Against the backdrop of national and international standards, it is worth examining those that are most relevant in terms of adoption and compatibility. This article analyses, compares and reflects on the differences between these standards and proposes some considerations of substance and method.
Please note that the standards under analysis are as follows:
- NIS2 Minimum Basic Measures for Essential Subjects (MSB S_E).
- Minimum ICT Security Measures for PA as per AgID Circular 2/2017 (MMS PA).
- Critical Security Controls version 8.1 (CSC 8.1).
- ISO 27001:2022 (ISO 27001).
Each of these standards contains a number of security measures (also referred to as controls or safeguards); the numerical difference between the various standards depends essentially on the methodological approach to the cybersecurity problem.
| MSB S_E | MMS PA | CSC 8.1 | ISO 27001 |
|---|---|---|---|
| 116 | 122 | 153 | 93 |
The Basic Security Measures for NIS2, like the Minimum ICT Security Measures for PA, are very technical and specific. The ISO 27001 controls, on the other hand, have a broader approach and, incidentally, have undergone a recent rationalisation precisely to reduce their number (in 2013 there were 114).
Differences in approach: the software inventory
There can be a considerable gap between ISO 27001 and other standards, but this is due to the specialisation of technical standards that, by their nature, have to address individual procedural and configuration aspects of the information system. Beware, however: this does not mean that ISO 27001 is not adequate to support the security requirements of an information system. On the contrary, it is very effective, but requires a more specialised approach, including the adoption of detailed standards. It is interesting to observe how these standards formulate requirements; take the inventory of software used in the organisation as an example.
ISO 27001 provides an ‘umbrella’ security control (5.09) that gives only a general indication:
An inventory of information and other associated assets, including owners, must be compiled and maintained.
In contrast, the CSC 8.1 standard provides for a safeguard (2.1) that goes much deeper, also involving very specific classification attributes.
Establish and maintain a detailed inventory of all authorised software installed on company assets. The software inventory must document: the title, publisher, date of initial installation/use and business purpose of each item; where appropriate, include the Uniform Resource Locator (URL), app store, version, deployment mechanism and date of disposal. Review and update the software inventory every two years or more frequently.
AgID Circular 2/2017 includes less detail than CSC 8.1, but still has relevant elements such as, for instance, safeguard 2.1.1.
Make a list of authorised software and its versions required for each type of system, including servers, workstations and laptops of various types and for various uses. Do not allow the installation of software not on the list.
Finally, the Basic Security Measures for Essential Subjects issued by ACN include a very interesting control (ID.AM-03).
An up-to-date inventory of the services, systems and software applications that make up the information and network systems, including commercial, open-source and custom applications, also accessible via APIs, approved by internal NIS actors, is maintained.
Substantial differences in national regulations
All these standards address the software inventory across multiple controls, but it is no doubt interesting to appreciate further differences as well. For example, Circular 2/2017 requires the inventory to be updated with an automated tool: control 1.3.2 states that it is necessary to ‘update the inventory with an automated tool when new approved devices are networked’. None of this is found in the Basic Security Measures for Essential Subjects, which simply require the various inventories to be kept up to date:
- ID.AM-01 (Hardware). An up-to-date inventory of the physical equipment (hardware) that makes up the information and network systems, including IT, IoT, OT and mobile devices, approved by internal NIS actors, is maintained.
- ID.AM-02 (Software and Systems). An up-to-date inventory of the services, systems and software applications that make up the information and network systems, including commercial, open-source and custom applications, also accessible via APIs, approved by internal NIS actors, is maintained.
- ID.AM-03 (Network flows). An up-to-date inventory of network flows between the NIS subject’s information and network systems and the outside world, approved by internal NIS actors, is maintained.
- ID.AM-04 (Supplier Services). An up-to-date inventory of IT services provided by suppliers, including cloud services, is maintained.
It can therefore be said that, at least in this respect, NIS2 is less binding than Circular 2/2017, which nevertheless remains in force. However, it must be considered that the automation envisaged by Circular 2/2017 concerns a HIGH level of adoption, whereas here we are examining the Basic Security Measures for Essential Subjects. Similar cases can be found for the ABSC 3 controls, which are intended to “protect hardware and software configurations on mobile devices, laptops, workstations, servers”, or the ABSC 5 controls, concerning “the appropriate use of administrator privileges”.
Let us imagine a company that, on behalf of the public administration, is in charge of distributing electricity in its territory. Such an entity is simultaneously impacted both by NIS2, since it operates in the highly critical electricity sector (Annex 1, point 1_A), and by Circular 2/2017, as the operator of a public service.
We remind the reader that, according to the Commission Recommendation of 6 May 2003 Art. 2, c. 1, a medium-sized enterprise has the following characteristics:
- Personnel: between 50 and 249 employees.
- Annual turnover: over € 10 million and up to € 50 million.
- Annual balance sheet total: over € 10 million and up to € 43 million.
In theory, companies of this type should equip themselves with automated asset inventory systems. In practice, however, many medium-sized companies still manage this process in a non-automated or only semi-automated way. One of the most common arrangements is an IP address scanner launched manually, with the results exported to CSV and then into an Excel sheet. Moreover, if the company were impacted not by Circular 2/2017 but only by NIS2, the automation requirement would lapse altogether.
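As an added illustration, not code from the article or from any of the standards it cites, the following Python check performs the reconciliation step that a manually exported scan leaves undone: it compares a constructed scan export against an authorised list in the sense of ABSC 2.1.1, verifies that each record carries the CSC 8.1 safeguard 2.1 attributes, and flags entries whose last review is older than a chosen interval. Hostnames, software names and dates are constructed, and the 182-day review interval is an assumption.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article or any real organisation).
# Authorised software and versions per system type, as ABSC 2.1.1 requires.
AUTHORISED_CSV = """system_type,title,version
server,nginx,1.24
server,postgresql,15
workstation,libreoffice,7.6
workstation,firefox,121
"""
# Discovered software, shaped like a scanner CSV export carried into a
# spreadsheet; the columns follow the CSC 8.1 safeguard 2.1 attributes.
DISCOVERED_CSV = """host,system_type,title,publisher,version,installed,purpose,last_review
srv01,server,nginx,nginx Inc.,1.24,2023-03-01,reverse proxy,2024-11-10
srv01,server,redis,,7.2,2024-02-14,cache,2024-11-10
ws07,workstation,firefox,Mozilla,121,2024-01-09,browsing,2024-01-09
ws07,workstation,libreoffice,TDF,7.6,2023-09-05,,2025-01-20
"""
# Attributes CSC 2.1 always requires (URL, app store, etc. are "where appropriate").
REQUIRED_ATTRS = ("title", "publisher", "version", "installed", "purpose")

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reconcile(authorised_rows, discovered_rows, today, max_review_days):
    """Findings: software not authorised for its system type, records missing
    mandatory attributes, and records reviewed longer ago than allowed."""
    allowed = {(r["system_type"], r["title"], r["version"]) for r in authorised_rows}
    findings = {"unauthorised": [], "incomplete": [], "stale": []}
    for r in discovered_rows:
        if (r["system_type"], r["title"], r["version"]) not in allowed:
            findings["unauthorised"].append((r["host"], r["title"], r["version"]))
        missing = [a for a in REQUIRED_ATTRS if not r.get(a)]
        if missing:
            findings["incomplete"].append((r["host"], r["title"], missing))
        age = (today - date.fromisoformat(r["last_review"])).days
        if age > max_review_days:
            findings["stale"].append((r["host"], r["title"], age))
    return findings

def run_sample():
    # Assumed review date and a six-month (182-day) review interval.
    return reconcile(load(AUTHORISED_CSV), load(DISCOVERED_CSV), date(2025, 3, 1), 182)

if __name__ == "__main__":
    for category, items in run_sample().items():
        print(category, items)
```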
Conclusions
At first glance, it might be inferred that an entity falling under Article 2(2) of the C.A.D. and subject to both Circular 2/2017 and NIS2 must adopt more specific measures than those required by NIS2 alone. In reality, the reasoning to be done is profoundly different and also takes into account the historical period in which these measures were conceived and adopted. Circular 2/2017 was born as a prescriptive “checklist” for the Public Administration, while ACN’s Basic Security Measures (offspring of the NIS2 Regulation and the National Cyber Security Perimeter) move towards a more flexible but strategically deeper risk management. Thus, it is not a question of overlapping or mutually exclusive requirements, but of real integration: where Circular 2/2017 focuses on point-by-point technical compliance, the NIS2 approach is more process-based and resilience-oriented. As written above, one view does not exclude the other; it complements it.