The eagerly awaited Cyber Assessment Framework (CAF), which helps organisations manage risks to their essential services in accordance with the Network and Information Security (NIS) Directive, has now been published.
Sector Competent Authorities (CAs) will be able to use the CAF to assess and enforce compliance under the NIS Directive for Operators of Essential Services (OESs) that fall within the Directive’s scope. The first version of the framework, produced by the National Cyber Security Centre, provides a systematic method for assessing the extent to which OESs are achieving the outcomes specified by the NIS Directive’s 14 security objectives.
The CAF stresses the outcomes of what needs to be achieved rather than exactly how it needs to be done for compliance with the NIS Directive. Each contributing outcome is assessed by a set of indicators of good practice. The National Cyber Security Centre cautions that assessment of these contributing outcomes is “primarily a matter of expert judgement” and the indicators of good practice do not remove the requirement for the “informed use of cyber security expertise and sector knowledge”.
The NIS Directive comes into effect on 9th May 2018.
Gemserv will soon be publishing a series of papers to help you understand what the requirements are for your business and how we can help you ensure you have the appropriate governance and processes to meet the Directive. If you would like to receive our papers, please contact our marketing team by emailing firstname.lastname@example.org.