CyberSec Update #14: Practical advice for the board
Back to compliance: practical guidance for boards in the context of NIS2 and the UKSC
Who are we? Where are we heading?
CyberSec Update #2 helped answer the first of these questions. Today – a few days after the Act implementing the NIS2 Directive came into force – we will attempt to help answer the second, no less fundamental question, which is crucial from the perspective of management boards and regulatory compliance.
Once you have established that your organisation will be subject to NIS2/UKSC, the next step should be to assess the extent to which your existing procedures meet the requirements of the legislation and to what extent further action needs to be taken to ensure compliance with the new regulations.
Gap audit – a compliance and risk management tool
A gap analysis is not a formality, but a business tool that allows you to quickly assess what is working and what needs improvement in the context of NIS2 and the UKSC. The analysis highlights which services and systems are critical to operations, where the greatest risks lie, and which procedural and technical gaps conflict with the requirements of the legislation.
The audit results may also be a pleasant surprise if it turns out that the organisation has already implemented more security measures than originally anticipated. Much like Monsieur Jourdain in Molière’s comedy*, we then discover with astonishment that we have been ‘speaking prose’ all along.
In practice, a gap analysis should include, amongst other things, an inventory of assets, an assessment of supply chain security, a review of risk management mechanisms, and an assessment of readiness to report incidents. The analysis should take into account both legal and technical aspects.
A gap analysis does not mark the end of the NIS2/UKSC compliance process – it is its foundation and a reference point for further action. It is therefore worth treating it as an investment in business continuity, rather than merely a regulatory obligation.
What happens after the gap audit?
The next stage is to establish and maintain an Information Security Management System (ISMS), which will ensure ongoing compliance with the Act’s requirements. Implementing an ISMS can take up to several months, but a thoroughly conducted gap audit allows you to create a clear roadmap for the entire process.
The audit report helps to better understand the requirements of NIS2 and the UKSC, plan actions and efficiently carry out the implementation. However, this is a topic for a separate article, which we will explore in the next part of the series.
* Molière, ‘The Bourgeois Gentleman’