ISO NIS 2 Control Mapping
Last updated: July 2024
Digital threats are growing in sophistication, and robust cybersecurity measures matter more than ever. The NIS 2 Directive, EU-wide legislation aimed at raising the security of network and information systems across member states, establishes a framework for achieving a higher common level of security. Organizations working toward compliance need to understand how their existing cybersecurity controls map to the NIS 2 requirements. This document shows how Ivanti's processes as a software vendor and supplier align with those requirements.
Ivanti is committed to supporting our customers in their cybersecurity efforts, which is why we are ISO 27001 certified. The certification reflects our commitment to maintaining high security standards and delivering quality assurance across our products and services. By choosing Ivanti as a supplier, customers can trust that they are partnering with a provider that follows internationally recognized best practices and standards in information security management. Our alignment with ISO standards supports our ability to help customers navigate NIS 2 compliance.
Ivanti has also signed the Secure by Design pledge, committing to build every product with security as a foundational element. This approach strengthens the protection of our solutions and promotes cyber hygiene through continuous monitoring, timely updates, and proactive threat management. The mapping below shows how Ivanti's commitment to security by design and to cyber hygiene supports alignment with the NIS 2 controls, paving the way for sustained compliance and an improved security posture.
Article 21 Cybersecurity Risk-Management Measure | ISO 27001 Control |
---|---|
a) Policies on risk analysis and information system security | 5.2, A.5.1, 6.1.2, 8.2, 6.1.3, 8.3 |
b) Incident handling | A.5.24, A.5.25, A.6.8, A.5.26, A.5.27, A.5.28, A.8.16 |
c) Business continuity, such as backup management and disaster recovery, and crisis management | A.5.29, A.5.30, A.8.13, A.8.14, A.8.15, A.8.16 |
d) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 |
e) Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure | A.5.20, A.5.24, A.5.37, A.6.8, A.8.8, A.8.9, A.8.20, A.8.21 |
f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | 9.1, 9.2, 9.3 |
g) Basic cyber hygiene practices and cybersecurity training | 7.3, 7.4, A.5.15, A.5.16, A.5.18, A.5.24, A.6.3, A.6.5, A.6.8, A.8.2, A.8.3, A.8.5, A.8.7, A.8.9, A.8.13, A.8.15, A.8.19, A.8.22 |
h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption | A.8.24 |
i) Human resources security, access control policies and asset management | A.5.9, A.5.10, A.5.11, A.5.15, A.5.16, A.5.17, A.5.18, A.6.1, A.6.2, A.6.4, A.6.5, A.6.6 |
j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate | A.5.14, A.5.16, A.5.17 |
The measures in the left-hand column are the items (a) to (j) listed in Article 21(2) of the NIS 2 Directive. In the right-hand column, references without the "A." prefix (for example 5.2, 6.1.2, 9.1) are clauses of the ISO/IEC 27001:2022 management-system requirements, while references with the "A." prefix are Annex A controls of the same edition; a mapping to Annex A alone does not cover the clause-level requirements, so both kinds of reference should be read together.