Information Security Audit and Self-Assessment Frameworks for operators of essential services and digital service providers


ENISA publishes today a report on good security self-assessment and audit practices for national competent authorities (NCAs), digital service providers (DSPs) and operators of essential services (OESs).

The report presents the steps of an information security audit process for OESs, as well as of a self-assessment / management framework for DSPs, as means of assessing security and/or compliance with the security requirements set by the NIS Directive. The key outcome of the study is a set of good practices for audits and/or self-assessments aligned with the NISD security requirements.

One of the NIS Directive's key objectives is to introduce appropriate security measures for OESs, as well as for DSPs, in order to achieve a common baseline level of information security in network and information systems.

NCAs will assess the compliance of OESs with their obligations stemming from article 14 of the NIS Directive. For DSPs there is no requirement for a compliance assessment; however, Member States should ensure that DSPs take appropriate security measures. Information security audits and self-assessment / management exercises are the two major enablers for achieving these objectives.

More specifically, the report:

  • proposes steps to facilitate the audit process; the same steps are also useful for self-assessment;
  • proposes an indicative list of questions for NCAs which, together with relevant evidence, could facilitate NIS Directive compliance assessments of OESs;
  • proposes an indicative list of questions which, together with relevant evidence, could facilitate DSPs' self-assessment exercises against the security requirements of NIS Directive article 16(1);
  • presents post-audit actions for NCAs, with a view to extracting benefit and/or knowledge from an information security audit exercise; and
  • analyses leading audit and self-assessment / management frameworks, mapping each framework to its domain of applicability, i.e. DSP business environments, OES business environments, or both.

ENISA considers this report an integral part of its work towards better collaboration among Member States on cyber security. In this light, the report raises awareness of the most important challenges that stakeholders will face under the NIS Directive requirements.

For the full report: Guidelines on assessing DSP security and OES compliance with the NISD security requirements