NIS2 Implementing Regulation

Requirement

4.3: Crisis management

Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.

1. The relevant entities shall put in place a process for crisis management.

2. The relevant entities shall ensure that the crisis management process addresses at least the following elements:

roles and responsibilities for personnel and, where appropriate, suppliers and service providers, specifying the allocation of roles in crisis situations, including specific steps to follow;
appropriate communication means between the relevant entities and relevant competent authorities;
application of appropriate measures to ensure the maintenance of network and information system security in crisis situations.

For the purpose of point (b), the flow of information between the relevant entities and relevant competent authorities shall include both obligatory communications, such as incident reports and related timelines, and non- obligatory communications.

3. The relevant entities shall implement a process for managing and making use of information received from the CSIRTs or, where applicable, the competent authorities, concerning incidents, vulnerabilities, threats or possible mitigation measures.

4. The relevant entities shall test, review and, where appropriate, update the crisis management plan on a regular basis or following significant incidents or significant changes to operations or risks.

Fulfill this requirement by completing the tasks below ->

This requirement is part of the framework:

NIS2 Implementing Regulation

Other requirements of the framework

4.3: Crisis management

Best practices

How to implement:

4.3: Crisis management

This policy on

4.3: Crisis management

provides a set concrete tasks you can complete to secure this topic. Follow these best practices to ensure compliance and strengthen your overall security posture.

1. The relevant entities shall put in place a process for crisis management.

2. The relevant entities shall ensure that the crisis management process addresses at least the following elements:

roles and responsibilities for personnel and, where appropriate, suppliers and service providers, specifying the allocation of roles in crisis situations, including specific steps to follow;
appropriate communication means between the relevant entities and relevant competent authorities;
application of appropriate measures to ensure the maintenance of network and information system security in crisis situations.

For the purpose of point (b), the flow of information between the relevant entities and relevant competent authorities shall include both obligatory communications, such as incident reports and related timelines, and non- obligatory communications.

3. The relevant entities shall implement a process for managing and making use of information received from the CSIRTs or, where applicable, the competent authorities, concerning incidents, vulnerabilities, threats or possible mitigation measures.

4. The relevant entities shall test, review and, where appropriate, update the crisis management plan on a regular basis or following significant incidents or significant changes to operations or risks.

Read below what concrete actions you can take to improve this ->

Frameworks that include requirements for this topic:

No items found.

How to improve security around this topic

In Cyberday, requirements and controls are mapped to universal tasks. A set of tasks in the same topic create a Policy, such as this one.

Here's a list of tasks that help you improve your information and cyber security related to

4.3: Crisis management

Task name

Priority

Task completes

Complete these tasks to increase your compliance in this policy.

Critical

No other tasks found.

Complete these tasks in Cyberday ISMS ->

How to comply with this requirement

In Cyberday, requirements and controls are mapped to universal tasks. Each requirement is fulfilled with one or multiple tasks.

Here's a list of tasks that help you comply with the requirement

4.3: Crisis management

of the framework

NIS2 Implementing Regulation

Task name

Priority

Task completes

Complete these tasks to increase your compliance in this policy.

Critical

Management and use of information received from CSIRTs and competent authorities

Critical

High

Normal

Low

Incident management

Incident management and response

Management and use of information received from CSIRTs and competent authorities

This task helps you comply with the following requirements

4.3: Crisis management NIS2 Guide

Including suppliers in incident management

Critical

High

Normal

Low

Incident management

Incident management and response

Including suppliers in incident management

This task helps you comply with the following requirements

GV.SC-08: Including relevant suppliers and third parties in incident activities NIST 2.0

ID.IM-02: Improvements from security tests and exercises NIST 2.0

13.1.c: Responding to incidents CER

§ 8: Rapporteringskrav för leverantörer MSBFS 2020:8

§ 14.3: Incidenthantering och respons NIS2 Åland

Internal communication in an incident situation

Critical

High

Normal

Low

Incident management

Incident management and response

Internal communication in an incident situation

This task helps you comply with the following requirements

1.6.1: Reporting of security events TISAX

DE.AE-06: Information on adverse events NIST 2.0

RS.CO-02: Notifying stakeholders of incidents NIST 2.0

RS.CO-03: Sharing Information with stakeholders NIST 2.0

17.2: Establish and Maintain Contact Information for Reporting Security Incidents CIS 18

Maintaining chosen theme-specific policy documents

Critical

High

Normal

Low

Risk management and leadership

Cyber security management

Maintaining chosen theme-specific policy documents

This task helps you comply with the following requirements

5.1.1: Policies for information security ISO 27001

5.1: Policies for information security ISO 27001

7.5: Requirements for documented information ISO 27001

CC5.3: Establishment of policies SOC 2

6.1: Yleiset tietoturvakäytännöt Tietoturvasuunnitelma

Establishing a crisis management team and process

Critical

High

Normal

Low

Risk management and leadership

Continuity management

Establishing a crisis management team and process

This task helps you comply with the following requirements

1.6.3: Crisis preparedness TISAX

4.3.2: Determine whether the incident is under control and take the necessary reactive measures NSM ICT-SP

RC.RP-02: Recovery actions NIST 2.0

15.2.γ: Επιχειρησιακή συνέχεια και αντίγραφα ασφαλείας NIS2 Greece

§ 30.(2).3: Aufrechterhaltung des Betriebs NIS2 Germany

Complete these tasks in Cyberday ISMS ->

The ISMS component hierachy

When building an ISMS, it's important to understand the different levels of information hierarchy. Here's how Cyberday is structured.

Framework

Sets the overall compliance standard or regulation your organization needs to follow.

Requirements

Break down the framework into specific obligations that must be met.

Tasks

Concrete actions and activities your team carries out to satisfy each requirement.

Policies

Documented rules and practices that are created and maintained as a result of completing tasks.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way‍

Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.

Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.

Do it once - we automatically apply it to all current and future frameworks.

Start free trial