Bratu Madalin

How ITIL Supports a More Resilient and Secure Business in the Context of the NIS 2 Directive

As an information security consultant and auditor, I have had the opportunity to work with various organizations in Romania on implementing the requirements of the NIS Directive. Over time, I have collaborated with companies from a range of sectors, from water and energy operators to financial institutions and other critical industry organizations. A crucial aspect I've observed in the implementation of the NIS Directive is that success fundamentally depends on applying a framework of best practices and well-structured processes, and this is where ITIL (Information Technology Infrastructure Library) plays a critical role. Without a clear set of processes and without digitizing critical workflows, NIS implementation cannot be effectively achieved.


My Professional Evolution in Light of the NIS Directive

From the outset, I was drawn to the idea of becoming an auditor. Auditing is a straightforward process with strict rules and clear guidelines, offering a professional and relatively simple direction for someone specialized in information security. But to enjoy auditing, you need a well-organized client. However, with the advent of the NIS Directive, I found that being an auditor was insufficient to make a real impact on organizations in Romania.

This was because, in many cases, local organizations were unprepared for audits, and without significant improvements in how they managed their IT security, audits would constantly result in negative opinions—a scenario neither I nor my clients wanted. After years of interacting with companies less familiar with what a true ISO 27001 implementation means, I have drawn some general conclusions about implementing an ISMS in a business, starting with the basic requirements of the NIS Directive but continuing with increasing the maturity level of the management system. Thus, I chose to take a more challenging path: besides auditing, I started taking on the role of consultant.

My role became to help companies comply with the NIS Directive before reaching the audit stage, guiding them through the complexities of this regulation and providing them with the tools to improve their internal processes. In this context, ITIL has proven essential for structuring how organizations manage their IT services and critical infrastructure. In short, I became a mentor, helping interested organizations take baby steps in this direction. It’s not an easy job.


Why is Implementing the NIS Directive a Challenge?

Implementing the NIS Directive in an organization depends on management involvement and a strategic approach to risk management. More than that, it is implemented through processes and controls. This aspect has been (and continues to be) overlooked (often intentionally) by most security technology vendors in their webinars and conferences. Now, the effect is exacerbated by the impending deadline for the approval of the NIS 2 Directive in the EU.

Implementing the NIS Directive’s requirements may seem simple at first glance, especially when only technical aspects are considered. Most cybersecurity solution providers promote technologies as solutions that solve compliance issues. These technologies are undoubtedly useful but are just one piece of a much more complex puzzle. The major problem with this tech-centric approach is that many organizations in Romania are unprepared to implement such advanced solutions. Without a solid framework of well-defined IT processes, the implementation of these technologies risks being superficial and inefficient. In many cases, I’ve seen organizations purchase these solutions merely to meet “legal requirements,” but without integrating them effectively into their operational processes.

The result is a series of expensive, advanced technologies that are underutilized, unmonitored, and provide no real value to the company. This, unfortunately, is the reality in many regulated organizations in Romania.

What most technology vendors (various integrators, etc.) fail to recognize is that while they propose useful controls and security measures, many of their target audience in Romania are at a much more basic level than these technologies—they haven't implemented ITIL and are at Level 0, ad hoc, in terms of organizing their critical departments. Similarly, what most technology buyers fail to realize is that they will end up like a significant portion of regulated organizations: with a suite of advanced security technologies, but surrounded by chaos, unmonitored, and unexploited in a structured and organized way. Even some of the more prestigious companies find themselves in this situation. Another often-overlooked aspect is that the NIS Directive is not just about technology. NIS compliance requires a holistic approach that includes processes, policies, education, and awareness at the organizational level.


ITIL: The Foundation for NIS Directive Implementation

This is where ITIL comes into play. ITIL is a set of best practices for IT service management, providing a structured framework that allows organizations to organize their IT activities and manage risks in a coherent and controlled manner. This is an essential aspect of compliance with the NIS Directive, as its implementation cannot succeed without a well-defined operational structure. In essence, ITIL provides the foundation for building an information security management system that meets NIS requirements. Without ITIL, organizations remain at an ad-hoc maturity level, where decisions are made on a case-by-case basis without a clear strategy. This makes it almost impossible to implement a management system that meets the security and resilience requirements imposed by NIS. A management system aligned with the basic NIS Directive requirements can only be implemented through modern digital means within an organization, and it must be built on a few minimal ITIL processes.


The Four Key ITIL Areas in Support of the NIS Directive

ITIL covers four essential areas that are directly linked to the NIS Directive requirements:

  • Service Strategy: A crucial aspect of NIS compliance is aligning IT security strategy with overall business objectives. ITIL helps organizations define and implement a cybersecurity strategy that aligns with their business goals. This also includes implementing a framework for ICT risk management and resilience, a specific requirement of NIS 2.

  • Service Design: ITIL facilitates the design of IT services in a way that reduces risks and ensures the continuity of critical operations. Under NIS 2, organizations are required to adopt measures to prevent vulnerabilities and ensure business continuity, and the proper design of IT services is a key step in this direction.

  • Service Transition: ITIL manages service transitions and changes that can impact security. Under NIS 2, any change affecting IT security must be managed and documented appropriately. ITIL provides the necessary framework to do this in a controlled and predictable manner.

  • Service Operation: ITIL ensures the correct management of IT services in production, including the quick identification and resolution of incidents. This is essential for meeting NIS Directive requirements regarding incident reporting and management.

Let’s start with managing the ecosystem, system architecture, and the asset list of an organization. You can't do anything relevant or of quality if you don't have a CMDB (Configuration Management Database). The overwhelming majority of companies in Romania (including some more regulated ones) cannot explain to an auditor right away what systems they have, how they interact, what applications they have, and so on. Usually, all this is known by a few key people in an organization who are either too lazy or simply refuse to document what they know because they don’t want to become replaceable. Furthermore, most companies don't have a detailed asset list showing even the software versions they have, let alone critical processes or assets. So, I won't even go into business impact analysis or coherent continuity planning.

Let’s continue with operational and security incident management and change management. Most companies do not record this data because they simply don't have a Service Desk. User account management and the lifecycle of an identity are undocumented, or, at best, managed through printed forms that are impossible to use when you want to conduct a separation of duties analysis or audit user accounts. Configuration changes are made ad hoc and not documented.

To generalize about the maturity level of IT management in Romania, it’s often done by the seat of one’s pants and in a chaotic or undigitized manner. Because of this, I estimate that a large portion of companies do not have a structured system to coordinate the activities of their critical departments or only do so to pass a NIS audit (meaning they’ve created some procedures and policies, started implementing minimal mechanisms, but non-digitized, using the famous Microsoft Excel and Word—and that’s in the best-case scenario).

Specific ITIL Tools and Alignment with NIS 2 Requirements

In addition to structuring processes, ITIL relies on a series of digital tools essential for managing IT security. Among these, the CMDB and Service Desk are two of the most important.

  • CMDB (Configuration Management Database): An efficient CMDB supports the management of essential assets and configurations. Under NIS 2, organizations need to have detailed knowledge of critical IT infrastructure to manage risks. Through the CMDB, unauthorized configuration changes can be identified, and dynamic IT asset management tools can collect system configurations in real time. A well-maintained CMDB gives organizations a clear view of all their systems and how they interact.

  • Service Desk: The Service Desk facilitates incident reporting and management, a key requirement of NIS 2. It is the central point for reporting and monitoring cybersecurity incidents, aiding in their rapid detection and management.
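As an added illustration of the CMDB and change-management points above (example code, not tooling from the post or from any ITIL product): a CMDB baseline is reconciled against a discovery snapshot, and Service Desk change records decide which drift is approved and which is an unauthorized change. All asset names, versions and ticket ids are constructed.

```python
# Added example, not the post's tooling; every asset, version and ticket id is constructed.
from dataclasses import dataclass

# Constructed CMDB baseline: configuration item -> attributes under change control.
CMDB = {
    "scada-hmi-01": {"os": "Windows Server 2019", "app": "HMI 4.2"},
    "core-db-01": {"os": "RHEL 8.6", "app": "PostgreSQL 14.5"},
    "mail-gw-01": {"os": "Ubuntu 22.04", "app": "Postfix 3.6"},
    "hist-srv-02": {"os": "Windows Server 2016", "app": "Historian 7.1"},
}

# Constructed discovery snapshot: what an asset-management scan sees right now.
SNAPSHOT = {
    "scada-hmi-01": {"os": "Windows Server 2019", "app": "HMI 4.3"},
    "core-db-01": {"os": "RHEL 8.6", "app": "PostgreSQL 14.5"},
    "mail-gw-01": {"os": "Ubuntu 22.04", "app": "Postfix 3.8"},
    "dev-box-77": {"os": "Ubuntu 22.04", "app": "nginx 1.24"},
}

# Constructed approved change records (RFCs) exported from the Service Desk.
APPROVED_CHANGES = [
    {"id": "CHG-1001", "ci": "scada-hmi-01", "attr": "app", "new": "HMI 4.3"},
]

@dataclass
class Finding:
    ci: str
    kind: str  # approved_change | unauthorized_change | unknown_asset | missing_asset
    detail: str
    change_id: str = ""  # filled only when a matching RFC exists

def reconcile(cmdb, snapshot, approved):
    # One Finding per deviation between the CMDB and what was discovered.
    approved_idx = {(c["ci"], c["attr"], c["new"]): c["id"] for c in approved}
    findings = []
    for ci, actual in snapshot.items():
        expected = cmdb.get(ci)
        if expected is None:  # discovered but never registered: shadow asset
            findings.append(Finding(ci, "unknown_asset", str(actual)))
            continue
        for attr, value in actual.items():
            if expected.get(attr) == value:
                continue  # matches the baseline, nothing to report
            chg = approved_idx.get((ci, attr, value), "")
            kind = "approved_change" if chg else "unauthorized_change"
            findings.append(Finding(ci, kind, f"{attr}: {expected.get(attr)!r} -> {value!r}", chg))
    for ci in cmdb:  # registered but not discovered: offline, moved or decommissioned
        if ci not in snapshot:
            findings.append(Finding(ci, "missing_asset", "in CMDB, not discovered"))
    return findings
```

Approved drift should simply update the CMDB record, while the other three finding kinds are the traceability gaps an auditor asks about first.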

Based on my practical experience, the NIS Directive introduces approximately 50 distinct IT workflows into an organization. Without tools to digitize these workflows, IT and OT (operational technology) teams will be incapable of operationalizing them efficiently.

Conclusion


As an advocate for the NIS Directive, my recommendation to any decision-maker within its scope is to view this legislative requirement as an opportunity to bring risk control, structure, and order to the business.



One of the major benefits of an integrated ITIL-NIS approach is that it implements order and structure in the affected departments, allowing them to better demonstrate their value to the business. Consequently, they can successfully implement any cybersecurity tool directly required by the NIS Directive or the risk management process.

In the world of companies with an ad hoc level of organization in their IT and OT activities, like the majority of companies in Romania, ITIL brings structure and supports the requirements of the NIS Directive. Without this minimal structure of processes, activities, and tools, it is impossible to bring order to chaos, and it is impossible to effectively implement the basic areas of security management imposed by NIS 2.

If you want to truly implement the requirements of the NIS Directive, start with ITIL. This way, you begin to have order and traceability in critical operational departments and will be able to later operationalize the integrated mechanisms of a suitable security management system.
