NIS2 - Are you ready to survive a crisis?

Daniel Andersson Senior Information Security Consultant, Cegal Sweden. Daniel has extensive experience in information security and is a Certified Information Security Manager (CISM) as well as a certified Cybersecurity Practitioner (CSX-P). With a background in both technology and leadership, Daniel has a broad view of today's challenges and their various solutions.

05/06/2024 |

An interruption in business operations can quickly have serious economic consequences, both in terms of lost earnings and costs associated with restoring the company. Trust in the company among customers and partners can also decline, leading to long-term consequences for profitability and business relationships.

When a crisis occurs, minimizing the impact on the company is important. A Business Continuity Plan (BCP) is the collection of documents that ultimately govern this.

The Business Continuity Plan is sometimes confused with a technical plan, i.e. Disaster Recovery (DR) plan, which means that companies are not prepared to continue critical business processes without their normal IT support.

NIS2 – requirements in case of crisis

Article 21 of the NIS2 directive (2022/2555) defines the following requirements in point 2c "business continuity, such as backup management and disaster recovery, and crisis management", which stipulates that the requirement for a well-functioning BCP and DR plan must be met to comply with the NIS2 directive requirements.

Prioritization of business processes

The phrase "when it rains, it pours" concerns the continuity plan, as it often affects multiple business processes in a major disruption. Therefore, it is important to have a good prioritization before which business processes are prioritized to be restored first. Here, there may also be a conflict between what is prioritized based on the company's prioritization and what is considered critical services to society according to NIS2. It is therefore important to document what falls within the NIS2 regulation of the company in case of question, and which IT systems it affects. This ensures that the prioritization is documented in the BCP and DR plans.

Recovery can initially be done without IT support. The plan may also include set goals for how quickly each business process should be restored, without IT support and for full recovery.

Make sure to identify dependencies

The continuity plan should also cover the dependencies between different business processes to ensure that the recovery has the expected effect. A simplified example could be to identify that receiving orders from customers is the highest priority, but that the process of delivering to the customer is not restored quickly enough. In some companies, this may be acceptable, while in other companies, where the customer expects delivery within hours or the next day, it is important to consider the entire process from start to finish.

Who will make decisions when the disaster has occurred?

A good continuity plan also includes mandates for decision-making. When the disaster strikes, the last thing you want to discuss is who has the right to make which decision. This should be clear, and there should be alternative decision-makers available if the primary ones are not accessible. It is also often easy to assume that the normal decision-making structure in the company is the best, even in catastrophic situations, but that is not always the case. During a disaster, there may be a need for different competencies in decision-making, and normal operations are under great stress, especially if certain business processes are still functioning.

When should the continuity plan be activated?

Guidelines for when to activate the continuity plan are also important. Even though we often put many eggs in the same basket, it may be that a disaster only affects parts of the business and to such a limited extent that it can and should be handled within the normal line organization. There are also cases where the same underlying IT system is used for several different business processes, and the critical problem may only affect some of these processes, but recovery requires a halt to all business processes.

When should a BCP be updated?

The continuity plan should be a living document and updated whenever changes occur, whether it is the organization, business processes, or IT systems that change. It is also worth having an external party review the plan, initially and in case of major changes.

Crisis practice provides experience

Just like with anything else we do, we need knowledge and experience to excel at it. Therefore, it's important to practice different crisis scenarios to feel confident in making decisions and ensure that one's continuity plan describes what is required in a crisis. Training in crises and simultaneously identifying how well one follows their continuity plan can be challenging without external assistance. External assistance can create scenarios, manage the exercises, and observe and report on areas that can be improved.

Cegal and BCP and DR

Cegal has consultants with extensive experience in continuity planning who can be involved in various phases, either as support in developing the plans, as assistance in reviewing already developed plans, or in conducting crisis exercises.

Cegal can also provide services for restoring testing of databases outside of your IT environment. We specialize in hybrid cloud solutions, setup, and operation of business-critical solutions, and database monitoring. Cegal has extensive experience in high availability environments (so-called High Availability solutions), where we assist both small and large customers in finding the right solution at the right price.