Building a raft

With risks mapped and legal obligations understood, it is time to build your raft. This is the combination of technical, organisational, and procedural safeguards that will carry you safely across. Begin with governance, as NIS2 requires, then add technical controls, operational capabilities, and the human element.

Governance is not optional

The management body shall approve all security measures, oversee their implementation, participate in training, and may bear personal liability for failures. Responsibility cannot be fully delegated. Organisations may appoint a security officer or chief information security officer with clear reporting lines to the board. Define roles and responsibilities across the organisation so everyone knows who is accountable for what. Establish decision-making frameworks that work in practice.

Policies shall have board approval. At minimum, these include the information security policy, acceptable use policy, incident response procedures, business continuity plans, supply chain security procedures, and data classification and handling instructions. These documents are operational guides.

Technical implementation builds the foundation

Identity and access management should start with multifactor authentication on critical systems. Implement role-based access control aligned with job responsibilities, and privileged access management for administrative functions. Conduct regular access reviews to remove permissions that are no longer required.

Network and system security can include segmentation to contain breaches, intrusion detection to spot attacks, continuous monitoring and logging, patch management to close known vulnerabilities, endpoint protection, and vulnerability scanning to identify weaknesses before attackers do.

Data protection may involve encrypting information both at rest and in transit, maintaining secure and tested backups, implementing data loss prevention measures, and ensuring secure disposal of information at the end of its life.

Secure development practices should be integrated into procurement and development processes. Include security requirements in vendor contracts, follow secure coding standards, perform testing including static and dynamic analysis as well as penetration testing, and apply change management controls to prevent new risks from being introduced.

Operational capabilities make it real

Incident response should include the ability to detect and monitor events, classify their severity, follow response playbooks, escalate issues when necessary, use communication templates for regulatory reporting, and perform forensic investigations to understand what occurred.

Business continuity begins with a business impact analysis to identify critical functions and dependencies. Define recovery time and recovery point objectives, document backup and restoration procedures, test them regularly, and maintain disaster recovery plans. Crisis management procedures enable leadership to make rapid decisions when needed. All plans should be exercised to ensure they work in practice.

Asset management may include maintaining a comprehensive inventory, classifying and assigning ownership for each asset, managing configurations to maintain known-good states, and tracking the lifecycle from acquisition to disposal.

People and culture complete the vessel

Security awareness training should be continuous and practical. Provide regular sessions for all staff, role-specific training for IT, security, and management, and phishing simulations to measure whether the training is effective. Keep security visible through ongoing communications, and ensure management understands its obligations under NIS2.

Human resources security begins at hiring. Conduct background checks where appropriate, include security clauses in contracts, deliver onboarding briefings, and ensure offboarding procedures revoke access and recover equipment. Employees should acknowledge acceptable use policies.

Output

By the end of this stage, the organisation will have implemented controls that function effectively, documented procedures that staff can follow, trained personnel who understand their roles, and a governance structure with clear authority.

Let's meet to look at your raft and see if we're the right paddlers for your crossing.