
Damovo’s Compliance with NIS2 Directive as an ISO 27001 Certified Company

10/17/2024
Andrew Hay

As an ISO 27001:2022-certified organisation, Damovo has established a comprehensive information security management system (ISMS) that aligns with the stringent requirements of ISO 27001 and the NIS2 Directive. Our certification ensures we follow best practices for managing information security, risk treatment, and incident management across our organisation.

Damovo’s Information Security Office, Chief Information Security Officer (CISO), and Data Protection Officer (DPO) have thoroughly reviewed the NIS2 requirements to ensure that our existing ISO 27001-based information security program meets or exceeds these new obligations. This review process ensures that we are not only compliant with NIS2 but are also well-prepared for any future cybersecurity challenges.

This exercise was a critical step in aligning with NIS2 but was equally important in demonstrating to our customers that we are proactively maturing our security program. By continuously enhancing our security posture, Damovo maintains and strengthens the trust placed in us by our clients and partners, ensuring that we remain a leader in secure communications and ICT services.

Below is an outline of how Damovo complies with key NIS2 requirements, leveraging our ISO 27001 framework.

Governance (Article 20, NIS2)

Damovo takes governance seriously, ensuring that all aspects of information security are managed according to clear, well-defined policies. The following table illustrates the specific ISO 27001 controls that align with the governance requirements of NIS2:

NIS2 Requirement | ISO 27001:2022 Control
Policies for governance | Annex A, A.5.1 Policies for information security
Compliance with legal and regulatory requirements | Annex A, A.5.31 Legal, statutory, regulatory and contractual requirements
Independent review of security | Annex A, A.5.35 Independent review of information security
Employee awareness and training | Annex A, A.6.3 Information security awareness, education and training

These measures ensure that Damovo maintains a strong governance framework, ensuring accountability and oversight over all information security processes.

Risk Management Measures (Article 21, NIS2)

Damovo implements a robust risk management framework to ensure the early identification, assessment, and treatment of information security risks. Below are the ISO 27001 controls that correspond to the NIS2 risk management requirements:

A. Cybersecurity Risk Assessment

NIS2 Requirement | ISO 27001:2022 Clause or Control
Risk assessment | Clause 6.1.2 Information security risk assessment
Risk treatment | Clause 6.1.3 Information security risk treatment
Information security policies | Annex A, A.5.1 Policies for information security

Note that 6.1.2 and 6.1.3 are requirements in the main body of the standard (part of the ISMS itself), not Annex A controls; they are mandatory for every certified organisation and are audited as such.

Damovo’s risk management procedures enable the organisation to proactively address vulnerabilities and mitigate risks, ensuring our operations remain resilient against cybersecurity threats.

B. Incident Handling

Damovo’s approach to incident handling ensures a swift and effective response to cybersecurity incidents. The table below highlights the ISO 27001 controls relevant to this requirement:

NIS2 Requirement | ISO 27001:2022 Control
Incident management | Annex A, A.5.24 Information security incident management planning and preparation
Response to incidents | Annex A, A.5.26 Response to information security incidents
Learning from incidents | Annex A, A.5.27 Learning from information security incidents

By continually learning from incidents, Damovo strengthens its security posture and ensures that future incidents are managed more efficiently.

C. Business Continuity

Maintaining business continuity is critical to Damovo’s operations. We employ the following ISO 27001 controls to align with NIS2 business continuity requirements:

NIS2 Requirement | ISO 27001:2022 Control
Continuity management | Annex A, A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity
Backup and redundancy | Annex A, A.8.13 Information backup; A.8.14 Redundancy of information processing facilities
Logging and monitoring | Annex A, A.8.15 Logging; A.8.16 Monitoring activities

These measures ensure that Damovo’s operations remain stable and resilient even during disruptions, safeguarding the continuity of our services. 

D. Supply Chain Security

Damovo recognises the importance of securing its supply chain to prevent vulnerabilities affecting our services. The following ISO 27001 controls support our approach:

NIS2 Requirement | ISO 27001:2022 Control
Supplier relationships | Annex A, A.5.19 Information security in supplier relationships
Supply chain security | Annex A, A.5.21 Managing information security in the ICT supply chain
Cloud services security | Annex A, A.5.23 Information security for use of cloud services

By maintaining rigorous security standards throughout our supply chain, Damovo ensures we can deliver secure, uninterrupted services to our customers.

In summary, Damovo’s risk management practices, backed by ISO 27001, align with the NIS2 Directive, ensuring proactive management of cybersecurity risks and business continuity protection.

Security in Network and Information Systems (Article 21, NIS2)

Damovo’s network and information system security measures are designed to safeguard our digital infrastructure. We achieve this through the following ISO 27001 controls:

NIS2 Requirement | ISO 27001:2022 Control
Network security | Annex A, A.8.20 Networks security
Technical vulnerabilities | Annex A, A.8.8 Management of technical vulnerabilities
Security of network services | Annex A, A.8.21 Security of network services

These measures protect Damovo’s network from both external and internal threats, preserving the confidentiality, integrity and availability of our information systems.

Human Resources Security and Access Control (Article 21, NIS2)

At Damovo, we recognise that human resources security is a key component of cybersecurity. We employ the following ISO 27001 controls to meet the requirements of NIS2:

NIS2 Requirement | ISO 27001:2022 Control
Identity management | Annex A, A.5.16 Identity management
Authentication | Annex A, A.5.17 Authentication information
Privileged access | Annex A, A.8.2 Privileged access rights
Employee training and awareness | Annex A, A.6.3 Information security awareness, education and training

Through these measures, Damovo ensures that employees and contractors are granted appropriate information access and regularly trained to mitigate security risks.

Cryptography and Encryption (Article 21, NIS2)

Cryptography and encryption are fundamental components of our data protection strategy at Damovo. The following ISO 27001 control ensures alignment with NIS2:

NIS2 Requirement | ISO 27001:2022 Control
Use of cryptography | Annex A, A.8.24 Use of cryptography

By adhering to this control, Damovo ensures the protection of sensitive data, both at rest and in transit, safeguarding against unauthorised access.

Reporting Obligations (Article 23, NIS2)

Damovo complies with NIS2 reporting obligations by implementing the following ISO 27001 controls:

NIS2 Requirement | ISO 27001:2022 Control
Incident reporting | Annex A, A.6.8 Information security event reporting
Information transfer | Annex A, A.5.14 Information transfer

Two points deserve emphasis here. A.6.8 covers the internal reporting of security events by personnel; the external notification duties in Article 23 (an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month) are additional obligations that must be written into the incident response procedure and exercised, not merely mapped. By following these procedures, Damovo ensures rapid and accurate reporting of cybersecurity incidents, enabling swift responses and minimising potential impact.

Certification and Third-Party Assurance (Article 24, NIS2)

Damovo actively manages third-party risk and certification through the following ISO 27001 control:

NIS2 Requirement | ISO 27001:2022 Control
Supplier agreements | Annex A, A.5.20 Addressing information security within supplier agreements

This ensures that our third-party partners adhere to the same high-security standards as Damovo, safeguarding our information and systems.


Conclusion

Damovo’s ISO 27001:2022 certification provides a strong foundation for compliance with the NIS2 Directive. By mapping our existing ISO 27001 controls to NIS2 requirements and engaging in a thorough review process, we ensure that we are well-prepared to meet the evolving regulatory landscape, protect our assets, and maintain the highest standards of information security across our operations.

Please get in touch with your account manager for more detailed guidance or consultation on our approach to NIS2 compliance and how a similar exercise could benefit your organisation.

You may also enjoy our webinar series for additional information on preparing your organisation for NIS2 Compliance in 90 days.