NIS Directive Kit
Quickly implement the requirements of the NIS Law
Do you want to avoid a negative or qualified NIS audit opinion?
Do you want to avoid possible controls and fines of the National Cyber Security Directorate?
Do you want to create the foundation of a more secure business?
Implement the NIS Directive and Law 362 intelligently!
2500 RON, excluding VAT
Detailed implementation manual
It contains practical advice from 2 years of experience in consulting for various operators of essential services on implementing the requirements of the NIS Directive, all of whom successfully passed the NIS audit.
Contains applicable recommendations from the founder's 20 years of experience in information security management.
It contains pragmatic approaches, drawn from the experience of specialists who are certified NIS auditors, to adjusting and implementing audit procedures and records.
Complete documentation for compliance with the Law 362
38 operational procedures and 36 documents for audit records that meet the requirements of the law for 67 auditable control indicators
Documentation updated with the latest legislation
100% editable documentation
We perform a security risk analysis
Build with us the basics and finesse of compliance
Free email support
If you are unclear about how to implement this documentation in your organization, send us your questions by email and we will answer them by email.
The possibility of a dedicated consultant
If you need dedicated support and consultancy specific to your requirements, you have the possibility of contracting dedicated sessions with the Sectio Aurea team of experts.
The documentation of the NIS Directive Kit includes the policies and operational procedures required by law, as well as the mandatory registers for providing audit records to NIS authorized auditors. The documentation was built to be completed and implemented simply, quickly and efficiently, even by an audience less accustomed to information security management.
The content of the kit is aligned with the requirements of the law and its methodological norms, but also with international best practices in information security (NIST Cybersecurity Framework, NIST Special Publications, ISO 27001, IEC 62443 Security for industrial automation and control systems, COBIT 5 for Information Security).
The NIS Directive Kit is an innovative product that helps you implement the requirements of Law 362 yourself, without specialist assistance. By following our step-by-step instructions, you will implement the requirements of the NIS Directive in a simple, fast and efficient way. You will save time, money and energy and invest in the safety of your business in the long term by avoiding fines.
Implement the NIS Directive and Law 362 intelligently!
Practical Dialogue. February 3, 2023.
An open, honest and committed dialogue on the topic.
The largest webinar on the NIS Directive.
The perspective of accredited NIS auditors, with practical experience in IT management.
The perspective of a consultant with 15 months of experience in implementing the requirements of the law in various companies in Romania, but also with 20 years of experience in cyber security.
What does the Kit actually contain?
Detailed manual for implementing the requirements of the NIS Directive in the organization, plus adaptable policy and procedure templates and operational and audit evidence
Governance

- ARNIS - Security risk analysis of networks and IT systems
- MEGRE - Risk management methodology for the provision of essential services
- The decision to establish the Monitoring Commission
- The decision to appoint the Information Security Officer - the NIS Officer
- The decision to appoint the Information Security Officer
- Decision for risk tolerance
- Risk identification and assessment form or "Risk alert" form
- Information regarding the development of the risk management process at the company level
- The plan for the implementation of risk control and follow-up measures
- Annual report on the development of the risk management process
- Review of risk profile and risk tolerance limit
- Consolidated risk register

- PONIS - The security policy of networks and IT systems that ensure the provision of essential services
- RAIPOD - Model report on the implementation of the security policy of networks and IT systems that ensure the provision of essential services and its application documents
- DANIS - The accreditation process established in PONIS through which the OSE accredits the NIS used in the provision of essential services, including administration components
- IEC - Evaluation indicators, on the basis of which the OSE evaluates its compliance with the Network and IT Systems Security Policy
- Examples of Key Risk Indicators to choose from

- MEIEC - Method for evaluating compliance indicators
- Non-conformity report (MEIEC Annex 1)
- Non-conformity log (MEIEC Annex 2)
- Corrective action report (MEIEC Annex 3)

- PGASP - Personnel security assurance program
- ISA - Security training for employees
- Planning the awareness and professional training campaign
- The thematic training plan in the field of IT security
- Templates for internal security awareness emails

- FP - The security requirements necessary for the job description
- PRASA - Security presentation program for all staff and for specialized staff
- PRISA - Security training program for employees who use the networks and IT systems that are the basis for the provision of essential services
- INCEA - Necessary tools for raising awareness and educating employees about the types of IT security threats and the appropriate protection measures in order to limit incidents
- COSE - Service contracts or external service provision
- LASPO - List of assets, systems and processes of the organization
- SANIS construction guide

- PRECDI - Procedure regarding the labeling and classification of data and information
- SICAE - Cartographic situation of the ecosystem; the document through which the ecosystem that is the basis for the provision of the essential service, both NIS and other components, is established and identified
- LIRIE - List of identified potential risks and their evaluation in the provision of essential services. The risks are represented by the relations with the interested parties of the ecosystem
- PROSRE - Procedure for establishing ecosystem relationships; the document includes interconnections (external relations) between networks and IT systems and third parties
- LASMA - List of service level agreements and/or audit mechanisms of networks and IT systems
- SANIS - Scheme of the architecture of networks and IT systems used to provide essential services
- SANIS construction guide
Protection

- PRUSME - Procedure regarding the use of external memory media
- RESME - Record registers of external memory media
- PROCESS - Procedure regarding the segregation and segmentation of networks and IT systems used for the provision of essential services
- PROFIT - Traffic filtering procedure
- PRAPC - Procedure for ensuring cryptographic protection for information and resources
- MACC - Management of encryption keys; the process that ensures the production, use and recording of cryptographic material, including encryption keys
- PRAPMA - Procedure for ensuring malware protection
- PRUSSIA - Procedure regarding the use of IT administration systems
- JIERU - Logs recording events produced by resources used for administration. The logs are established and kept in electronic form or on paper.
- PPSIA - The envelope with passwords used for the IT systems for the administration of networks and IT systems
- PROLD - Remote working procedure
- ECUPA - Record of accounts for users and for automated processes
- LICPA - List of privileged accounts by access levels and accessible functionalities
- LICA - List of administration accounts
- MEAUP - Authentication mechanism for users and automated processes to the resources of networks and IT systems
- SIVMOC - System for verifying potential changes to a privileged account
- PROMNIS - Procedure for maintaining the security of networks and IT systems
- Evidence of implementation of the minimum security level
- Evidence of security exceptions
- Evidence of vulnerability detection and patch application
- Request for granting or withdrawing access to the IT system

- PRORUVI - Procedure to reduce the risks related to the use of an outdated version
- CEISC - Specific security requirements for industrial control systems
- ANISMS - Analysis of security risks and implementation of security measures to limit unauthorized access
- PRASI - Procedure regarding the access and security of resources and information
Cyber Defense

- PRODAIS - Procedure for reporting security incidents
- PEIREV - Process of identifying, classifying, fixing and eliminating vulnerabilities, especially in software and firmware, at the level of networks and IT systems
- PRORAI - Procedure for the management, response and analysis of incidents that affect the operation or security of IT networks and systems
- PRORIS - Procedure for reporting security incidents
- PISAC - Interconnection procedure to the alerting and cooperation service of CERT-RO
Resilience

- Complete Business Continuity Plan template
- PRADE - Procedure regarding the management of ensuring the availability of the essential service in case of a cyber security incident
- PROMRE - Procedure regarding the management of data recovery in case of disasters, as well as in case of severe cyber security incidents
- PROCIS - Procedure regarding the organization of crisis management in case of cyber security incidents to ensure the continuity of organizational activities
- PEGEC - Crisis management processes; the documents by which the OSE establishes the processes and methods of implementation in case of cyber security incidents to ensure the continuity of organizational activities
Do you want to preview examples?
PONIS - Network and IT systems security policy
PRECDI - Procedure regarding the labeling and classification of data and information
PROMNIS - Procedure for maintaining the security of networks and IT systems
Why us?
We are authorized
You have the support of specialists who are certified auditors for auditing compliance with the law.
Sectio Aurea is a DNSC certified auditor for the NIS Directive, CLE Series / 8020.
People
The specialists who contributed to the Kit have at least 5 years of experience in the field covered by the law, in organizations of high complexity (multinationals).
Most are opinion leaders, respected professionals: IT Managers, Security Managers, CISOs.
Business model
The kit is the result of hard and sustained work in implementing the requirements of the NIS Directive in various environments.
It was optimized through direct customer feedback, but also following the collaborative consultation of a focused work group.
Do you want to act?
Order the NIS Directive Kit
Our Team - Your Cybersecurity Experts
At Sectio Aurea, we collaborate with top IT and security professionals. They have a minimum of 5 years of experience in complex, multinational organizations, managing complex projects and leading security teams. They are opinion leaders, respected professionals and occupy positions such as IT Manager, Security Manager, CISO, DPO and Architects.
We work with 16 cyber security experts. With each one we have a history of years of successful projects and constant interactions.
However, we can scale with entire teams of IT specialists in your priority areas.
Our specialists hold a wide range of certifications in advanced fields such as cybersecurity, data protection, security management and information systems auditing. Choose to collaborate with us and we assure you that your business will benefit from the highest level of expertise in information security.
Testimonials
NIS Directive Audit
NIS Directive Consulting
About the European NIS Directive and Law 362/2018
As of January 12, 2019, the NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016) was transposed into Romanian law by Law no. 362/2018, adopted by the Romanian Parliament.
Its aim is to achieve a high common standard for network and information security in all Member States of the Union that provide essential services to society.
As services increasingly rely on IT network infrastructures, these measures are aimed at strengthening the readiness of EU states to respond to cyber security threats, thus raising overall confidence in the digital single market.
Therefore, the NIS Directive is an essential European regulation that ensures the sustainability of the new digital economy.