NIS2 Documentation Templates

Every participant of the NIS2 in practice training receives access to a set of documentation templates that help demonstrate compliance with the requirements of the Polish act on the national cybersecurity system, which transposes the NIS2 Directive. These are over 30 practical documents, ready to implement as-is or to adapt to the organization's specifics.

The documentation was prepared based on:

  • the requirements contained in the NIS2 Directive,
  • ENISA guidelines,
  • and experience with cybersecurity audits and assessments in different sectors.

It includes, among other things, risk management procedures, incident response procedures, security policies, responsibility matrices, registers and management reporting templates.

NIS2 Documentation Templates

Information security and continuity policy

The document defines the principles of protecting key information in the organization and the approach to ensuring business continuity. It sets objectives, scope and responsibilities, forming the foundation of NIS2 compliance. It is the starting point for building an effective information security management system and crisis preparedness.

Context of the organisation and stakeholders

The document identifies internal and external factors affecting information security and NIS2 compliance. It helps understand the organizational context, define the requirements of regulators, customers and partners, and identify key stakeholders interested in effective risk management. It is an essential element of building a cybersecurity strategy tailored to real needs and threats.

Audit procedure

The document describes how to conduct internal information security audits in the organization. The audit aims to verify NIS2 compliance, assess the effectiveness of implemented security measures, and identify areas for improvement. The procedure includes rules for planning, conducting and reporting audits, as well as guidance on corrective actions. It is a key tool for continuous improvement of the cybersecurity system.

Management review procedure

The document defines the principles for regularly evaluating the functioning of the information security management system. The management review is the moment when management analyzes audit results, incidents, risk levels, and the effectiveness of actions taken under NIS2 implementation. The procedure aims to ensure that the cybersecurity strategy responds to current threats, organizational needs, and regulatory requirements.

Roles and responsibilities policy

The document specifies who in the organization is responsible for individual elements of the information security and business continuity system. A clear division of responsibilities – from management to technical staff – is key to effective NIS2 implementation. This policy minimizes the risk of competency ambiguity, supports accountability of actions, and facilitates quick response to security incidents.

Supervision procedure for documentation and records

The document defines the rules for creating, reviewing, updating and archiving documentation related to the information security system. It ensures consistency, availability and integrity of documents and evidence of NIS2 compliance. Thanks to this procedure, the organization can demonstrate fulfillment of legal obligations, effective risk management and continuous oversight of key security processes.

Risk management procedure

The document describes step by step the process of identifying, analyzing, assessing and treating risks related to information security. It forms the basis of a NIS2-compliant approach to minimizing threats to IT systems, data and key services. The procedure supports informed decision-making, prioritization of protection, and implementation of adequate security measures.

Risk analysis worksheet

A practical tool supporting the assessment of threats and vulnerabilities in the organization's IT environment. It enables systematic documentation of risk analysis results in accordance with NIS2 requirements – from asset identification, through probability and impact assessment, to selection of remedial measures. The worksheet facilitates decision-making on security investment priorities and fulfillment of reporting obligations.

Procedure for collecting threat information

The document describes how to systematically monitor sources of information on current and potential cybersecurity threats to the organization. It enables rapid response to new risks, supports incident management, and maintains NIS2 compliance in the area of proactive action. The procedure covers the analysis of CERT advisories, industry sources and technology vendor reports (including security bulletins and vulnerability notices).

Information classification procedure

The document defines the rules for labeling and assigning sensitivity levels to information processed in the organization. This procedure enables proper protection of critical, confidential and public data in accordance with their importance for business continuity and NIS2 compliance. Information classification forms the basis for applying adequate technical and organizational protection measures.

Rules for the handling of information

The document contains practical guidelines for the secure processing of information at every stage of its lifecycle – from creation and sharing to storage and deletion. It defines how to handle sensitive, operational and technical data in accordance with their classification and applicable regulations (including NIS2). It is a key element of daily information hygiene in the organization.

User management procedure

The document governs the process of granting, modifying, reviewing and revoking user access rights to IT systems and information resources. It ensures that only authorized persons have access in accordance with their responsibilities. The procedure supports protection against unauthorized access, promotes the principle of least privilege, and is one of the pillars of NIS2 compliance in the area of access control.

Procedure for the management of authentication information

The document defines the principles for the secure creation, storage, use and change of authentication information – such as passwords, tokens, cryptographic keys and login credentials. The procedure supports the protection of user identities and the integrity of IT systems, in accordance with NIS2 requirements. It also includes guidelines on multi-factor authentication (Article 21 of NIS2 lists it among the required measures) and regular access reviews.

Procedures for managing information security in relation to suppliers

The document defines the principles for ensuring an appropriate level of security for information entrusted to external entities – service providers, technology and infrastructure suppliers. It contains guidelines on risk assessment, contractual clauses, compliance monitoring and response to supplier incidents. The procedure supports NIS2 requirements for supply chain control and subcontractor cooperation.

Information security management procedure in the cloud

The document defines the principles for the safe use of cloud services, including vendor selection, data protection in the cloud, and oversight of entrusted resources. It covers encryption requirements, access controls, data location and regulatory compliance (including NIS2 and GDPR). The procedure supports the organization in the secure use of cloud computing solutions, minimizing risks related to processing data outside its own IT environment.

Incident management procedure

The document describes how to identify, report, classify and handle information security incidents. It defines roles and responsibilities, escalation paths, documentation methods and requirements for reporting significant incidents to the relevant authorities in accordance with NIS2 (Article 23 sets an early warning within 24 hours, an incident notification within 72 hours and a final report within one month of the notification). The procedure enables quick and effective response to threats, limiting their impact on the organization's operations and IT systems.

Human resource security policy

The document defines the principles and expectations for employees and collaborators regarding information protection and cybersecurity at every stage of the professional relationship – from recruitment through employment to termination. It supports building a security culture, covers training obligations, scope of responsibility and actions to prevent human factor risks. The document complies with NIS2 requirements and is an integral part of the information security management system.

Infrastructure protection policy

The document defines the principles for securing the organization's technical infrastructure – both physical and digital. It covers server rooms, IT systems, end-user devices and telecommunications networks. The policy describes physical and logical control measures, access management, redundancy and fault tolerance. It is a key element of NIS2 implementation, supporting the protection of resources critical for business continuity and service security.

Procedure for handling data storage media

The document defines the principles for the safe use, storage, transport and destruction of data storage media – such as USB drives, external disks, optical media. The procedure aims to protect information from unauthorized access, loss or disclosure. It is an element of NIS2 implementation, supporting control over the physical flow of data in the organization and compliance with information protection principles.

Procedures for the management of mobile devices

The document defines the principles for the safe use of mobile devices – such as laptops, smartphones and tablets – in the organizational environment. It covers requirements for configuration, encryption, updates, monitoring and response to device loss or theft incidents. The procedure supports NIS2 compliance and reduces the risk of data leakage and unauthorized access to company resources in remote and hybrid work models.

Risk management policy for purchasing ICT services and products

The document defines the principles for assessing and minimizing risks related to the purchase of ICT services and products, including hardware, software and cloud solutions. It covers vendor selection criteria, security requirements, contractual provisions and NIS2 compliance assessment rules. The policy supports informed purchasing decisions, protects against technological dependencies and enables better management of ICT supply chain security.

Operational security management procedure

The document defines the principles for the secure maintenance and operation of IT systems, devices and applications used in the organization. It contains guidelines on software updates, service availability monitoring, backup management and failure response. The procedure supports business continuity and operational resilience in accordance with NIS2 requirements, forming the foundation of day-to-day technical security management.

Procedure for protecting against malware

The document defines preventive measures and organizational responses to threats from malicious software (malware), including viruses, ransomware, trojans and spyware. It sets requirements for security software use, system updates, user education and safe internet and email usage. The procedure supports NIS2 compliance and minimizes the risk of successful attacks on the organization's information assets.

Backup procedure

The document defines the principles for regularly creating, storing, testing and recovering backups of data and IT systems. It ensures business continuity and protection against the effects of failures, security incidents or user errors. The procedure supports fulfillment of NIS2 requirements for operational resilience and management of critical data.

Information leakage prevention procedure

The document describes organizational and technical measures aimed at preventing unauthorized disclosure, loss or theft of information – both in electronic and paper form. It covers access control, encryption, user activity monitoring and principles for secure data processing. The procedure supports NIS2 compliance and significantly reduces the risk of incidents involving the leakage of confidential or personal data.

Network traffic management procedure

The document defines the principles for monitoring, controlling and analyzing traffic in the organization's telecommunications networks. The procedure aims to detect anomalies early, prevent unauthorized access and ensure data transmission security. It covers the use of firewalls, intrusion detection systems (IDS), network segmentation and event logging. The procedure supports NIS2 compliance and increases the organization's resilience to network threats.

Remote access procedure

The document defines the principles for securely granting, supervising and revoking remote access to the organization's systems and information resources. It covers requirements for multi-factor authentication, connection encryption, VPN use and role-based access restrictions. The procedure supports secure remote and mobile work and NIS2 compliance in the area of access control and protection of telecommunications systems.

Cryptography management procedure

The document defines the principles for using, storing, rotating and protecting cryptographic mechanisms in the organization – such as encryption keys, digital certificates and electronic signatures. It ensures the consistency and effectiveness of the methods used to protect confidential data, both in transit and at rest. The procedure supports NIS2 compliance and other regulations regarding the integrity, confidentiality and authenticity of information.

Procedure for the acquisition, development and maintenance of systems

The document describes the principles for the secure planning, design, implementation and maintenance of IT systems in the organization. It covers risk analysis requirements, security testing, software updates and change control. The procedure supports NIS2 compliance, promotes the "security by design" approach and minimizes vulnerability risks across the IT system lifecycle – from procurement to decommissioning.

Business continuity strategy

The document defines the organization's long-term approach to ensuring operational resilience and the ability to maintain or quickly restore key processes after an incident. The strategy defines priority resources and services, crisis scenarios, recovery time and recovery point objectives (RTO and RPO) and the general framework for managing disruptive situations. It is a key element of NIS2 compliance and the basis for developing business continuity plans.

Procedure for performing a Business Impact Analysis (BIA)

The document describes how to conduct a Business Impact Analysis (BIA) of disruptions to key organizational processes. BIA allows determination of which activities are critical, what acceptable downtime periods are, and what resources are needed for their recovery. The procedure supports the development of effective business continuity plans and fulfillment of NIS2 requirements for operational resilience and risk management.

Business continuity management procedure

The document defines how to organize, implement, test and improve solutions ensuring the continuity of key business processes in the event of a failure, incident or crisis. It includes developing business continuity plans (BCP), disaster recovery plans (DRP), roles and responsibilities, and cyclical reviews and tests. The procedure supports NIS2 compliance and increases the organization's resilience to technological and operational threats.

These are NIS2 documentation templates for NIS2 training | ODO 24