protection policies and procedures
  • B.2 Identity and access control
  • B.3 Data security
  • B.4 System security
  • B.5 Resilient networks and systems
  • B.6 Staff awareness and training

Objective C

Detecting cyber security events

• C.1 Security monitoring
• C.2 Anomaly detection

Objective D

Minimising the impact of cyber security incidents

• D.1 Response and recovery planning
• D.2 Improvements

NIS Regulations Gap Analysis

Get a true picture of how your current cyber security arrangements measure up against the requirements of the Network and Information Systems Regulations 2018 with our NIS Regulations gap analysis service.

The NIS Regulations Gap Analysis is suitable for both operators of essential services (OES) and digital service providers (DSPs), and will assess your organisation’s current level of compliance against the NIS Regulations’ requirements.

• All our consultants are all qualified ISO 27001 and cyber security specialists.
• We are pioneers in the implementation of ISO 27001-conformant ISMSs and have helped more than 800 clients with implementation and certification projects.
• Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS Regulations compliance and manage the project from start to finish.
• We have managed hundreds of projects across all industries, including healthcare, energy, transport, water, defence and aerospace.
• We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
• We deliver practical advice and work according to your budget and organisational needs.
• Our team of experts can attend your site to support your organisation during an audit by a competent authority. We are also available to conduct mock compliance inspections and audits.