The Network and Information System Security Act (NISG, see publications) only concerns the sectors defined in §2 of the Act:
Energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and digital infrastructures, whose companies are covered as operators of essential services. In addition, it covers providers of digital services, such as online marketplaces, online search engines and cloud computing services, as well as public administration bodies.

Whether a company must meet the requirements of the Network and Information System Security Act as an operator of essential services is determined by the Federal Chancellor, and the affected companies are informed by official notice, probably starting in Q2 2019. However, due to the new composition of the Austrian Federal Government, we expect the notices to arrive later.

As a provider of digital services, you do not receive such a notice: you have to take action yourself and check whether the requirements of the NISG apply to your company.

There is no ISO 27001 certification obligation for operators of essential services in Austria, but there is an obligation to implement security measures in the following specified areas:

  1. Governance and risk management
  2. Dealing with suppliers and third parties
  3. Security architecture
  4. System administration
  5. Identity and access management
  6. System maintenance and operations
  7. Physical security
  8. Incident detection
  9. Incident management
  10. Business continuity
  11. Crisis management

Operators must implement appropriate measures in these areas and provide evidence of their operational effectiveness through regular audits within a three-year period.

Although there is no ISO 27001 certification requirement, we believe it is essential to establish a structured approach. We recommend mapping these eleven areas to the requirements of ISO 27001 (its clauses and Annex A controls). Using ISO 27001 is useful for another reason: the continual improvement process (CIP) of the ISMS, with its internal audits and management reviews, can be reused as the evidence for the NISG verification. Of course there are many further advantages of an ISO 27001 certification; please read our further article on this topic, "Should I certify my company to ISO 27001?".

In the next article of our ISO 27001 series, we will highlight the importance of implementing an ISMS according to ISO 27001 for suppliers of large customers, and the advantages this brings in supplier management.