How to implement the NIS / NIS2 Act – information security policy

01 March 2026

The introduction of NIS2, the latest EU regulations in the area of network and information systems security, marks a breakthrough that completely changes the rules of the game. Organizations that are critical and important to the economy must now not only enhance their resilience to cyber threats, but also implement specific and systematic protective measures. The aim is to create effective, threat-resilient structures that will be able to fully safeguard both data and the company’s critical infrastructure.


The Author:

Tomasz Ochocki


We are launching a series of publications that will guide you step by step through the most important aspects of implementing NIS2 requirements set out in the KSC — from security strategy to risk management and incident response. The first article in the series will focus on information security policy in the context of KSC / NIS2 provisions and the division of roles within it.


What is an information security policy

An information security policy is a strategic document that establishes the organisation’s overall approach to the security of networks and information systems, taking into account the nature of its operations and business objectives. In accordance with the guidelines of the European Union Agency for Cybersecurity (ENISA) and EU regulations, this document should precisely define the roles, resources and indicators enabling the organisation’s level of cyber protection to be monitored and improved.

What requirements must an information security policy meet

In accordance with the European Commission implementing regulation, the security policy under the KSC / NIS2 Act regulations should:

  1. define the entity’s approach to managing the security of its networks and information systems;
  2. be consistent and complementary with the business strategy and objectives of the organisation;
  3. specify objectives in the area of network and information security;
  4. include a commitment to the continuous improvement of the security of networks and information systems;
  5. include a commitment to provide adequate resources for implementing the policy, including personnel, finances, processes, tools and technology;
  6. be communicated and acknowledged by relevant employees and external stakeholders;
  7. define security roles and responsibilities in accordance with the guidelines;
  8. include a list of documentation to be retained and specify the retention period;
  9. take into account a list of thematic policies;
  10. specify indicators and procedures for monitoring the implementation of the policy and the current level of the entity’s maturity in network and information security;
  11. indicate the date of formal approval by the organisation’s management board.

What documents should the security policy include

The Act on the National Cybersecurity System (KSC) sets out a comprehensive scope of documentation required to ensure regulatory compliance and operational security. This catalogue includes:

  1. normative documentation, comprising:
    1. information security management system documentation,
    2. documentation relating to the protection of the infrastructure used to provide a given service, including:
      • a description of the service and the infrastructure in which the service is provided,
      • an assessment of the current state of protection of the infrastructure,
      • risk estimation for infrastructure assets,
      • a risk treatment plan,
      • a description of the technical safeguards for infrastructure assets,
      • the rules for organising and carrying out the physical protection of the infrastructure,
      • details of the specialised armed protective formation guarding the infrastructure – if such a formation exists,
    3. business continuity management system documentation,
    4. technical documentation of the IT system used to provide the given service,
    5. documentation arising from the specific nature of the service provided in the relevant sector or subsector;
  2. operational documentation.


Operational documentation is a set of records confirming the implementation of the actions required by the arrangements set out in the normative documentation. It includes both manually prepared reports and automatically generated records, such as system logs, which record key operations and events in information systems. Thanks to operational documentation, an organisation is able to monitor compliance of activities with security guidelines and demonstrate their proper implementation.

Operational documentation may be maintained both in paper form and in electronic form. This makes it possible to tailor it to the specific nature and operational needs of the organisation. It also allows flexibility in the management of operational information and in its archiving, while still meeting documentation requirements.

One of the key challenges for companies is to properly satisfy the requirement to have documentation of the information security management system and the business continuity management system. The regulations of the KSC Act / NIS2 – like the GDPR – are technology-neutral, which gives organisations freedom in selecting solutions. In this context, Article 8 of the Act on the National Cybersecurity System is helpful, as it imposes on entities an obligation to implement technical and organisational measures that are appropriate and proportionate to the risk. These measures should take into account the current state of knowledge, implementation costs, the size of the organisation, the likelihood of incidents occurring, exposure to risk, and the potential social and economic consequences. The KSC Act defines the following requirements concerning security measures, including organisational measures (and therefore also procedures):

  1. policies and procedures – including, inter alia, risk assessment, information security, security of the acquisition and system development process, testing, physical and environmental security, as well as human resources security;
  2. protection of the continuity of the supply chain of ICT products, services and processes necessary for the provision of services, taking into account relations with suppliers;
  3. business continuity and recovery plans – implementing, documenting, testing and maintaining plans ensuring the continuity of service provision, as well as contingency and recovery plans;
  4. monitoring systems – subjecting the information system to continuous monitoring and procedures for assessing the effectiveness of the implemented measures;
  5. cybersecurity education for personnel, basic cyber hygiene principles, and policies on the use of cryptography, secure communication, and asset management;
  6. access management through appropriate access control policies and procedures;
  7. collection of information on cyber threats and vulnerabilities, as well as incident management;
  8. preventive and impact-mitigating measures for incidents affecting system security, including mechanisms ensuring the confidentiality, integrity and availability of data, regular software updates, protection against unauthorized modification, and prompt action in response to detected threats.

How to maintain compliance with GDPR and NIS2?

The development of documentation compliant with the requirements of the KSC / NIS2 Act can be effectively based on standards derived from the ISO family of standards, such as ISO 27001 (information security management) or ISO 22301 (business continuity management). These standards provide proven frameworks and guidelines that can be used to create comprehensive documentation covering key areas such as risk management, incident response, and critical infrastructure protection. As a result, organizations can not only comply with the requirements of the KSC / NIS2 Act, but also build an integrated management system tailored to the specifics of their operations. Below we present the main elements that should be included in documentation developed on the basis of ISO standards.

  1. Information Security Policy (4.1, 4.2, 4.3, 5.1, 5.2, 6.2 ISO 27001)
  2. Information Security Review Procedure (9.1 ISO 27001)
  3. Corrective and Improvement Actions Procedure (10.2 ISO 27001)
  4. Internal Audit Procedure (9.2 ISO 27001)
  5. Management Review Procedure (9.3 ISO 27001)
  6. Roles and Responsibilities Allocation Policy (5.3 ISO 27001)
  7. Documentation and Records Control Procedure (7.5 ISO 27001)
  8. Risk Management Procedure (6.1, 8.1, 8.2, 8.3 ISO 27001)
  9. Procedure for collecting and analysing information about threats (A5.7 ISO 27001)
  10. Information classification procedure (A5.12-A5.14 ISO 27001)
  11. User management procedure - access control (A5.15, A5.16, A5.18 ISO 27001)
  12. Procedure for managing users' confidential authentication information (A5.17 ISO 27001)
  13. Procedure for managing information security in supplier relationships (A5.19-A5.22 ISO 27001)
  14. Procedure for managing information security in cloud services (A5.23 ISO 27001)
  15. Incident management procedure (A5.24-A5.28 ISO 27001)
  16. Procedure for ensuring compliance with legal and contractual requirements (A5.31-A5.32 ISO 27001)
  17. Business continuity management procedure (A5.29, A5.30 ISO 27001)
  18. Human resources security policy (A6.1-A6.6 ISO 27001)
  19. Remote work procedure (A6.7 ISO 27001)

  20. Physical access procedure for rooms (A7.1-A7.6 ISO 27001)
  21. Procedure for the presence of visitors and cleaning service personnel (A7.1-A7.6 ISO 27001)
  22. Equipment security management procedure (A7.7-A7.14 ISO 27001)
  23. Procedure for handling storage media (A7.10 ISO 27001)
  24. Procedure for hard drive disposal (A7.10 ISO 27001)
  25. Mobile device management procedure (A8.1 ISO 27001)
  26. Operational security management procedure (A8.2-A8.6, A8.8-A8.9, A8.14-A8.19 ISO 27001)
  27. Malware protection procedure (A8.7 ISO 27001)
  28. Backup procedure (A8.13 ISO 27001)
  29. Data retention procedure (A8.10 ISO 27001)
  30. Data masking procedure (A8.11 ISO 27001)
  31. Data leak prevention procedure (A8.12 ISO 27001)
  32. Network traffic management procedure (A8.20-A8.23 ISO 27001)
  33. Email usage procedure (A5.14 ISO 27001)
  34. Cryptographic security management procedure (A8.24 ISO 27001)
  35. Systems acquisition, development and maintenance procedure (A8.25-A8.33 ISO 27001)
  36. Business continuity policy (5.2.1 ISO 22301)
  37. Business continuity objectives (6.2.1 ISO 22301)
  38. Business impact analysis (BIA) (8.2.2 ISO 22301)
  39. Incident management procedures (8.4 ISO 22301)
  40. Business continuity plans (8.4 ISO 22301)
  41. Contingency plans (8.4.5 ISO 22301)
  42. Training programmes and exercises (8.5 ISO 22301)
  43. Results of internal audits (9.2 ISO 22301)
  44. Management reviews (9.3 ISO 22301)
  45. Records of corrective actions (10.1.3 ISO 22301)

How to implement a security policy

For the effective implementation of a security policy, it is necessary to take two key actions. These will ensure that both staff and external partners understand the organisation’s security rules and comply with them.

  1. Establishing a security policy: Create a clear and comprehensive network and information systems security policy covering all systems, resources and procedures within the scope of protection. The policy should be tailored to the organisation’s specifics and take into account the actual threats that its IT assets may face.
  2. Familiarising stakeholders with the content of the security policy: Ensure that all employees, as well as third parties (e.g. contractors, suppliers), know and acknowledge the security policy. This may take the form of a signed document or digital acknowledgement, clearly specifying what the policy means for their work. The purpose of this measure is to document that all stakeholders understand their responsibilities and the security rules they must follow.

How to ensure the accountability of the security policy

In order for organisations to demonstrate compliance with the obligations set out in the KSC Act, in accordance with the NIS2 Directive, ENISA recommends keeping specific evidence.

  1. Documented network and information systems security policy: The policy should include all required elements specified in the Act on the National Cybersecurity System and be formally approved by the governing bodies (with the date of such approval indicated).
  2. Documents confirming staff awareness: Employees should be aware of the existence of the network and information systems security policy and its relevance to their work. Evidence may include staff members (and, where appropriate, contractors) signing forms confirming that they have read and understood the policy.
  3. Evidence of senior management commitment: The active role of management in information security governance may be demonstrated, among other things, by:
    1. interviews with management staff confirming that management understands the responsibilities and powers relating to network security,
    2. documentation of resource allocation for implementing the policy,
    3. requirements placed on staff regarding the application of security policies and procedures,
    4. initiatives promoting improvements in information security, demonstrating management’s commitment to enhancing protection within the organization.


What a security policy review should look like

An effective network and information systems security policy should not only be well defined, but also systematically reviewed and adapted to changing conditions. ENISA recommends that organizations carry out such a review at least once a year, as well as in response to significant events such as regulatory changes, new threats, or emerging security incidents.

The policy review should be comprehensive. ENISA recommends taking into account, among other things, the following aspects:

  1. changes in legislation and best practices – monitoring new regulations and industry standards helps ensure compliance with legal and sector-specific requirements;
  2. stakeholder feedback – it is worth collecting input from employees, partners, and customers in order to identify potential areas for improvement;
  3. results of independent audits – audits conducted by external experts often reveal significant issues requiring policy updates;
  4. recommendations of supervisory authorities – guidance issued by regulatory bodies may create a need for changes;
  5. incident analysis – analysing incidents, both internal and those occurring in similar entities in the industry, makes it possible to better prepare for potential threats.

The review should also lead to policy updates, particularly in the following cases:

  1. changes introduced in IT systems or in the organisation’s operational environment;
  2. problems encountered during the implementation of the security plan that require an adjustment of the approach;
  3. assessment of the status of preventive and corrective measures in order to determine their effectiveness and the need for any changes;
  4. new threat trends, identified exceptions and reported security incidents.

Any update to the policy should receive formal approval from management. Such approval also applies to any exceptions from the policy, ensuring that the changes are consistent with the organisation’s overall strategy and reflect its approach to security management. Thanks to regular reviews and management-level approvals, the security policy remains up to date and aligned with current requirements and challenges in the protection of networks and IT systems.

How to document a security policy review

For effective management of the security policy for networks and IT systems, transparency and accountability are essential. ENISA recommends maintaining detailed documentation of the policy review and exceptions to the rules so that the organisation can at any time demonstrate compliance with applicable regulations and procedures. Below are the key issues worth noting.

  1. Recording changes and comments: The review of the documentation relating to the network security policy and thematic policies should include all comments and change logs. Any change to a policy or procedure should be clearly documented in order to ensure transparency of decisions and their compliance with the established rules.
  2. Recording policy exceptions: Where it is necessary to deviate from the adopted rules (e.g. for technical reasons or due to operational specifics), the organisation should keep exception logs. Such exceptions must be approved by the appropriate persons or roles. They may include, among others:
    1. software updates – if an older version of the software is incompatible with the latest update, a temporary exception may be granted while a solution is being found,
    2. access control – where multi-factor authentication (MFA) cannot be implemented due to technical constraints, an exception may be granted, with alternative protective measures applied at the same time,
    3. encryption – if a legacy system does not support encryption, an exception may be allowed until it is replaced.
  3. Documentation of the review and approval process: In the process of reviewing the requirements set out in the security policy, the organization should maintain documentation containing a complete review of the main policy and thematic policies. In addition, any updates and granted exceptions should be approved by the management board, and the documentation must be archived. Such practice ensures compliance with regulations and full control over the implementation of changes.

Mapping to norms and standards

The Act on the National Cybersecurity System (KSC) does not provide for automatic compliance through any specific standard: implementing the norms and standards listed in the table below is not formally equivalent to full implementation of the requirements of the KSC / NIS2 Act. Their implementation can nonetheless be very helpful in achieving compliance. The documents indicated, such as ISO 27001 or NIST CSF, provide proven frameworks and guidelines that can support organisations in implementing key KSC / NIS2 requirements.

Norms and standards | Requirements
ISO 27001:2022 | 5.2, A.5.1, A.5.36, A.5.4, 9.3
NIST CSF v2.0 | PR.AT-02, GV.PO-01, GV.PO-02, GV.OC-03, GV.RM-03, GV.OC-02, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04

How to assign security-related roles and responsibilities

Effective management of network and information systems security requires precisely defined duties and powers. As part of its security policy, an organisation should clearly specify who is responsible for individual aspects of security and what powers they have. Assigning these responsibilities to specific roles within the company structure not only organises tasks but also facilitates oversight of policy implementation. Such documentation should be provided to the management bodies of organisations to ensure transparency and oversight of security-related activities.


Consistency and clarity can be achieved by clearly defining rights and duties in job descriptions. In doing so, the assignment of security roles and responsibilities to personnel, as well as their place in the organisational structure, should be taken into account. It is necessary to assign appropriate duties to key roles such as the chief information officer (CIO), chief information security officer (CISO), IT security specialist and incident response specialist.

In addition, the organisation should make use of guidelines, major frameworks and international standards so as to adapt them to its size and business needs. The European Cybersecurity Skills Framework (ECSF) may serve as a useful tool in the process of defining requirements for employees performing security-related functions. Formal designation of persons responsible for security and their appropriate training is a key element in building an effective security management system within the organisation.

Useful evidence of compliance with the indicated obligations for supervisory authorities may include:

  1. detailed job descriptions for security-related roles, such as CIO, CISO or DPO, setting out their rights and duties;
  2. a list of all roles of key importance for security, with assigned responsibilities and powers;
  3. the formal appointment of persons to key security-related positions, together with a clear definition of their duties and scope of activities;
  4. a list of appointed persons to positions such as the CISO or DPO, together with a detailed description of their tasks and responsibilities in the area of security management.

Compliance with the security policy is required of all personnel as well as of third parties cooperating with the organization. Personnel should be aware of the security-related roles within the entity and know when to contact the relevant security-responsible persons. External partners, including suppliers, contractors, service providers and other business partners, should also be informed of the need to comply with the organization’s network and information security policy. Even if they are not directly involved in the entity’s operations, their activities may affect the level of network security and information protection.

Compliance with the indicated obligations may be evidenced by:

  1. informational materials for personnel that explain security-related roles and indicate when and how the relevant persons should be contacted;
  2. service level agreements (SLA) with third parties that explicitly specify that those entities must comply with the organization’s network and information security policy, as well as thematic security policies and procedures;
  3. formal evidence, such as letters or e-mails from third parties, confirming that they have received and understood the organization’s network and information security policy, together with the provision to them of the relevant thematic policies and procedures.

A key element of the policy is the designation of at least one person who reports directly to the management board on matters related to network and system security. This may be an assigned person, such as the CISO or the management board’s NIS2 representative, responsible for overseeing security matters. It is important that such a person has the authority and knowledge enabling effective communication with management.

In larger organizations, it is practical to establish dedicated roles related to information security, such as a chief security specialist or a security analyst. These individuals focus exclusively on the protection of data and systems. In smaller entities with limited resources, information security responsibilities may be assigned to employees in existing positions. For example, IT department staff may additionally take on security-related tasks and perform them alongside their standard duties.

With regard to ensuring independence and minimizing the risk of unauthorized access to or misuse of resources, particular attention is paid to separating conflicting duties and responsibilities. Examples of such separation include:

  1. separating the (chief) information security specialist from the IT administrator;
  2. separating the roles of system architect (cybersecurity) and system tester (security);
  3. separating the role of the person managing identities (e.g. user access and permissions) from the role of system administrator;
  4. appointing an auditor who is not part of the team and does not report to persons managing the area under review;
  5. separating the position of the person responding to incidents from the compliance team.

Such a separation of functions helps limit the possibility of unintentional modification or misuse of the organization’s assets. At the same time, it provides greater security and control over data and system protection processes.

It should be noted that security-related roles, responsibilities and authorizations should be reviewed regularly, at least at planned intervals. In the event of significant security incidents or material changes in operations and risk, the policy must be adjusted immediately. This increases its relevance and effectiveness in a dynamically changing technological environment.

Evidence of the implementation of the duties described above may include:

  1. current documentation concerning the assignment of security roles and responsibilities;
  2. conducting interviews with employees in order to assess their communication skills and authority;
  3. collecting feedback from management and other stakeholders regarding the effectiveness of the person’s communication;
  4. meeting minutes from management board meetings documenting security-related issues;
  5. in larger organizations – verification of the presence of assigned security-related roles;
  6. in smaller entities – checking whether security-related duties are assigned to existing roles;
  7. documentation of the review process, including previous incidents and implemented changes.

How to align requirements with norms and standards

Developing appropriate roles, assigning responsibilities, and defining a clear accountability structure are the foundations of an effective security system within an organization. Information security management requires linking activities to recognised norms and standards that form the basis of best practices in this area. Below we present the ISO 27001 and NIST requirements that relate to this key aspect.

Norms and standards | Requirements
ISO 27001:2022 | 5.3, A.5.2, A.5.3, A.5.4
NIST CSF v2.0 | GV.RR-02, GV.SC-02, PR.AT-02, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04

Where to begin implementing the KSC / NIS2 Act?


Implementation of the KSC / NIS2 should begin with a risk analysis – this is the first and key step that makes it possible to identify assets, threats, and security gaps.

Why is this so important?

The NIS2 requirements set out in the KSC Act, like the GDPR, do not specify particular protective measures – it is you who must determine appropriate safeguards on the basis of the risk analysis you have carried out.

The next steps for implementing KSC / NIS2 are:

1. Technical safeguards

Investments in specific technologies and protective tools. KSC / NIS2 requires real, "hard" security, not just documentation.

2. Organisational safeguards

Development and implementation of procedures required by KSC / NIS2. Thanks to them, employees will know how to act safely within the IT infrastructure.

3. Training

Regular education of employees and the management board, ensuring awareness of roles, obligations and security principles. This is a direct requirement of KSC / NIS2.

In summary: start with a risk analysis, and only then ensure appropriate technical and organisational safeguards as well as training.
