7. POLICIES AND PROCEDURES TO ASSESS THE EFFECTIVENESS OF CYBERSECURITY RISK-MANAGEMENT MEASURES
7.1.1. For the purpose of Article 21(2), point (f) of Directive (EU) 2022/2555, the relevant entities shall establish, implement and apply a policy and procedures to assess whether the policy on the security of network and information systems referred to in point 1.1. is effectively implemented and maintained.
7.1.2. The policy and procedures referred to in point 7.1. shall take into account results of the risk assessment pursuant to point 2.1. and past significant incidents. The procedures shall include security assessments and security testing. The relevant entities shall determine:
(a) what cybersecurity risk-management measures are to be monitored and measured, including processes and controls;
(b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
(c) when the monitoring and measuring is to be performed;
(d) who is responsible for monitoring and measuring the effectiveness of the cybersecurity risk-management measures;
(e) when the results from monitoring and measurement are to be analysed and evaluated;
(f) who has to analyse and evaluate these results.
7.1.3. The relevant entities shall review and, where appropriate, update the policy and procedures at planned intervals and when significant incidents or significant changes to operations or risks occur.