Interdependencies between essential and important entities

Interdependency indicator: ISO/IEC 27002 control name, control description and example of implementation
Managing changes to supplier services
Control ID: 15.2.2
Domain: 15 Supplier Relationships
Subdomain: 15.2 Supplier service delivery management

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.

Review the information-security-related changes to supplier services and measure their financial value.
Monitoring and review of supplier services
Control ID: 15.2.1
Domain: 15 Supplier Relationships
Subdomain: 15.2 Supplier service delivery management

Organisations should regularly monitor, review and audit supplier service delivery.

Measure the number of agreements that are not fully adhered to and the related incidents. Measure the penalties and other economic features.
Information security policy for supplier relationships
Control ID: 15.1.1
Domain: 15 Supplier Relationships
Subdomain: 15.1 Information security in supplier relationships

Information security requirements for mitigating the risks associated with a supplier’s access to the organisation’s assets should be agreed with the supplier and documented.

The number of supplier contracts, the type of services provided and the impact of those services on the organisation provide an estimate of the economic impact of NIS incidents.
Information and communication technology supply chain
Control ID: 15.1.3
Domain: 15 Supplier Relationships
Subdomain: 15.1 Information security in supplier relationships

Agreements with suppliers should include requirements to address the information security risks associated with the information and communications technology services and product supply chain.

Review the supplier agreements with a focus on dependencies on critical services, their economic value and the related penalties.
Addressing security within supplier agreements
Control ID: 15.1.2
Domain: 15 Supplier Relationships
Subdomain: 15.1 Information security in supplier relationships

All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information.

Calculate the amount of penalties arising from violations of a supplier agreement. Calculate the value of each agreement. These numbers show the economic impact on the related suppliers, either from the loss of a contract or from the violation of one.