The NIS Directive brings new obligations to operators of essential services. It defines their role to prevent and report cyber incidents, with specific liabilities. The NIS Directive is important to strengthen the security of Operators of Essential Services in the UK and across the EU.

This training is GCHQ certified and is ideal for regulators, security auditors, safety and security managers at operators of essential services and infrastructure managers.

In this 5-day training, participants will learn about the NIS Directive and its requirements. We will learn how to assess the current readiness level, and how to develop a roadmap towards compliance. We will present the NCSC Cyber Assessment Framework and discuss on a list of existing good practices to strengthen security and demonstrate compliance with the requirements of the NIS Directive.

Course author: Dr. Cédric LÉVY-BENCHETON (Cetome) is a recognised expert in security with a focus on critical infrastructure sectors and the Internet of Things. Previously, Cédric worked at ENISA, the European Union Cyber Security Agency, several of his guidance and recommendations defined key areas of the NIS Directive. He was also a researcher in telecommunications and has obtained a Ph.D. in Telecommunications.

There are no specific pre-requisites to attend this course, however we do expect delegates to have a basic understanding of technology, computing and the internet.

  • Understand the requirements of the NIS Directive
  • Know the threats and risks to critical infrastructure
  • Be able to assess the preparedness level to the NIS Directive
  • Be able to define a security governance and embed security into the business
  • Identify the roles, responsibilities and accountabilities across an OES
  • Be able to identify critical assets
  • Be aware of the risks related to third-parties
  • Be able to define security priorities and a compliance roadmap
  • Be able to monitor and detect incidents
  • Know how to handle a security incidents, including incident response, reporting to authorities and post-mortem
  • Understand the importance of information exchange and cooperation
  • Become more proactive towards security with threat intelligence and information sharing
  • Know how to build a security culture

Day 1: Introduction to the NIS Directive

  • Introduction to the NIS Directive, why it exists and the UK implementation (NIS Regulations)
  • Cyber attacks on essential services
  • The Cyber Assessment Framework (CAF) and how to use it

In the next 4 days, we will study the security principles of the CAF. We will discuss around good practices (people, process and tools) as well as existing standards, and see how they can be used to assess and demonstrate compliance.

Day 2: Details of the CAF “Managing Security Risk”

  • Governance: focus on the roles and accountabilities
  • Risk Management
  • Asset Management
  • Supply chain and security of third-parties

Day 3: Protecting against cyber attacks (part 1):

  • B1. Service Protection Policies and Processes
  • B2. Identity and Access Control
  • B3. Data Security

Day 4: Protecting against cyber attacks (part 2):

  • B4. System Security
  • B5. Resilient Networks and Systems
  • B6. Staff Awareness and Training

Day 5: “Detecting cyber security events” and “Minimising the impact of cyber security incidents”

  • C1. Security Monitoring
  • C2. Proactive Security Event Discovery
  • D1. Response and Recovery Planning
  • D2. Lessons Learned