The NIS Regulations (The Network and Information Systems Regulations 2018) came into force in the UK on 10 May 2018. They transpose the EU NIS Directive into UK law, and aim to improve national cyber security capabilities and increase cooperation between EU member states.
Under the NIS Regulations, OES (operators of essential services) and DSPs (digital service providers) are required to take appropriate and proportionate security measures to manage the risks to their network and information systems, to prevent and minimise the impact of incidents, and to notify their competent authority of incidents that have a significant impact on their services.
With the NIS Regulations now in force, organisations must make assessing their compliance needs a priority. Understanding and implementing the Regulations’ requirements is a comprehensive process, so it’s important to start preparations now.
Top tips for producing documentation for the NIS Regulations
As with any management system, there are basic guidelines for creating and maintaining documentation:
- Your documentation needs to be comprehensive – leave nothing out.
- It should be in line with the NCSC’s (National Cyber Security Centre) CAF (Cyber Assessment Framework) and the 14 security principles the CAF assesses against – have a copy of them beside you as you build your documentation.
- It must be tailored to suit your organisation – often, organisations will produce the bare minimum documentation that could apply to anyone. Remember to adapt the documentation to your organisation’s specific needs.
- The documentation should be made available to your staff, with access levels set according to each role’s need to know.
- Avoid duplication – where possible, documents should be structured to avoid having to update information in multiple places.
- Documents should follow a standard approach: a common template and format, version control, and a change history.
- Documents should refer to job titles or roles instead of named individuals, so they do not have to be updated every time staff change.
Get help with your NIS Regulations documentation
To help you produce the documentation required to comply with the NIS Regulations, we’ve released the new NIS Regulations Documentation Toolkit: a complete set of policies, procedures and project tools to help you achieve compliance quickly and cost-effectively.
The toolkit has been designed to provide the relevant policies and procedures that organisations need to achieve compliance with the 14 high-level security principles developed by the NCSC and assessed through the CAF.
Although primarily designed for OES, the toolkit can also help DSPs meet the NIS Regulations requirements, as both are in line with cyber security and incident response best practice.
This comprehensive toolkit contains more than 100 documentation templates and tools so that you can:
- Save hours of unnecessary work and avoid errors;
- Embed the documentation in your organisation quickly and easily by using the pre-formatted templates; and
- Draw on expert guidance from information security specialists to help you achieve your compliance goals.