Hey there,
Welcome to the second week of The Fellowship newsletter.
This week has been excellent. On Monday, I was informed that a new version of the NIS Directive was coming into play. The original NIS Directive was published in 2016. It concerns the security of Network and Information Systems. The NIS 2 Directive was published in 2022 and broadens both the scope and the security requirements.
I had planned on including some content on the NIS Directive. So having a new one to work with is great! Fresh new content that most people don’t know about. It will be a great addition to the Practical GRC course.
It’s always best to work methodically when learning a new Regulation, Directive, Law, Standard, or Framework. You need to get your eyes on the document itself. It is the bible for what you are trying to learn, and secondary sources are only as good as their reading of it. Occasionally, a paywall is a blocker.
I am using the ISO 27001 standard as an example. To read that document, you need to purchase it from ISO. It’s not cheap either. For my recent ISO 27005 class, I was required to have three different ISO standards as pre-requisite reading. Luckily, my company funded the course and the reading material as part of my CPD. Regulations, Directives, and Laws, by contrast, are usually published free of charge online; it is mostly Standards that sit behind a paywall.
Once you have the document, you will need to read it to understand it fully. There are, however, some quick ways to get to the bottom of the requirements first.
First things first:
Search on YouTube for an explainer video. Many Information Security companies will use the new Regulation (etc.) to win customers by selling solutions to the requirements it introduces, so explainer videos appear quickly. Keep in mind that they are marketing material and may emphasise the requirements the vendor's product addresses.
Make notes on all the key points from the videos, then confirm that each point is visible in the document and that the words in the video reflect the document's actual requirements. The last thing you want to do is learn from a video and then find out, after doing some work, that the information was wrong. Verify everything!
If a suitable quality video is unavailable, use “Ctrl + F” (“Cmd + F” on a Mac). It’s the keyboard shortcut that brings up a “Find” box in almost every browser and document reader. It allows you to search for words or phrases and jump straight to them. Searching for the terms below, rather than reading cover to cover on the first pass, can cut the familiarisation time substantially.
Here are the key things that you need to find out in your initial familiarisation session:
Issuer
Who introduced the new Regulation, Directive, Law, Standard, or Framework?
Scope
The geographical region where the new Regulation, Directive, Law, Standard, or Framework applies.
The intended target audience. These are the people, businesses, organisations, or groups affected by the new Regulation, Directive, Law, Standard, or Framework.
If it applies to a region (e.g., the EU), does it also apply to organisations outside the region that interact or do business with the region's citizens or residents?
Previous Version
Does the new Regulation, Directive, Law, Standard, or Framework replace an older version?
Effective date
This is when the new Regulation, Directive, Law, Standard, or Framework comes into force.
Abbreviations
Understand the abbreviations used. Usually, these documents have a definitions section dedicated to clarifying the meanings of abbreviations or uncommon words.
Purpose
What is the purpose of the new Regulation, Directive, Law, Standard, or Framework? Why is it being introduced?
What are the requirements?
Does the new Regulation, Directive, Law, Standard, or Framework set out something to be done or restrict something from being done?
What are the implications for you or the organisation that you work for?
This is usually the point at which a gap analysis starts: map each requirement to what the organisation already does and record where it falls short.
Compliance Checking/Enforcement
Who is liable to be checked for their compliance status?
Who is responsible for checking the compliance status?
Is Certification (if available) optional or compulsory?
If Certification is available, who is the Certification Body?
Consequences of non-compliance
What is the potential impact of any fines or criminal charges?
Who is Liable?
Is executive management personally liable? Or is the organisation fully accountable for any actions against it?
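To make the Ctrl + F step repeatable, here is an added example of my own (not from the newsletter or from any Directive): a small Python script that runs the familiarisation checklist above as keyword-in-context searches over the plain text of a document and reports which headings found nothing, so you know what still has to be found by reading. The regex phrases, the heading names, and the sample text are my assumptions, modelled on generic EU legislative wording rather than quoted from any instrument; paste in the real document's text and extend the patterns as you learn its style.

```python
import re
from typing import Dict, List, Tuple

# Regexes for phrases that commonly signal the answer to each familiarisation
# heading in EU-style legal text. These are assumptions about typical wording,
# not taken from any particular Directive; extend them per document.
CHECKLIST: Dict[str, List[str]] = {
    "Issuer": [r"\bthe european parliament and of the council\b", r"\bpublished by\b"],
    "Scope": [r"\bthis (?:directive|regulation) applies to\b", r"\bshall apply to\b"],
    "Previous version": [r"\brepealed?\b", r"\breplaces?\b"],
    "Effective date": [r"\benters? into force\b", r"\bshall apply from\b", r"\btranspos\w*\b"],
    "Abbreviations": [r"\bdefinitions\b", r"\bthe following definitions apply\b"],
    "Purpose": [r"\bsubject matter\b", r"\bobjectives?\b", r"\baims? to\b"],
    "Requirements": [r"\bshall (?:ensure|take|adopt|implement|notify)\b", r"\bshall not\b"],
    "Enforcement": [r"\bcompetent authorit(?:y|ies)\b", r"\bsupervis\w*\b", r"\baudits?\b"],
    "Consequences": [r"\badministrative fines?\b", r"\bpenalt\w*\b", r"\bcriminal\b"],
    "Liability": [r"\bmanagement bod(?:y|ies)\b", r"\bliab\w*\b"],
}

Hit = Tuple[str, str]  # (matched phrase, surrounding snippet)


def scan(text: str, checklist: Dict[str, List[str]] = CHECKLIST,
         context: int = 60) -> Dict[str, List[Hit]]:
    """Run every checklist pattern over the text (case-insensitive) and return,
    per heading, the matched phrase plus `context` characters either side, so
    each hit can be verified against the document before it is relied on."""
    hits: Dict[str, List[Hit]] = {heading: [] for heading in checklist}
    for heading, patterns in checklist.items():
        for pattern in patterns:
            for m in re.finditer(pattern, text, flags=re.IGNORECASE):
                start = max(0, m.start() - context)
                end = min(len(text), m.end() + context)
                snippet = " ".join(text[start:end].split())  # collapse line breaks
                hits[heading].append((m.group(0), snippet))
    return hits


def unanswered(hits: Dict[str, List[Hit]]) -> List[str]:
    """Headings with no hits: the questions you still have to answer by reading."""
    return [heading for heading, found in hits.items() if not found]


def report(hits: Dict[str, List[Hit]]) -> str:
    """Plain-text summary: hits per heading, then the headings left unanswered."""
    lines = []
    for heading, found in hits.items():
        lines.append(f"== {heading}: {len(found)} hit(s)")
        for phrase, snippet in found:
            lines.append(f"   [{phrase}] ...{snippet}...")
    missing = unanswered(hits)
    if missing:
        lines.append("Still to find by reading: " + ", ".join(missing))
    return "\n".join(lines)


# Constructed stand-in text modelled on generic EU legislative wording; it is
# NOT a quotation from the NIS Directive or any other real instrument.
SAMPLE_TEXT = """\
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on measures for a high common level of cybersecurity across the Union

Subject matter: This Directive lays down measures that aim to achieve a high
common level of cybersecurity across the Union.
Scope: This Directive applies to public or private entities of the types
listed in the Annexes.
Member States shall ensure that entities take appropriate and proportionate
technical, operational and organisational measures to manage risks.
Member States shall ensure that the management bodies of entities can be held
liable for infringements of this Directive.
Competent authorities shall supervise and enforce compliance with this Directive.
Member States shall ensure that infringements are subject to administrative fines.
The earlier Directive is repealed with effect from the date of application of
this Directive.
This Directive shall enter into force on the twentieth day following that of
its publication.
"""

if __name__ == "__main__":
    print(report(scan(SAMPLE_TEXT)))
```

On the sample text every heading gets at least one hit except Abbreviations, which the report lists as still to be found by reading; that is the intended behaviour, since a search can only tell you where to look, and each snippet still has to be checked against the document in context.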
That’s it for this week’s edition of “The Fellowship”. I hope you take this new knowledge and set yourself the task of understanding a Regulation, Directive, Law, Standard, or Framework you do not have experience with.
Some of you might have seen it; others may not have. I created a 51-page carousel and posted it to LinkedIn on Wednesday. You could also pick it up from my website as a digital download if you missed it. Click the link: NIS 2 Directive – A Breakdown. Share the link with people at your business who might need to know about the changes to the NIS Directive.
Until the next adventure!
Stuart Wedge 🧙♂️
PolicyWizard