ISO/IEC 27001

==Introduction==

[Figure: Plan-Do-Check-Act (PDCA) cycle]
  • Belongs to the ISO/IEC 27000 family of standards (information security management).
  • One of the most widely adopted standards for information security management systems (ISMS), and the one an organization can be certified against.
  • Provides a systematic framework for establishing, implementing, maintaining, and continually improving an organization's ISMS.
  • Helps organizations build an information security management system and risk management process that is tailored to their size, context, and needs.
  • Helps organizations preserve the confidentiality, integrity, and availability of information.
  • Makes organizations risk-aware: security controls are selected from a documented risk assessment rather than from a fixed checklist, so weaknesses are identified and treated proactively.

==Clauses==


NIS2 Framework

1. NIS2 Updates NIS1, Setting EU-Wide Cybersecurity Rules

The NIS2 Directive (Directive (EU) 2022/2555, the second Network and Information Security Directive) is a major revision of the original NIS Directive (Directive (EU) 2016/1148, adopted in 2016), designed to strengthen cybersecurity across the European Union. While NIS1 left member states significant flexibility in how they implemented cybersecurity measures, NIS2 establishes more harmonized and stringent EU-wide rules and widens the set of sectors and entities in scope. It introduces minimum common requirements for risk management, incident reporting, and cross-border cooperation. The directive also strengthens supervision and enforcement, including fines for non-compliance, to ensure a consistent and robust cybersecurity posture across the EU.


NIST Framework CSF 1.1

NIST Cybersecurity Framework (CSF) 1.1 overview:

The Framework Core consists of:

  • Five functions: Identify, Protect, Detect, Respond, and Recover, broken down into 23 categories and 108 subcategories (desired outcomes), each mapped to informative references such as ISO/IEC 27001 and NIST SP 800-53. A sixth function, Govern, was only added in CSF 2.0 (2024).

The Framework Implementation Tiers describe how rigorously an organization manages cybersecurity risk:

  • Tier 1 (Partial): Informal, ad hoc, reactive processes.
  • Tier 2 (Risk-Informed): Risk management practices approved by management but not yet established as organization-wide policy.
  • Tier 3 (Repeatable): Formally approved policies, applied consistently across the organization and integrated with risk management.
  • Tier 4 (Adaptive): Practices adapted from lessons learned and predictive indicators; continuous improvement.

The Framework Profiles consist of:

  • Current Profile: Assesses existing cybersecurity practices.
  • Target Profile: Defines desired cybersecurity outcomes.
  • Gap Analysis: Compares the two profiles to prioritize improvements.

Purpose: Align cybersecurity with business goals and enhance resilience.


Possible “ISMS” Structures

Strategic Elements

  1. Scope of the ISMS
  2. Strategic issues and directions
  3. Legal and regulatory aspects
  4. Scale of needs
  5. Security needs
  6. Sources of threats

1) Security Rules

1. Organization

  1. Security policy
  2. Security organization
  3. Information-security risk management
  4. Security and lifecycle management
  5. Assurance and certification

2. Implementation

  1. Human aspects
  2. Business continuity planning
  3. Incident management
  4. Awareness and training
  5. Operations
  6. Physical and environmental aspects

3. Technical

  1. Identification / authentication
  2. Logical access control
  3. Logging

2) Action Plan

  1. Business Continuity Plan / Disaster Recovery Plan (BCP/DRP)
  2. Monitoring and alerting
  3. Backups and environment management
  4. Equipment management
  5. Flow isolation
  6. Access management
  7. Antivirus policy
  8. Supplier management and IT charter
  9. Roadmap


About

This blog aims to familiarize readers with IT governance and the PSSI (Politique de Sécurité des Systèmes d'Information, the French term for an information systems security policy) and to provide worked examples.
